Firefox for Android Crash Reporter File Manipulation

Aleph Research Advisory





Firefox for Android

Vulnerable Version

Before version 28.

Technical Details

The org.mozilla.gecko.CrashReporter class is a public activity. Its purpose is to send crash dumps to Mozilla when needed. The CrashReporter activity receives the dump file path as an input (an Intent extra parameter). When the activity is launched, its onCreate method is executed and the following actions take place:

  1. Using the moveFile (Figure III.5) method, the given minidump file is moved to the pending minidumps path, files/mozilla/Crash Reports/pending.
  2. A meta-data filename is deduced from the given minidump file path, by replacing all ’.dmp’ occurrences with ’.extra’. i.e. .dmp becomes .extra.
  3. The meta-data file is moved to the pending minidumps path using the moveFile method.
  4. The meta-data file is parsed as a key/value file format. The target server URL (i.e. the one that the crash information is sent to) is specified here using the ServerURL key.
  5. The crash dialog is presented to the user.

If the user presses the Close or Restart buttons with the ‘Send report’ check-box enabled, the minidump alongside with other sensitive information is sent to the specified server by calling the sendReport method. It should be noted that if the user has also checked the Include the address check-box, then Android logs are sent as well.

One problem is that the CrashReporter activity consumes the minidump path from the input intent although it should be considered untrusted data since the activity is public as defined in the Android Manifest file. Therefore, a malicious application can control the source path of the moved minidump file and the deduced extra file.

Another issue is that attacker to control the destination server for the crash report.



External References