Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox 2.0.0.6

Product:
Minimo <=.2 and Firefox 2.0.0.6

Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox 2.0.0.6 Windows XP SP2

Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile) and 08/02/2007 for Firefox 2.0.0.6

Risk Level:
High - Disclosure of sensitive information

Program Summary:
From the website: http://www.mozilla.org/projects/minimo/

Minimo uses Mozilla Technologies to produce a highly usable web browser for advanced mobile devices. Features include:
* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support

Vulnerability Details:
Minimo includes a password manager feature that allows users to store user/password information of sites they visit. There are two ways this feature can be abused. First, the action of any form can be changed dynamically via JavaScript, which could be introduced into a site via a cross-site scripting (XSS)bug. Second, the form fields can be automatically filled in without user interaction. As a result, a XSS bug could allow an attacker to inject an invisible form into a victims browser that could collect the user/pass without any interaction or visible indication.

Note: The Password Manager bug is often misunderstood for how it work. The reason is that there are numerous subtle variations on how the username and password show up. The following highlights some of these:

1. If there is only one username stored in the password manager for the specific, it will automatically show up in the username field. If there is more than one username stored in the Password Manager, a user would normally type in or select the specific username for the site, which then allows Minimo/Firefox to fill in the password. As a result, an attacker would have to know the username to successfully grab the credentials.

2. If the password field is named 'password' and there is only one username associated with the site, the Password Manager will automatically fill in both the user and password. This particular version was noticed by http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml.

Similar Firefox bugs has been known about since mid-2006; however, https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these are supposedly resolved.

The details and vulnerable status of Minimo .2 and below is new.

Proof of Concept

The following webpage provides a link to two pages. The login.php page is just a sample form that you can enter a user/pass into. Enter and save some sample info and then click on the second poc.htm link. This will open a page with a script inside that dynamically creates a framed environment, one of which is essentially hidden (note: using style:hidden will not work). In the hidden frame, the login.php page is loaded, the action is changed, and the user/pass are tickled into the form fields. You should see two popups - one with the changed form action, and the other with the stored user & pass variables.

http://www.airscanner.com/tests/minimo.htm

Workaround:
Don't use password manager.

Vendor Response:
Update: The Mozilla security team contacted us and informed us the "The password manager used in Firefox is different code from that used in Minimo." We assumed they were the same and that the existing issues with the Password Manager in Firefox were related to Minimo. This problem is new for Minimo .2 and the developer has been contacted.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.