Full Version: Exploit discovered on all non IE browsers
Miranda
http://www.dpadz.com/index/video-games/maj...loit-discovered

QUOTE
Firefox browser exploit discovered on all non IE browsers! Mozilla, Opera, Safari affected

Oh crap, just discovered this through BoingBoing. Looks like an east coast hacker convention Shmoocon has discovered a serious bug in many non Explorer browsers. Firefox, Mozilla, Opera, Safari all affected. There is now a way to spoof even SSL urls.

For the non technical, it is now possible for phishing emails to put bogus links to official looking but fake versions of major commercial sites like Paypal or Amazon while disguising the bogus links when a user mouses over the link.

An example is shown on this page.
http://www.shmoo.com/idn/

Hover your mouse over the links. The top link points to what appears to be the regular Paypal link. The second link points to the seemingly secure Paypal site. Now click on both those links. Not Paypal is it?

The Firefox/Mozilla fix is copied and pasted below.

1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN—this is International Domain Name support, and it is causing the problem here. We want to turn this off—for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to ‘true’. Change it to ‘false’ (no quotes!), click Ok. You are done.

4) Go check out the shmoo demo again and notice it no longer works.

Snip from the Shmoo page.

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

Vendor Responses
Verisign: No response yet.
Apple:  No response yet.
Opera:  They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla:  Working on finding a good long-term solution; provided clear workaround for disabling IDN.
garsh
Interesting. The link looks like this in the source:

CODE
<a href='https://www.p&#1072;ypal.com/'>Click here to enter paypal via ssl</a>


So it looks like some issue with using an international character set. IE actually displays it the same way that Mozilla does, but clicking on the link in IE takes you to a "link broken" page, so it sounds like IE was "saved" by the existence of another bug.

Also, the "fix" listed above did not work for me in Firefox 1.0.
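A defender-side check for the kind of link garsh quotes above, added here as an example and not code from this thread: it decodes the numeric entity the way a browser would, shows the Punycode form the resolver actually sees, and flags DNS labels that mix scripts (a heuristic based on Unicode character names, so it will not catch a label made entirely of look-alike characters from one script); strict mode flags every non-ASCII label, which is the blunt equivalent of disabling IDN.

```python
import html
import unicodedata
from urllib.parse import urlsplit


def script_of(ch):
    """Heuristic script name: first word of the Unicode name ("LATIN", "CYRILLIC", ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label (digits and hyphens ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def analyze_href(href_attr, strict=False):
    """Inspect an <a href> attribute value exactly as it appears in HTML source.

    Numeric entities such as &#1072; are decoded first, because the browser does
    that before it ever resolves the name. Returns the Unicode host, its IDNA
    (Punycode) form, the labels that mix scripts, the labels that are non-ASCII,
    and a verdict. With strict=True any non-ASCII label is treated as suspicious.
    """
    href = html.unescape(href_attr)
    host = urlsplit(href).hostname or ""
    labels = host.split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    non_ascii = [lab for lab in labels if not lab.isascii()]
    try:
        ascii_host = host.encode("idna").decode("ascii")  # what DNS will be asked for
    except UnicodeError:
        ascii_host = None  # label not encodable under the idna codec's rules
    return {
        "host": host,
        "ascii_host": ascii_host,
        "mixed_script_labels": mixed,
        "non_ascii_labels": non_ascii,
        "suspicious": bool(mixed) or (strict and bool(non_ascii)),
    }


if __name__ == "__main__":
    # Constructed samples: the Shmoo-style link from the thread and a benign one.
    for link in ("https://www.p&#1072;ypal.com/", "https://www.paypal.com/"):
        print(analyze_href(link))
```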
scaryjerry
QUOTE(garsh @ 2-7-05, 7:11am)
Also, the "fix" listed above did not work for me in Firefox 1.0.

no.gif
izx
QUOTE(scaryjerry @ 2-7-05, 7:16am)
no.gif


Odd, setting network.enableIDN to false in about:config worked for me. Now clicking on the Shmoo links gives a 'www.paypal.com could not be found' error.
garsh
QUOTE(izx @ 2-7-05, 12:38pm)
Odd, setting network.enableIDN to false in about:config worked for me. Now clicking on the Shmoo links gives a 'www.paypal.com could not be found' error.

It works fine until you restart.

Then you have to toggle it to true again, then back to false before it actually disables it again. Repeat each time you start up the browser.
izx
True, my bad. Fickle Firefox. To correct:

Paste the following line into an empty text file:

CODE
user_pref("network.enableIDN", false);


and save the file as "user.js" in C:\Program Files\Mozilla Firefox\defaults\profile.

This directory may vary; to be sure, search from the Firefox install folder for a file called "prefs.js". Whatever directory this is in, that's where "user.js" goes.

This basically hardcodes the setting, and Firefox will apply it on every startup.

Should you already have a user.js file, you know how this method works, so just edit the file to put this pref in.
Miranda
QUOTE(izx @ 2-7-05, 10:50am)
True, my bad. Fickle Firefox. To correct:

Paste the following line into an empty text file:

CODE
user_pref("network.enableIDN", false);


and save the file as "user.js" in C:\Program Files\Mozilla Firefox\defaults\profile.

This directory may vary; to be sure, search from the Firefox install folder for a file called "prefs.js". Whatever directory this is in, that's where "user.js" goes.

This basically hardcodes the setting, and Firefox will apply it on every startup.

Should you already have a user.js file, you know how this method works, so just edit the file to put this pref in.


I still get the meeow page.

I added user_pref("network.enableIDN", false); to user.js using ChromEdit. Restarted Firefox, went back to shmoo and it still took me to the meeow page. So I restarted my computer... still the same thing.

I noticed that ChromEdit was saving to my Application Data folder instead of in Program Files, so I added a user.js file to the profile folder in Program Files and copied and pasted everything from the user.js file in my Application Data folder to the Program Files one. Still doesn't work.

I checked about:config and network.enableIDN shows as "user set" "false".

I've restarted Firefox and my computer multiple times, but still get the meeow page.

I even tried changing "user_pref" to "pref" in both user.js files (it showed as "default" "false" in about:config), but even that didn't work.

I'm using Firefox 1.0, BTW. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 (ax)
kathologist
QUOTE(Miranda @ 2-7-05, 1:31pm)

Try this (from BBR)

reply to BeesTea
The workaround for firefox seems to be an edit to your compreg.dat.

For Windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Cheers,
-BeesT
tolik
jeez. nice catch.

if the settings aren't being saved, there must be some setting in mozilla that lets you save them automatically, it does for me after I changed it in about:config once. seems this potential problem has been around for a while...

Last updated on January 27, 2003

and seems like the reason IE isn't affected is that they haven't even ATTEMPTED to put in the international domain name recognition yet
wmspringer
Just goes to show you should never trust anything you see online :-)

Ah yes, IE sucks :-)
Miranda
I haven't been able to try out kathologist's suggestion since I'm not using my computer right now.

But I searched on BBR too and found this

QUOTE
For you Proxomitron users out there, here's a quick hack:

CODE
Name = "IDN Removal"
Active = TRUE
Bounds = "$NEST(<a(rea|),<(/a(rea|)|br)>)"
Limit = 1025
Match = "*href=$AV(*&#[0-9]+;*)*"
Replace = "Removed IDN exploitable URL"


I haven't tested that yet. As I said before, I'm not using my other computer and also can't test it out since I don't have Proxomitron.
Miranda
A reply on BBR (broadbandreports, for you folks wondering what BBR is) to BeesTea's compreg.dat fix. Here's a link to the thread over there, if you guys want to take a look at it.

http://www.broadbandreports.com/forum/rema...=flat~days=9999

QUOTE
From Mozillazine forums: More info (for those not using proxy)


quote:
--------------------------------------------------------------------------------
Isn't compreg.dat re-created anytime you install a new plugin/extension? And wouldn't that overwrite the old file with the commented out line (not sure if FF respects the readonly attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as I'm not really all that concerned with the IDN issue (based on my browsing habits)...
--------------------------------------------------------------------------------

quote:
--------------------------------------------------------------------------------
Well, I got a chance to test... and unless you make the file readonly the edit will be OVERwritten on new plugin/extension installation. Also, keeping it readonly may prevent your newly installed extension/plugin from registering properly... SO... make sure to re-edit the file after extension/plugin installation....

From wilder's security forums:


quote:
--------------------------------------------------------------------------------
Just added info ... Kye-U's Filters V4.30 for Proxomitron also prevent this exploit.

Kye-U's Forum (link to post) - http://www.kye-u.com/proxo/forums/index.ph...=225&#entry3846
Direct Download of Kye-U's V4.30 .cfg ~Zipped~ - http://www.kye-u.com/proxo/dp/download.php?file=18
(I hope, you don't mind me posting a direct link Kye-U)
--------------------------------------------------------------------------------


There's also another Proxomitron fix:

CODE
[Patterns]
Name = "Spoofed Address Exploit [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "($NEST(<(([a-z]+{1,*})|*=\s),</([a-z]+{1,*})>)|$NEST(<(([a-z]+{1,*})|*=\s),>))"
Limit = 1024
Match = "\0://(\1.([a-z]+{2,4})|*.*/)((?%00|(((%|&#)0[01])+{1,2})))[^/]++[@|%40]\2"
       "|\0://(\1.([a-z]+{2,4})|*.*/)%2F((%20|\s)+{1,*})[^/]++.\2"
       "|\0://(\1.([a-z]+{2,4})|*.*/)%(2F|01)[@|%40]\2"
       "|\0://(\w.|)\w&#*;\w.([a-z]+{2,4})*"
       "|\0://(*|)xn--*.([a-z]+{2,4})*"
Replace = "<strong>[URL Spoofing Exploit Removed]</strong>"
         "$ALERT(URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"
izx
Installing Proxomitron just for this might be overkill. AdBlock has mostly eliminated its utility for most people, although Proxomitron is still a wonderful diagnostic tool. Shame development on it stopped.
garsh
QUOTE(tolik @ 2-7-05, 11:44pm)
if the settings aren't being saved...

The about:config setting is being saved. It's just not being read in at startup.
dasnufus
The vulnerability in FF will probably be fixed really soon.

Thank goodness this does not affect IE. Knowing MS, they would either 1) deny that it's a problem or 2) acknowledge it's a problem and fix it in about a month.