From: jruderman at hmc.edu (Jesse Ruderman)
Subject: Race conditions in security dialogs

I discovered arbitrary code execution holes in Mozilla, Internet 
Explorer, and Opera that involve human reaction time. One version of the 
attack works like this: the page contains a captcha displaying the word 
"only" and asks you to type the word to verify that you are a human.  As 
soon as you type 'n', the site attempts to install software, resulting 
in a security dialog with "Yes" and "No" buttons. When you type 'y' at 
the end of the word, you trigger the 'Yes' button in the dialog. [Demo 1 
below]

Another form of the attack involves convincing the user to double-click 
a certain spot on the screen. This spot happens to be the location where 
the 'Yes' button will appear. The first click triggers the dialog; the 
second click lands on the 'Yes' button. [Demo 2 below]

These types of attack work on any security dialog that can be triggered 
by untrusted content. The attack is most useful in a dialog where one of 
the buttons means "Yes, let this untrusted content run arbitrary code". 
Firefox has such a dialog in the form of the extension installation 
(XPI) dialog. Similarly, Internet Explorer has the ActiveX installation 
dialog and Opera has an "Open" button for downloaded executables. 
Programs other than browsers might also be vulnerable.

Mozilla's solution, from bug 162020, is to delay enabling the 
"Yes"/"Install" buttons until three seconds after the dialog appears.  
This works, but it's frustrating for users who install extensions often.

Another possible fix in web browsers is to treat all software 
installation requests like unrequested pop-ups.  When a site tries to 
install software, a status bar icon would appear, and only clicking that 
icon would activate the security dialog.  Rumor has it that IE in WinXP 
SP2 does something like this under some(?) circumstances.

The demos require Mozilla or Firefox and require that you go to 
about:config and change
signed.applets.codebase_principal_support to true.  You have to change 
this pref because I'm too lazy to make a demo using XPI (Mozilla), 
signed ActiveX (IE), or executable file download (Opera).

Demo 1 (captcha): http://bugzilla.mozilla.org/show_bug.cgi?id=162020#c25

Demo 2 (double-click): http://bugzilla.mozilla.org/show_bug.cgi?id=162020#c1

-- 
Jesse Ruderman
Mozilla project volunteer
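
As an added illustration, not code from the original post or from Mozilla, the block below models the delayed-enable mitigation from bug 162020 described above: confirming input that reaches the dialog before the grace period has elapsed is ignored. The class, its method names and the injected fake clock are assumptions made for this example.

```javascript
// Added example (not Mozilla's code): a model of the delayed-enable fix from
// bug 162020. Confirming input that arrives before the grace period has passed
// is ignored, so a pre-timed keystroke or second click cannot accept the dialog.
// The clock is injected so the timing can be exercised without real waiting.
class DelayedConfirmDialog {
  // now: returns milliseconds; delayMs: grace period (3000 in Mozilla's fix)
  constructor(now, delayMs = 3000) {
    this.now = now;
    this.delayMs = delayMs;
    this.openedAt = null;
    this.result = null; // 'accepted' | 'rejected' | null while pending
  }
  open() {
    this.openedAt = this.now();
    this.result = null;
  }
  // The "Yes"/"Install" control is enabled only once the grace period is over.
  acceptEnabled() {
    return this.openedAt !== null && this.now() - this.openedAt >= this.delayMs;
  }
  // Input aimed at the accept button (a click on it, or the 'y' accelerator).
  // Returns true only if the confirmation took effect.
  handleAccept() {
    if (this.result !== null || !this.acceptEnabled()) return false;
    this.result = 'accepted';
    return true;
  }
  // "No"/"Cancel" is safe to honour immediately.
  handleReject() {
    if (this.result !== null) return false;
    this.result = 'rejected';
    return true;
  }
}

// Replay of the captcha demo's timing against the mitigated dialog with a fake
// clock: the dialog opens when 'n' is typed and the 'y' keystroke lands about a
// quarter second later; a deliberate click follows once the delay has elapsed.
function simulateCaptchaRace(delayMs = 3000) {
  let t = 0;
  const dialog = new DelayedConfirmDialog(() => t, delayMs);
  dialog.open();                               // triggered by the 'n' keystroke
  t += 250;
  const earlyAccepted = dialog.handleAccept(); // the 'y' keystroke: swallowed
  t += delayMs;
  const lateAccepted = dialog.handleAccept();  // deliberate confirmation
  return { earlyAccepted, lateAccepted, result: dialog.result };
}
```

The same check applies to the double-click variant: the second click arrives within milliseconds of the dialog appearing and is dropped in the same way.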