Date: Mon, 01 Jun 2009 11:37:22 -0400
From: Valdis.Kletnieks@...edu
To: FFSpy Buster <ffspybuster@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Is FFSpy a hoax?

On Sat, 30 May 2009 12:31:03 +0530, FFSpy Buster said:

> He suggests that Firefox must do something to notify the user when an addon
> has been compromised by a remote attacker. He agrees that the remote
> attacker has to gain physical or local access to the system by remotely
> logging in or something.

I wouldn't rank it as a major panic, but it *is* pointing out an interesting
and little-considered place for an attacker who has gotten access to leave a
back door for themselves. Most security books will tell you to check places
like 'crontab', and I've seen backdoors and other attacks hidden in .vimrc and
.gdbinit files, but don't mention browser plugins and add-ons.  This is a bit
more nefarious because the API and packaging of Firefox add-ons isn't well
understood by most people, so it's hard to tell where exactly to look, and for
what.

>                            Let us say the attacker ssh-ed or telnet-ed into
> the user's PC and modified an addon. What measures can Firefox take to
> notify the user of the modification?
> 
> I can't imagine any because if it is digital signature or checksum based,
> the attacker can very well modify the public key or the checksum in
> Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an
> unnecessary panic being created by Duarte Silva. Please correct me if I am
> wrong.

The trick is to take the signature/checksum and store it someplace that
isn't writable by the user.  For instance, the venerable Tripwire or the
more recent Aide will be able to detect this sort of attack - and if you're
really paranoid and store the Tripwire keys and database offline (cd-rom or
USB key, etc), it will even be able to work if the system gets compromised
(booting off known clean media needed for this one, of course).


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
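The detection approach described in the reply above (a Tripwire/AIDE-style baseline whose key and database live somewhere the compromised account cannot write) as an added example; this is illustration code written for this page, not code from the message, from Tripwire, from AIDE or from Mozilla. The profile layout, the add-on id "example-addon@example.invalid", the file contents and the "offline" directory standing in for removable media are all constructed for the demonstration.

```python
"""
Minimal file-integrity baseline over a Firefox profile's extensions
directory. The baseline is an HMAC-signed list of (path, sha256); the
key and the signed baseline are stored outside the profile. An attacker
who can write the profile can tamper with add-on files and can even
re-sign a baseline of their own, but without the offline key that
forgery fails verification.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = hash_file(full)
    return entries


def sign_baseline(entries: dict, key: bytes) -> bytes:
    """Serialize the snapshot and append an HMAC-SHA256 over it."""
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "mac": mac}).encode()


def verify(root: str, baseline: bytes, key: bytes) -> dict:
    """Check the baseline's MAC with the trusted key, then diff it against disk."""
    doc = json.loads(baseline)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        # A baseline signed with some other key is worthless: report it as such
        return {"baseline_ok": False, "modified": [], "added": [], "removed": []}
    old, new = doc["entries"], snapshot(root)
    return {
        "baseline_ok": True,
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo() -> dict:
    """Build a constructed profile, baseline it, tamper with it, verify twice."""
    work = tempfile.mkdtemp()
    try:
        profile = os.path.join(work, "profile")
        ext = os.path.join(profile, "extensions", "example-addon@example.invalid")
        os.makedirs(os.path.join(ext, "chrome", "content"))
        with open(os.path.join(ext, "install.rdf"), "w") as f:
            f.write("<RDF/>\n")  # constructed placeholder, not a real manifest
        overlay = os.path.join(ext, "chrome", "content", "overlay.js")
        with open(overlay, "w") as f:
            f.write("// benign add-on code\n")

        # Key and baseline go to a directory standing in for offline media.
        key = os.urandom(32)
        offline = os.path.join(work, "offline")
        os.makedirs(offline)
        with open(os.path.join(offline, "baseline.json"), "wb") as f:
            f.write(sign_baseline(snapshot(profile), key))

        # Attacker with the user's privileges edits the add-on ...
        with open(overlay, "a") as f:
            f.write("// line injected by attacker\n")
        # ... and signs a fresh baseline with a key of their own choosing.
        forged = sign_baseline(snapshot(profile), os.urandom(32))

        with open(os.path.join(offline, "baseline.json"), "rb") as f:
            trusted = f.read()
        return {
            "offline": verify(profile, trusted, key),   # detects the edit
            "forged": verify(profile, forged, key),     # rejects the forgery
            "target": os.path.relpath(overlay, profile),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the reply makes is the key line: the same check run against a baseline the attacker could rewrite proves nothing, so in practice the key and database stay on read-only or removable media and the comparison is run from a boot of known-clean media.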