Message-ID: <4106A893.1050502@wavetex.com>
Date: Tue, 27 Jul 2004 14:10:11 -0500
From: Chris Brown <chris@...etex.com>
To: bugtraq@...urityfocus.com
Subject: Re: Mozilla Firefox Certificate Spoofing


Your example appears to work with Linux (Fedora FC1, Firefox 9.1) as well.

Chris

E.Kellinis wrote:

>#########################################
>Application:    Mozilla Firefox
>Vendors:        http://www.mozilla.com
>Version:         0.9.1 / 0.9.2
>Platforms:       Windows
>Bug:               Certificate Spoofing (Phishing)
>Risk:              High
>Exploitation:   Remote with browser
>Date:             25 July 2004
>Author:          Emmanouel Kellinis
>e-mail:           me@...her(dot)org(dot)uk
>web:              http://www.cipher.org.uk
>List :              BugTraq(SecurityFocus)/ Full-Disclosure
>#########################################
>
>
>=======
>Product
>=======
>A popular Web browser, a good alternative to IE and 
>"The web browser" for Linux machines,
>used to view pages on the World Wide Web.
>
>===
>Bug
>===
>
>Firefox has a caching problem; as a result, someone can 
>spoof a certificate of any website and use it as his/her own.
>The problem is exploited using onunload inside < body> and 
>redirection using the Http-equiv Refresh metatag, document.write()
>and document.close().
>
>First you direct the redirection metatag to the website 
>of which you want to spoof the certificate, then inside 
>the < body> tag you add an onunload script so you can control
>the output inside the webpage with the spoofed certificate.
>
>After that you say to Firefox, as soon as you unload this page 
>close the stream; apparently the stream you close is 
>the redirection website. You do that with 
>document.close().
>
>Now you can write anything you want; you do that 
>using document.write(). After writing the content of your choice
>you close the stream again. Usually Firefox won't display your content,
>although if you check the source code you see it, so the last thing 
>is to refresh the new page (do that using window.location.reload()). 
>After that you have your domain name in the URL field, your content 
>in the browser and the magic yellow lock in the bottom left corner. 
>If you pass your mouse over it you will see displayed the name of 
>the website whose certificate you spoofed; if you double click on it you 
>can check the full information of the certificate without any warning!
>
>You don't need to have SSL on your website! It will work with 
>http.
>
>Additionally, using this bug malicious websites can bypass content 
>filtering using SSL properties.
>
>
>=====================
>Proof Of Concept Code
>=====================
>
>< HTML>
>< HEAD>
>< TITLE>Spoofer< /TITLE>
>< META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
>< /HEAD>
>< BODY 
>onunload="
>document.close();
>document.writeln('< body onload=document.close();break;>
>            < h3>It is Great to Use example's Cert!');
>
>document.close();
>window.location.reload();
>">
>< /body>
>
>
>=========================================================
>*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
>=========================================================
>
>
>  
>

-- 
Chris Brown
System Administrator
Wavetex Inc.
903-597-7566	http://wavetex.com/
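
A static check for the page structure the advisory describes (a meta refresh to another host's https URL combined with an onunload handler that rewrites and reloads the document), usable in a content filter or crawl review. This is an added example, not part of either post; `scan`, `RefreshUnloadScanner`, the host names and the two-call threshold are assumptions, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Calls the advisory names inside the onunload handler.
SUSPECT_CALLS = ("document.close", "document.write", "location.reload")

class RefreshUnloadScanner(HTMLParser):
    """Collects the meta refresh target and the text of onunload handlers."""
    def __init__(self):
        super().__init__()
        self.refresh_url = None
        self.unload_js = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # parser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_url = m.group(1)
        if "onunload" in a:
            self.unload_js.append(a["onunload"])

def scan(html, page_host):
    """Flag a page that refreshes to another host's https URL while an
    onunload handler rewrites and reloads the document."""
    p = RefreshUnloadScanner()
    p.feed(html)
    p.close()
    js = " ".join(p.unload_js)
    calls = [c for c in SUSPECT_CALLS if c in js]
    target = urlsplit(p.refresh_url or "")
    cross_https = target.scheme == "https" and target.hostname not in (None, page_host)
    # Assumption: two or more of the named calls is the reporting threshold.
    return {"refresh_url": p.refresh_url, "calls": calls,
            "suspicious": cross_https and len(calls) >= 2}

# Constructed samples (hosts are placeholders).
FLAGGED = """<html><head>
<meta http-equiv="REFRESH" content="0;URL=https://www.example.com">
</head><body onunload="document.close();
document.writeln('replacement content');
document.close(); window.location.reload();"></body></html>"""
BENIGN_REFRESH = ('<html><head><meta http-equiv="refresh" '
                  'content="5; url=https://shop.test/new"></head><body></body></html>')
BENIGN_UNLOAD = '<html><body onunload="saveDraft()"><p>editor</p></body></html>'

if __name__ == "__main__":
    for name, doc in [("flagged", FLAGGED), ("refresh only", BENIGN_REFRESH),
                      ("unload only", BENIGN_UNLOAD)]:
        print(name, scan(doc, "shop.test"))
```

A same-host refresh or an unrelated onunload handler alone is not reported; only the combination is.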


