lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 23 Jun 2008 20:12:59 +0200
From: "azurIt" <azurit@...ox.sk>
To: bugtraq@...urityfocus.com
Subject: Firefox 3.0 security bug: Extensions can STILL hide themselves

Background
----------
Firefox is very popular and secure web browser. Until now, it is used by
millions of people and thousands of internet clubs. One of the great features of
Firefox are extensions. You can use them to create things inside your browser
which are beyond your imagination.

Overview
--------
Every Firefox extensions developer knows the 'hidden' property of 'install
manifest'. This property can be used to hide _globally_ installed extensions and
it can't hide only local extension (this is a design feature so the extensions
installed by users can't be hidden). But there is another way to make extension
hidden..

Did you know that you can't trust to what Extensions manager is saying ? For
detailed information look at the function 'hide_me()' in file
'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC. This bug was in
older versions of Firefox and was 'inherited' also in Firefox 3.

Proof of Concept
----------------
As a PoC I updated my Firefox sniffer extension (FFsniFF) so now it's compatible
with Firefox 3 (was released today). You can download it here:
http://azurit.elbiahosting.sk/ffsniff/

The new version (0.3) was tested with Firefox 2.0 and 3.0 .

FFsniFF is a simple Firefox extension, which transforms your browser into the
html form sniffer. Every time the user click on 'Submit' button, FFsniFF will
try to find a non-blank password field in the form. If it's found, entire form
(also with URL) is sent to the specified e-mail address. It also has the ability
to hide itself from 'Extensions manager'.

Solution
--------
There's no solution for this problem at this time.

azurIt, azurIt@...net, azurit (at) pobox (dot) sk


Powered by blists - more mailing lists