[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3b28167f0407310740138ffbc@mail.gmail.com>
From: loconet at gmail.com (Juan Carlos Navea)
Subject: Re: Mozilla Firefox Certificate Spoofing
Has anyone tried the proof of concept with a real ssl cert and get it working?
I just tried it using two different ssl urls and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.
Can anyone confirm this? I haven't seen any mention of it on bugzilla either.
Im using:
0.9.2 on Windows2k
On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuel@...reen.com> wrote:
> Has this been posted to bugilla????
>
> E.Kellinis wrote:
> > #########################################
> > Application: Mozilla Firefox
> > Vendors: http://www.mozilla.com
> > Version: 0.9.1 / 0.9.2
> > Platforms: Windows
> > Bug: Certificate Spoofing (Phishing)
> > Risk: High
> > Exploitation: Remote with browser
> > Date: 25 July 2004
> > Author: Emmanouel Kellinis
> > e-mail: me@...her(dot)org(dot)uk
> > web: http://www.cipher.org.uk
> > List : BugTraq(SecurityFocus)/ Full-Disclosure
> > #########################################
> >
> >
> > =======
> > Product
> > =======
> > A popular Web browser,good alternative of IE and
> > "The web browser" for linux machines,
> > used to view pages on the World Wide Web.
> >
> > ===
> > Bug
> > ===
> >
> > Firefox has caching problem, as a result of that someone can
> > spoof a certificate of any website and use it as his/her own.
> > The problem is exploited using onunload inside < body> and
> > redirection using Http-equiv Refresh metatag,document.write()
> > and document.close()
> >
> > First you direct the redirection metatag to the website
> > of which you want to spoof the certificate, then inside
> > the < body> tag you add onulnoad script so you can control
> > the output inside the webpage with the spoofed certificate.
> >
> > After that you say to firefox, as soon as you unload this page
> > close the stream, aparently the stream you close is
> > the redirection website, you do that with
> > document.close().
> >
> > Now you can write anything you want , you do that
> > using document.write(). After writing the content of you choice
> > you close the stream again , usually firefox wont display your content,
> > although if you check the source code you see it , so the last thing
> > is to refresh the new page (do that using window.location.reload()),
> > after that you have your domain name in the url field , your content
> > in the browser and the magic yellow Lock on the bottom left corner,
> > if you pass your mouse over it you will see displayed the name of
> > the website you spoofed the certificate, if you double click on it you
> > will check full information of the certificate without any warning !
> >
> > You dont need to have SSL in your website ! it will work with
> > http.
> >
> > Additional using this bug malicious websites can bypass content
> > filtering using SSL properties.
> >
> >
> > =====================
> > Proof Of Concept Code
> > =====================
> >
> > < HTML>
> > < HEAD>
> > < TITLE>Spoofer< /TITLE>
> > < META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
> > < /HEAD>
> > < BODY
> > onunload="
> > document.close();
> > document.writeln('< body onload=document.close();break;>
> > < h3>It is Great to Use example's Cert!');
> >
> > document.close();
> > window.location.reload();
> > ">
> > < /body>
> >
> >
> > =========================================================
> > *PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
> > =========================================================
>
> --
> Stephen Samuel +1(604)876-0426 samuel@...reen.com
> http://www.bcgreen.com/~samuel/
> Powerful committed communication. Transformation touching
> the jewel within each person and bringing it to light.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
http://scott.telnetd.com/loco/
Powered by blists - more mailing lists