Open Source and information security mailing list archives
 
Message-ID: <410BD01B.7020302@mbio.ncsu.edu>
From: whbeers at mbio.ncsu.edu (Will Beers)
Subject: Re: Mozilla Firefox Certificate Spoofing

I got this working on both Windows and Linux versions of Firefox and
Mozilla; it's been submitted and patched.

http://bugzilla.mozilla.org/show_bug.cgi?id=253121

Will Beers


Juan Carlos Navea wrote:
> Has anyone tried the proof of concept with a real SSL cert and gotten it working?
> 
> I just tried it using two different ssl urls and the page only
> redirected me to the proper site. I did not see the output generated
> by document.writeln even after viewing the source.
> 
> Can anyone confirm this? I haven't seen any mention of it on bugzilla either. 
> 
> I'm using:
> 
> 0.9.2 on Windows2k
> 
> 
> On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuel@...reen.com> wrote:
> 
>>Has this been posted to Bugzilla????
>>
>>E.Kellinis wrote:
>>
>>>#########################################
>>>Application:    Mozilla Firefox
>>>Vendors:        http://www.mozilla.com
>>>Version:         0.9.1 / 0.9.2
>>>Platforms:       Windows
>>>Bug:               Certificate Spoofing (Phishing)
>>>Risk:              High
>>>Exploitation:   Remote with browser
>>>Date:             25 July 2004
>>>Author:          Emmanouel Kellinis
>>>e-mail:           me@...her(dot)org(dot)uk
>>>web:              http://www.cipher.org.uk
>>>List :              BugTraq(SecurityFocus)/ Full-Disclosure
>>>#########################################
>>>
>>>
>>>=======
>>>Product
>>>=======
>>>A popular Web browser, good alternative of IE and
>>>"The web browser" for linux machines,
>>>used to view pages on the World Wide Web.
>>>
>>>===
>>>Bug
>>>===
>>>
>>>Firefox has a caching problem, as a result of that someone can
>>>spoof a certificate of any website and use it as his/her own.
>>>The problem is exploited using onunload inside < body> and
>>>redirection using Http-equiv Refresh metatag, document.write()
>>>and document.close()
>>>
>>>First you direct the redirection metatag to the website
>>>of which you want to spoof the certificate, then inside
>>>the < body> tag you add onunload script so you can control
>>>the output inside the webpage with the spoofed certificate.
>>>
>>>After that you say to firefox, as soon as you unload this page
>>>close the stream, apparently the stream you close is
>>>the redirection website, you do that with
>>>document.close().
>>>
>>>Now you can write anything you want, you do that
>>>using document.write(). After writing the content of your choice
>>>you close the stream again, usually Firefox won't display your content,
>>>although if you check the source code you see it , so the last thing
>>>is to refresh the new page (do that using window.location.reload()),
>>>after that you have your domain name in the URL field, your content
>>>in the browser and the magic yellow Lock on the bottom left corner,
>>>if you pass your mouse over it you will see displayed the name of
>>>the website you spoofed the certificate, if you double click on it you
>>>will check full information of the certificate without any warning!
>>>
>>>You don't need to have SSL in your website! It will work with
>>>http.
>>>
>>>Additionally, using this bug malicious websites can bypass content
>>>filtering using SSL properties.
>>>
>>>
>>>=====================
>>>Proof Of Concept Code
>>>=====================
>>>
>>>< HTML>
>>>< HEAD>
>>>< TITLE>Spoofer< /TITLE>
>>>< META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
>>>< /HEAD>
>>>< BODY
>>>onunload="
>>>document.close();
>>>document.writeln('< body onload=document.close();break;>
>>>            < h3>It is Great to Use example's Cert!');
>>>
>>>document.close();
>>>window.location.reload();
>>>">
>>>< /body>
>>>
>>>
>>>=========================================================
>>>*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
>>>=========================================================
>>
>>--
>>Stephen Samuel +1(604)876-0426                samuel@...reen.com
>>                   http://www.bcgreen.com/~samuel/
>>    Powerful committed communication. Transformation touching
>>      the jewel within each person and bringing it to light.
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
> 
> 
> 
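
A static check for the page structure the quoted advisory describes (a meta refresh to an https URL combined with an onunload handler that calls document.close() and document.write()), as an added example that is not part of the original thread. The class name, function name and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Script calls the advisory names as ingredients of the trick.
SUSPECT_CALLS = ("document.write", "document.close", "location.reload")

class SpoofPatternScanner(HTMLParser):
    """Collects the meta-refresh target and suspicious onunload calls."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refresh_target = None   # URL named in <meta http-equiv=refresh>
        self.unload_calls = set()    # SUSPECT_CALLS seen in any onunload handler

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", attrs.get("content", ""), re.I)
            if m:
                self.refresh_target = m.group(1)
        # Strip whitespace so "document . close ()" style spacing still matches.
        handler = re.sub(r"\s+", "", attrs.get("onunload", ""))
        self.unload_calls.update(c for c in SUSPECT_CALLS if c in handler)

def scan(html):
    """Flag pages that redirect to https and rewrite the document on unload."""
    s = SpoofPatternScanner()
    s.feed(html)
    s.close()
    to_https = bool(s.refresh_target) and s.refresh_target.lower().startswith("https://")
    rewrites = {"document.write", "document.close"} <= s.unload_calls
    return {"refresh_target": s.refresh_target,
            "unload_calls": sorted(s.unload_calls),
            "suspicious": to_https and rewrites}

# Constructed sample pages (not taken from the thread).
SAMPLE_SUSPECT = """<html><head>
<meta http-equiv="refresh" content="0;URL=https://www.example.com">
</head><body onunload="
document.close();
document.writeln('placeholder text');
window.location.reload();
"></body></html>"""

SAMPLE_BENIGN = """<html><head>
<meta http-equiv="refresh" content="5; url=https://www.example.com/moved">
</head><body onunload="saveDraft();"><p>This page has moved.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, scan(page))
```

The check is a heuristic for content filters and page review: an ordinary redirect page with an unrelated onunload handler, like the benign sample, is not flagged.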
