lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6905b1570702111347v283dfbcbse8cb162c9f9bedfd@mail.gmail.com>
Date: Sun, 11 Feb 2007 21:47:31 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Firefox focus stealing vulnerability
	(possibly other browsers)

Well, :) I cannot see how you can force someone to type / at least
twice. Even if the targeted user writes a blog entry it is very
unlikely that he/she will use / . I guess this vector works well on
wikies and other systems that allow you to specify the text format
through meta-characters.

The cool think about stealing the address bar focus is that a confused
user will try to repeat typing the url again and that may give you
enough slashes and other characters to steal /etc/shadow or
/etc/passwd for example, which means that this attack vector can work
virtually every where. For example:

Joe visits eveil.com. He is not interested in the site but evil.com is
interested in his files. Joe types http://[what ever]. evil.com
hijacks the address bar focus. This is how they get the first /. Joe
will probably repeat to type stuff in the address bar again. The rest
of the characters are not obtained.

Now of course Joe will realise that he is not typing in the address
bar but he will probably think that either the browser is screwed up
or that he forgot to select the address bar first (it happens all the
time).

So, this is why I think that combination of both issues can create one
hell of a good attack.

Here is another idea.

Joe visits Betty's MySpace private page. The page contains XSS. On the
page there is an input box and a captcha. The user is asked to enter
the text in the captcha in order to access the page. The captcha is:

pde/t/aswsc

Joe enters the text but the he receives a complain that his input is
incorrect. The attacker repeats the process until all required
characters are entered into the FILE INPUT box.

simple.

On 2/11/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote:
> On Sun, 11 Feb 2007, pdp (architect) wrote:
>
> > here is an idea... we can combine both techniques into a single
> > attack... the hardest part of your hack is to force the user to type
> > :// plus several other /
>
> Actually, MSIE doesn't require drive specification in the filename, and
> will probably accept relative paths as well (so you might not need \
> either when picking files from the desktop or 'my documents' or whatnot).
>
> Firefox won't settle for a path without drive specification (but it will
> accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is
> easier than C:\whatever.
>
> The problem with intercepting address bar input is that you can't echo the
> entered text back there without unloading the current document and its
> scripts; in my examples, I tried to make sure that it's hard for the user
> to notice that his input is not going where it should (in MSIE example,
> this includes simulation of a blinking cursor).
>
> /mz
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ