lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <46B214B4.5080606@airscanner.com>
Date: Thu, 02 Aug 2007 13:30:28 -0400
From: Seth Fogie <seth@...scanner.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Minimo .2 and more Firefox 2.0.0.6 Password
	Manager Vulnerabilites

Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox 
2.0.0.6 Product:
Minimo <=.2 and Firefox 2.0.0.6

Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox 
2.0.0.6 Windows XP SP2

Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile) 
and 08/02/2007 for Firefox 2.0.0.6

Risk Level:
High - Disclosure of sensitive information

Program Summary:
 From the website: http://www.mozilla.org/projects/minimo/

Minimo uses Mozilla Technologies to produce a highly usable web browser 
for advanced mobile devices. Features include:
* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support

Vulnerability Details:
Minimo includes a password manager feature that allows users to store 
user/password information of sites they visit. There are two ways this 
feature can be abused. First, the action of any form can be changed 
dynamically via JavaScript, which could be introduced into a site via a 
cross-site scripting (XSS)bug. Second, the form fields can be 
automatically filled in without user interaction. As a result, a XSS bug 
could allow an attacker to inject an invisible form into a victims 
browser that could collect the user/pass without any interaction or 
visible indication.

Note: The Password Manager bug is often misunderstood for how it work. 
The reason is that there are numerous subtle variations on how the 
username and password show up. The following highlights some of these:

1. If there is only one username stored in the password manager for the 
specific, it will automatically show up in the username field. If there 
is more than one username stored in the Password Manager, a user would 
normally type in or select the specific username for the site, which 
then allows Minimo/Firefox to fill in the password. As a result, an 
attacker would have to know the username to successfully grab the 
credentials.

2. If the password field is named 'password' and there is only one 
username associated with the site, the Password Manager will 
automatically fill in both the user and password. This particular 
version was noticed by 
http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml.

Similar Firefox bugs has been known about since mid-2006; however, 
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these 
are supposedly resolved.

The details and vulnerable status of Minimo .2 and below is new.

Proof of Concept

The following webpage provides a link to two pages. The login.php page 
is just a sample form that you can enter a user/pass into. Enter and 
save some sample info and then click on the second poc.htm link. This 
will open a page with a script inside that dynamically creates a framed 
environment, one of which is essentially hidden (note: using 
style:hidden will not work). In the hidden frame, the login.php page is 
loaded, the action is changed, and the user/pass are tickled into the 
form fields. You should see two popups - one with the changed form 
action, and the other with the stored user & pass variables.

http://www.airscanner.com/tests/minimo.htm

Workaround:
Don't use password manager.

Vendor Response:
Awaiting Response.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ