Message-ID: <AANLkTinLNGUGKG3Zy9TkoUbEXMLcSL_TMWbk5DgS-Oe0@mail.gmail.com>
Date: Mon, 28 Jun 2010 06:51:56 -0700
From: Chris Evans <scarybeasts@...il.com>
To: Lavakumar Kuppan <lava@...labs.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chrome and Safari users open to stealth HTML5 Application Cache attack

Hello Lava,

It's an interesting twist but it does not seem to offer network
attackers any additional advantage beyond what they can already
achieve.

For example, a similar attack works against the Firefox and Opera
browsers I have installed on my laptop:

echo -ne 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\nExpires: Sat, 01 Jan 2011 00:00:00 GMT\r\n\r\n<script>alert("hi")</script>' | nc -l -p 8080

In both instances, you can prime the cache for the root resource with
this payload. If you then completely restart the browsers, you'll see
that localhost:8080/ will still execute the script without even
consulting the network.

(Caching headers are browser and version sensitive so you may have to
fiddle with Max-Age, Cache-Control etc. depending on what you have).

In terms of your documented attack, the fake login page (step 6) is
shown over plain HTTP, i.e. the SSL lock icon will be missing. This
would be the same user experience as if the user were under attack via
SSLstrip.

In summary, any http hit on an insecure network is dangerous on all browsers.
(FWIW, Chromium resolves this for me. When I type mail<enter> into the
omnibar, it auto-completes to https://mail.google.com/)


Cheers
Chris

On Sun, Jun 27, 2010 at 3:28 PM, Lavakumar Kuppan <lava@...labs.org> wrote:
> Google Chrome and Safari support HTML5 Application Cache.
> But unlike Firefox and Opera they do not ask for user permission before
> allowing a site to create an Application Cache.
> On unsecured networks, attackers could stealthily
> create malicious Application Caches in the browser of victims for even HTTPS
> sites.
> It has always been possible to poison the browser cache and compromise the
> victim's account for HTTP based sites.
> With HTML5 Application Cache, it is possible to poison the cache of even
> HTTPS sites.
> Details
> - http://blog.andlabs.org/2010/06/chrome-and-safari-users-open-to-stealth.html
> I have also released a POC using which both Facebook and Gmail can be
> compromised.
> POC - http://www.andlabs.org/tools/imposter/imposter_poc.zip
> Video - http://www.youtube.com/watch?v=00sKMMyXJsI
>
> Cheers,
> Lava
> http://www.andlabs.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
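The point of the reply above is that a plain-http response carrying active content and a long freshness lifetime is the thing to worry about, whatever the browser. The Python below is an added example (not code from either mail or from the andlabs POC) that audits a raw HTTP/1.1 response for exactly that combination: it parses the headers, computes how long a cache may reuse the response without revalidation (Cache-Control max-age/s-maxage first, then Expires minus Date), and flags HTML or script served over http:// that stays fresh for an hour or more. The function and constant names (`audit`, `freshness_lifetime`, `hardened`, `PRIMED`) are my own, and the sample response is constructed from the `nc` payload in the thread with a Date header added so the arithmetic is deterministic.

```python
"""Audit HTTP responses for long-lived caching of active content.

Added example (not from the original mail or any project it names): given a
raw HTTP/1.1 response such as the one primed with `nc` in the thread, work
out how long a browser may serve it without revalidating, and flag the
combination the thread warns about (HTML or script, reachable over plain
http, fresh for a long time).  Sample responses below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ACTIVE_TYPES = {"text/html", "text/javascript", "application/javascript"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # last value wins
    return lines[0], headers, body


def parse_cache_control(value: str):
    """Cache-Control directives as {name: value-or-None}, names lower-cased."""
    directives = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') or None
    return directives


def _http_date(value: str):
    """Parse an RFC 1123 date; None if malformed (treated as already expired)."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def freshness_lifetime(headers: dict, now=None) -> int:
    """Seconds a cache may reuse the response without revalidation (0 = must not)."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    for key in ("s-maxage", "max-age"):          # explicit lifetimes beat Expires
        if cc.get(key) is not None and cc[key].isdigit():
            return int(cc[key])
    if "expires" in headers:
        expires = _http_date(headers["expires"])
        if expires is None:
            return 0
        base = _http_date(headers["date"]) if "date" in headers else None
        base = base or now or datetime.now(timezone.utc)
        return max(0, int((expires - base).total_seconds()))
    return 0  # no explicit freshness: conservatively assume revalidation


def audit(url: str, raw: bytes, long_lived: int = 3600, now=None):
    """Return a list of findings for one (url, response) pair; empty if clean."""
    _, headers, _ = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    lifetime = freshness_lifetime(headers, now)
    findings = []
    if url.startswith("http://") and ctype in ACTIVE_TYPES and lifetime >= long_lived:
        findings.append(f"{url}: {ctype} cacheable for {lifetime}s over plain http; "
                        "a poisoned copy would survive a browser restart")
    return findings


def hardened(headers: dict) -> dict:
    """Headers with document caching disabled (what a login page should send)."""
    fixed = {k: v for k, v in headers.items() if k not in ("expires", "cache-control")}
    fixed["cache-control"] = "no-store, max-age=0"
    return fixed


# Constructed sample: the response primed with `nc` in the mail, plus a Date header.
PRIMED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n"
          b"Date: Mon, 28 Jun 2010 00:00:00 GMT\r\n"
          b"Expires: Sat, 01 Jan 2011 00:00:00 GMT\r\n\r\n"
          b'<script>alert("hi")</script>')

if __name__ == "__main__":
    for finding in audit("http://localhost:8080/", PRIMED):
        print(finding)
```

Run against the sample, the audit reports the root resource as cacheable for 187 days over plain http; the same response fetched over https:// produces no finding, and `hardened()` brings the lifetime to zero, which is the header set a login or session-bearing page should carry regardless of transport. The lifetime computation follows the precedence browsers use (no-store/no-cache, then max-age, then Expires) but deliberately ignores heuristic freshness, so it under-reports rather than over-reports.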

