Date: Sun, 4 Dec 2011 08:09:12 +1100
From: xD 0x41 <secn3t@...il.com>
To: Michele Orru <antisnatchor@...il.com>, Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: fast and somewhat reliable cache timing

Yea, it is interesting. I tested it on Firefox v8, Windows XP platform, and it did not find anything, mind you I use 'private browsing' for *all* browsing... so I am wondering if that maybe helps keeping my cache secure... I also noticed that it returned no results, when in fact I had just been redirected from gmail to there, which would mean google.com would have shown... so, private browsing must be a safer way to browse..

Very awesome PoC. I do recall also some botnet source codes in .cpp codes of bots which can dump caches of up to I think FF4 or so now.. when the dlls were used to store things possibly... I have not kept up with it, but that was in a lot of bots, just called pstore.cpp, and similarly the cmd could be done with .pstore website.com, and that would do a cache search, for about 5-6 browsers in one.. it managed to work with IE and FF anyhow. I tested srcs of 120- and nzmbot and they were able to extract infos they shouldn't have...

Your eBook is definitely on my to-read list, and I am already looking at the chapter 3 you give away free on your blog. Actually, I know *anything* you write about is going to be good :)

cheers mate.
d

On 3 December 2011 22:50, Michele Orru <antisnatchor@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Great PoC Michal,
>
> I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX
> 10.6.8 and it is reliable.
>
> I'm certainly adding it to the BeEF project.
>
> Cheers
> antisnatchor
>
> Michal Zalewski wrote:
>> Evening,
>>
>> This party trick is not particularly exciting, but hopefully
>> highlights a vaguely interesting point:
>>
>> http://lcamtuf.coredump.cx/cachetime/
>>
>> In essence, in the past few years, browser vendors have severely
>> crippled CSS :visited selectors in order to prevent CSS-based history
>> snooping that made the headlines not long ago (see, for example,
>> http://wtikay.com). Although it's fairly obvious that other privacy
>> side channels, such as cache timing, theoretically disclose comparable
>> data, the attacks demonstrated so far offered, at best, vaguely
>> probabilistic results (say,
>> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
>> cache probing was considered destructive, which significantly limited
>> its usability.
>>
>> Consequently, an argument was made that CSS :visited offered unique
>> performance and reliability benefits and needed to be addressed
>> separately, while no serious work takes place on the remaining
>> vectors.
>>
>> My PoC exploits cache timing in Firefox in what appears to be a fairly
>> fast and reliable way. It is a crude hack, so it will probably fail
>> for some of you - but it's probably still interesting. The key point
>> is that to probe for cached content without immediately polluting the
>> cache, we abort navigation before the HTTP request is made. We also
>> work around setTimeout / setInterval clamps by leveraging event
>> delivery.
>>
>> PS. If this is even remotely interesting, you may also enjoy
>> http://lcamtuf.coredump.cx/tangled/
>>
>> Cheers,
>> /mz
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW
> C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR
> 7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX
> 50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm
> 11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk
> Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE=
> =nUp+
> -----END PGP SIGNATURE-----
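The thread discusses probing the browser cache to learn which sites a user has visited. The server-side counterpart is to make sure responses whose mere presence in the cache reveals a visit are never stored. The following is an added example written for this page; it is not code from the thread, from the cachetime PoC, or from BeEF. It assumes Node.js and uses constructed, hypothetical URLs and header values: it parses Cache-Control, classifies whether a response would leave a cache entry that timing could later observe, and shows the hardened header set for visit-revealing responses next to the weaker settings.

```javascript
// Added defensive example (not from the thread). Classifies whether a
// response's Cache-Control directives let the browser store it, so that its
// presence in the cache could later be observed through a timing side channel,
// and builds hardened headers for responses whose presence reveals a visit.

// Parse a Cache-Control header value into a map of directive -> value (or true).
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const [name, ...rest] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (!key) continue;
    directives[key] = rest.length
      ? rest.join('=').trim().replace(/^"|"$/g, '')
      : true;
  }
  return directives;
}

// A response is storable, and therefore observable through cache timing,
// unless it carries no-store. no-cache and max-age=0 still allow the body to
// be stored; they only force revalidation before reuse, so they are reported
// as the weaker "stored-revalidate" setting. With no Cache-Control at all the
// browser may cache heuristically, which we report as "stored".
function classifyCachePolicy(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store']) return 'not-stored';
  if (cc['no-cache'] || cc['max-age'] === '0') return 'stored-revalidate';
  return 'stored';
}

// Hardened headers for a response that must not leave a cache footprint.
// Assumption: the caller has already decided the resource is visit-revealing
// (a logged-in page, a per-user asset). Later keys override anything in extra.
function sensitiveResponseHeaders(extra = {}) {
  return {
    ...extra,
    'cache-control': 'no-store',
    'pragma': 'no-cache', // HTTP/1.0 intermediaries ignore Cache-Control
  };
}

// Constructed sample responses for a hypothetical site (not from the thread).
const SAMPLE_RESPONSES = [
  { url: '/inbox', headers: { 'cache-control': 'private, max-age=600' } },
  { url: '/static/logo.png', headers: { 'cache-control': 'public, max-age=86400' } },
  { url: '/account', headers: { 'cache-control': 'no-cache' } },
  { url: '/logout', headers: sensitiveResponseHeaders({ 'content-type': 'text/html' }) },
];

// Audit: list every response that would leave an entry in the browser cache.
function auditResponses(responses) {
  return responses
    .map((r) => ({ url: r.url, policy: classifyCachePolicy(r.headers) }))
    .filter((r) => r.policy !== 'not-stored');
}

// Findings for the constructed sample: /inbox, /static/logo.png and /account
// are reported; /logout is not.
const FINDINGS = auditResponses(SAMPLE_RESPONSES);
for (const finding of FINDINGS) {
  console.log(`${finding.url}: ${finding.policy}`);
}
```

Note that a public, shared asset such as the logo above is correctly cacheable; the finding is only a problem when the asset is unique to a site the user would rather not be known to have visited. Whether a `no-cache` entry is distinguishable by a given probing technique depends on that technique, which is why the audit reports it separately rather than treating it as safe.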