Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

from [Will Beers] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
Date: Sat, 31 Jul 2004 13:00:11 -0400
I got this working on both windows and linux versions of firefox and mozilla, it's been submitted and patched.

http://bugzilla.mozilla.org/show_bug.cgi?id=253121

Will Beers


Juan Carlos Navea wrote:
Has anyone tried the proof of concept with a real ssl cert and get it working? 

I just tried it using two different ssl urls and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.

Can anyone confirm this? I haven't seen any mention of it on bugzilla either.

Im using: 

0.9.2 on Windows2k


On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuel@bcgreen.com> 
wrote:

Has this been posted to bugilla????

E.Kellinis wrote:

#########################################
Application:    Mozilla Firefox
Vendors:        http://www.mozilla.com
Version:         0.9.1 / 0.9.2
Platforms:       Windows
Bug:               Certificate Spoofing (Phishing)
Risk:              High
Exploitation:   Remote with browser
Date:             25 July 2004
Author:          Emmanouel Kellinis
e-mail:           me@cipher(dot)org(dot)uk
web:              http://www.cipher.org.uk
List :              BugTraq(SecurityFocus)/ Full-Disclosure
#########################################


=======
Product
=======
A popular Web browser,good alternative of IE and
"The web browser" for linux machines,
used to view pages on the World Wide Web.

===
Bug
===

Firefox has caching problem, as a result of that someone can
spoof a certificate of any website and use it as his/her own.
The problem is exploited using onunload inside  < body> and
redirection using Http-equiv Refresh metatag,document.write()
and document.close()

First you direct the redirection metatag to the website
of which you want to spoof the certificate, then inside
the < body> tag you add onulnoad script so you can control
the output inside the webpage with the spoofed certificate.

After that you say to firefox, as soon as you unload this page
close the stream, aparently the stream you close is
the redirection website, you do that with
document.close().

Now you can write anything you want , you do that
using document.write(). After writing the content of you choice
you close the stream again , usually firefox wont display your content,
although if you check the source code you see it , so the last thing
is to refresh the new page (do that using window.location.reload()),
after that you have your domain name in the url field , your content
in the browser and the magic yellow Lock on the bottom left corner,
if you pass your mouse over it you will see displayed the name of
the website you spoofed the certificate, if you double click on it you
will check full information of the certificate without any warning !

You dont need to have SSL in your website ! it will work with
http.

Additional using this bug malicious websites can bypass content
filtering using SSL properties.


=====================
Proof Of Concept Code
=====================

< HTML>
< HEAD>
< TITLE>Spoofer< /TITLE>
< META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com";>
< /HEAD>
< BODY
onunload="
document.close();
document.writeln('< body onload=document.close();break;>
           < h3>It is Great to Use example's Cert!');

document.close();
window.location.reload();
">
< /body>


=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================


--
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
                  http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-Disclosure] FullDisclosure: CWS removal tools, Todd Towles
Next by Date:  Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing, Peter Besenbruch
Previous by Thread:  Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing, Juan Carlos Navea
Next by Thread:  Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing, Peter Besenbruch
Indexes:  [Date] [Thread] [Top] [All Lists]