Mozilla / Firefox / Camino IDN Spoofing Security Issue

ronjor · #1 February 7th, 2005, 11:33 AM

Quote:

Eric Johanson has reported a security issue in Mozilla / Firefox / Camino, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Secunia
Netscape
Opera

#2 February 7th, 2005, 11:38 AM

Test your browser vulnerability -> http://secunia.com/multiple_browsers_idn_spoofing_test/

#3 February 7th, 2005, 10:47 PM

Hi All,

Here's a Work around for FireFox: Use about:config and set 'network.enableIDN' : False

And run the Test again.

EDIT: This Work Around will reset after you close FF, and leave you unprotected when FF is next launched. Read lynchknot Post Below, for a better solution.

Thanks lynchknot

HTH,

Steve

ronjor · #4 February 7th, 2005, 11:01 PM

Firefox support forum sticky.

Firefox Support Forums

lynchknot · #5 February 7th, 2005, 11:13 PM

does not work - this does: http://forums.mozillazine.org/viewto...light=#1216193

http://www.dslreports.com/forum/rema...rt=20#12607819

Quote:

The workaround for firefox seems to be an edit to your compreg.dat.

For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Cheers,
-BeesT

Quote:

It works. After making a backup of compreg.dat i placed

#

to remark out the line BeesTea See Profile mentioned. Exploit fails

Quote:

Confirmed on Linux, also.

Thanks again, BeesTea

http://img237.exs.cx/img237/1719/pay0nw.jpg

#6 February 7th, 2005, 11:45 PM

It works for me (Use about:config and set 'network.enableIDN' : False) ... See ScreenShot (diect connection / not using Proxomitron)

Steve

lynchknot · #7 February 7th, 2005, 11:56 PM

It only works once. Shut down Firefox all the way and try again (it's been reported as only works per session)

Quote:

I've also tried the work around (about:config, setting enableIDN to false). This only works while Firefox is running. Once it restarts IDN works even though the setting is still false. You have to enable and re disable each time you run Firefox. It looks like a bug in Firefox's initialisation.http://forums.mozillazine.org/viewto...age=15&start=0

-

Unless:

Quote:

It is fixed in recent nightly builds, I'm using one dated 06/02/2005, and IDN stays disabled when it restarts

bigc73542 · #8 February 7th, 2005, 11:59 PM

'network.enableIDN' : False It doesn't work for me in firefox or mozilla 1.7.5

#9 February 8th, 2005, 12:02 AM

Quote:

Originally Posted by lynchknot

It only works once. Shut down Firefox all the way and try again (it's been reported as only works per session)

Thanks lynchknot ... You are correct. I'll use the method you posted.

Thanks

Steve

Ps. I edited my original Post regard the work around to reflect this.

lynchknot · #10 February 8th, 2005, 12:15 AM

Quote:

Originally Posted by dog

Thanks lynchknot ... You are correct. I'll use the method you posted.

well, I'm only reporting what I see - credit goes to "BeesTea" at dslreports

#11 February 8th, 2005, 12:28 AM

Just added info ... Kye-U's Filters V4.30 for Proxomitron also prevent this exploit.

Kye-U's Forum (link to post) - http://www.kye-u.com/proxo/forums/in...225&#entry3846
Direct Download of Kye-U's V4.30 .cfg ~Zipped~ - http://www.kye-u.com/proxo/dp/download.php?file=18
(I hope, you don't mind me posting a direct link Kye-U)

Steve

Edit - The Forum is up

It was a bad link I posted. Sorry Kye-U.

Kye-U · #12 February 8th, 2005, 12:40 AM

Quote:

Originally Posted by dog

Just added info ... Kye-U's Filters V4.30 for Proxomitron also prevent this exploit.

Kye-U's Forum (link to post) - http://www.kye-u.com/proxo/forums/i...ic=131&st=225&#
Direct Download of Kye-U's V4.30 .cfg ~Zipped~ - http://www.kye-u.com/proxo/dp/download.php?file=18
(I hope, you don't mind me posting a direct link Kye-U)

Steve

Edit: Sorry Kye-U's Forums seem to be down at the moment.

Up for me ^_^

Sorry, my server is up and down like a yo-yo.

I don't mind

Thanks for including my pack into this topic

For those who just want the Proxomitron filter to remove this exploit, here it is:

Code:

[Patterns]
Name = "Spoofed Address Exploit [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "($NEST(<(([a-z]+{1,*})|*=\s),</([a-z]+{1,*})>)|$NEST(<(([a-z]+{1,*})|*=\s),>))"
Limit = 1024
Match = "\0://(\1.([a-z]+{2,4})|*.*/)((?%00|(((%|\&#)0[01])+{1,2})))[^/]++[@|%40]\2"
        "|\0://(\1.([a-z]+{2,4})|*.*/)%2F((%20|\s)+{1,*})[^/]++.\2"
        "|\0://(\1.([a-z]+{2,4})|*.*/)%(2F|01)[@|%40]\2"
        "|\0://(\w.|)\w\&#*;\w.([a-z]+{2,4})*"
        "|\0://(*|)xn--*.([a-z]+{2,4})*"
        "$SET(\9=Think you're on Microsoft but you're on Yahoo? This filter will prevent the threat of such a situation."
        ""
        "http://www.securityfocus.com/bid/10517/info/"
        "http://secunia.com/advisories/10395/"
        "http://www.securityfocus.com/bid/10532/info/)"
Replace = "<strong>[URL Spoofing Exploit Removed]</strong>"
          "$ALERT(URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"

lynchknot · #13 February 8th, 2005, 01:03 AM

More info (for those not using proxy)

Quote:

Isn't compreg.dat re-created anytime you install a new plugin/extension installed ? and wouldn't that overwrite the old file with the commented out line (not sure if FF respects the readonly attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as i'm not really all that concerned with the IDN issue (based on my browsing habits)...

Quote:

well i got a chance to test... and unless u make the file readonly the edit will be OVERwritten on new plugin/extension installation. also keeping readonly may prevent your newly installed extension/plugin from registering properly... SO... make sure reedit the file after extension/plugin installation....

lynchknot · #14 February 8th, 2005, 11:36 PM

Maybe this needs it's own thread? I don't know but anyway, i'm using this and it works wonderfully so i'm posting:

Quote:

Originally Posted by Serlio

Another temporal workaround:

1. Install the extension Greasemonkey

2. Don't forget to restart Firefox to complete the extension installation.

3. Right click this link (DON'T FOLLOW THE LINK): IDN patch script and click "Install User Script..."

4. A window will appear. Press OK.

Finished. It will raise an alert when the URL contains IDN characters.

English language is not my best, so translation errors advices will be welcome

Thanks Serlio, looks interesting.

**edit - wonderful. you can still visit site but are warned (Japanese sites - or sites that use IDN characters work - instead of disabling IDN altogether)

http://img239.exs.cx/img239/4042/warn1io.jpg

Kye-U · #15 February 9th, 2005, 12:23 AM

Looks good! I've fixed up the english a bit:

Code:

(function (){
    var hr=document.location.href;
    var alerta=false;
    
    for (var i=0; i<hr.length; i++) {
    
        if ((hr.charCodeAt(i)>128) && (!alerta)) {
        
            alert("Phishing Alert!\nThe URL of this page contains IDN characters. It is most likely that the page displayed is not the one you believe you are visiting. It is recommended to exit this page unless you are completely sure about the authenticity of this page.");
            
            alerta=true;
            
        }
    
    }
})();

You can update it in:

C:\Documents and Settings\NAME\Application Data\Mozilla\Firefox\Profiles\

.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\chrome\greasemonkey\content\scripts\1107926373489

Also I wrote another Proxomitron filter to kill a connection to a spoofed site:

Code:

[Patterns]
Name = "IDN "xn--" URL Remover [Kye-U]"
Active = TRUE
URL = "(*.|)xn--"
Limit = 1
Match = "?"
Replace = "\k"
          "<b><font face="sans-serif" color="Red" size="6">Connection Killed - Proxomitron</font>"
          "<br><br><font face="sans-serif" color="Red" size="3">This is an <b>IDN Spoofed</b> Site!"
          "<br><br>Real URL: \u</font></b>"

#16 February 9th, 2005, 12:30 AM

Agreed

Nice find lynchknot

Thanks

Thanks too Kye-U ... I'll up date it in a moment

Steve

Edit: Updated Screen Shot ... after editing the script ... Screen Shot now showing Kye-U's language update.

Kye-U · #17 February 9th, 2005, 12:34 AM

I find it great when web users come together and fight against browser vulnerabilities and exploits ^_^

Dog, it's just some minor changes

BTW, here's something else I stumbled on at DSLReports:

A fix posted on MozillaZine.org for Firefox:

Quote:

Originally Posted by KevinMillican

A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/morei...s=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

#18 February 9th, 2005, 02:01 AM

Quote:

Originally Posted by Kye-U

Dog, it's just some minor changes

Major or Minor ... every effort is to be appreciated. With thanks given accordingly

^_^

kareldjag · #20 February 9th, 2005, 08:20 AM

Hi,

I've already read your first post, Spanner.
But if someone missed it, he could be informed here.

On the next link, some pdf papers are available about web applications attacks like:

*Security Best Practice:Host Naming and URL Conventions (quite technical but very interesting),

*The Phishing Guide.

http://www.ngssoftware.com/papers.htm

Thanks for the fight against those dangerous attacks.

Regards

lynchknot · #21 February 9th, 2005, 01:40 PM

Although I do not like to have another toolbar added to my browser some may want the updated spoofstick: http://www.jarnot.com/mt/archives/20...ox_spoof_s.php

http://img204.exs.cx/img204/4094/homo4ad.png

#23 February 10th, 2005, 03:01 AM

Quote:

Originally Posted by kareldjag

Hi,

On the next link, some pdf papers are available about web applications attacks like:

*Security Best Practice:Host Naming and URL Conventions (quite technical but very interesting),

*The Phishing Guide.

http://www.ngssoftware.com/papers.htm

Thanks for the fight against those dangerous attacks.

Regards

Nice links. Not that technical really, I think it should be accessible to most people on this forum.

kareldjag · #24 February 10th, 2005, 04:37 AM

Hi,

***I know there's many advanced users on this forum.
But i always have a thought for newbies and classicals users.

***It's difficult to prevent those kind of attacks.

Spoofstick is not a radical solution.It's also possible to "spoof" it!

It's also the same for DNS, TCP, IP, UDP, ARP, URL...

What a great world Web where everything is spoofed!

The only positive thing is that :the more advanced is the attack, the less frequent she is (particularly against home users).

Regards

#25 February 10th, 2005, 08:01 AM

Quote:

Originally Posted by Spanner intheWorks

Hi kareldjag, glad you've read it and done, n Yeah it DOES work doesn't it ! It's my Pleasure to be the first to bring it ppls attention on here at Wilders ! And to bring a sigh of relief to All the firefox users who also read and it ! Don't worry i'll be keeping both eyes n ears out for more tips n advice for firefox, IE and PCs to pass on to you All, and help whenever i can.

OMG. On the behalf of everyone on Wilders, I sincerely thank you for this. Without you the rest of us would never have read about this in oh about a billion other places.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search