Mozilla / Firefox / Camino IDN Spoofing Security Issue

Discussion in 'other security issues & news' started by ronjor, Feb 7, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Secunia
    Netscape
    Opera
     
  2. dog

    dog Guest

  3. dog

    dog Guest

    Hi All,

    Here's a workaround for Firefox: use about:config and set 'network.enableIDN' : False

    And run the test again. ;)

    EDIT: This workaround will reset after you close FF and leave you unprotected when FF is next launched. Read lynchknot's post below for a better solution.

    Thanks lynchknot

    HTH,

    Steve
     
    Last edited by a moderator: Feb 8, 2005
  4. ronjor

    ronjor Global Moderator

  5. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    does not work - this does: http://forums.mozillazine.org/viewtopic.php?p=1216193&highlight=#1216193

    http://www.dslreports.com/forum/remark,12603456~mode=flat~start=20#12607819

    http://img237.exs.cx/img237/1719/pay0nw.jpg
     
  6. dog

    dog Guest

    It works for me (use about:config and set 'network.enableIDN' : False) ... See screenshot (direct connection / not using Proxomitron)

    Steve
     

  7. lynchknot

    lynchknot Registered Member

    It only works once. Shut down Firefox all the way and try again (it's been reported to only work per session).

    -

    Unless:
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    'network.enableIDN' : False: it doesn't work for me in Firefox or Mozilla 1.7.5.
     
  9. dog

    dog Guest

    Thanks lynchknot ... You are correct. I'll use the method you posted.

    Thanks

    Steve

    PS. I edited my original post regarding the workaround to reflect this.
     
  10. lynchknot

    lynchknot Registered Member

    well, I'm only reporting what I see - credit goes to "BeesTea" at dslreports :cool:
     
  11. dog

    dog Guest

    Last edited by a moderator: Feb 8, 2005
  12. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Up for me ^_^

    Sorry, my server is up and down like a yo-yo. :blink:

    I don't mind ;)

    Thanks for including my pack into this topic :-*

    For those who just want the Proxomitron filter to remove this exploit, here it is:

    Code:
    [Patterns]
    Name = "Spoofed Address Exploit [Kye-U]"
    Active = TRUE
    URL = "(^$TYPE(css))"
    Bounds = "($NEST(<(([a-z]+{1,*})|*=\s),</([a-z]+{1,*})>)|$NEST(<(([a-z]+{1,*})|*=\s),>))"
    Limit = 1024
    Match = "\0://(\1.([a-z]+{2,4})|*.*/)((?%00|(((%|\&#)0[01])+{1,2})))[^/]++[@|%40]\2"
            "|\0://(\1.([a-z]+{2,4})|*.*/)%2F((%20|\s)+{1,*})[^/]++.\2"
            "|\0://(\1.([a-z]+{2,4})|*.*/)%(2F|01)[@|%40]\2"
            "|\0://(\w.|)\w\&#*;\w.([a-z]+{2,4})*"
            "|\0://(*|)xn--*.([a-z]+{2,4})*"
            "$SET(\9=Think you're on Microsoft but you're on Yahoo? This filter will prevent the threat of such a situation."
            ""
            "http://www.securityfocus.com/bid/10517/info/"
            "http://secunia.com/advisories/10395/"
            "http://www.securityfocus.com/bid/10532/info/)"
    Replace = "<strong>[URL Spoofing Exploit Removed]</strong>"
              "$ALERT(URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"
     
  13. lynchknot

    lynchknot Registered Member

    More info (for those not using proxy)

     
  14. lynchknot

    lynchknot Registered Member

    Maybe this needs its own thread? I don't know, but anyway, I'm using this and it works wonderfully so I'm posting:

    Thanks Serlio, looks interesting.

    **edit - wonderful. You can still visit the site but are warned (Japanese sites, or other sites that use IDN characters, still work, instead of disabling IDN altogether)

    http://img239.exs.cx/img239/4042/warn1io.jpg
     
  15. Kye-U

    Kye-U Security Expert

    Looks good! I've fixed up the English a bit:

    Code:
    // Greasemonkey user script: warn once if the current page URL contains any
    // character with a code above 128, i.e. a non-ASCII (IDN) character.
    (function () {
        var hr = document.location.href;
        var alerta = false;   // set once the warning has been shown, so it fires only once

        for (var i = 0; i < hr.length; i++) {
            if ((hr.charCodeAt(i) > 128) && (!alerta)) {
                alert("Phishing Alert!\nThe URL of this page contains IDN characters. It is most likely that the page displayed is not the one you believe you are visiting. It is recommended to exit this page unless you are completely sure about the authenticity of this page.");
                alerta = true;
            }
        }
    })();
    You can update it in:

    C:\Documents and Settings\NAME\Application Data\Mozilla\Firefox\Profiles\o_Oo_O.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\chrome\greasemonkey\content\scripts\1107926373489

    Also I wrote another Proxomitron filter to kill a connection to a spoofed site:

    Code:
    [Patterns]
    Name = "IDN "xn--" URL Remover [Kye-U]"
    Active = TRUE
    URL = "(*.|)xn--"
    Limit = 1
    Match = "?"
    Replace = "\k"
              "<b><font face="sans-serif" color="Red" size="6">Connection Killed - Proxomitron</font>"
              "<br><br><font face="sans-serif" color="Red" size="3">This is an <b>IDN Spoofed</b> Site!"
              "<br><br>Real URL: \u</font></b>"
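
Added example, not Kye-U's or the thread's code: a plain JavaScript check that does what the "xn--" Proxomitron filter and the charCode > 128 Greasemonkey script above do, but decodes the punycode label (RFC 3492) so a warning can show the real Unicode hostname, and distinguishes a label that merely contains non-ASCII (a legitimate Japanese or German IDN, as lynchknot notes) from one that mixes Latin with Cyrillic or Greek letters, the homograph pattern behind this spoof. The sample hostnames and the `inspectHost` / `punycodeDecode` names are constructed for the example.

```javascript
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700; // RFC 3492 parameters
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Decode one A-label body (the part after "xn--"), e.g. "pypal-4ve" -> "p\u0430ypal".
function punycodeDecode(label) {
  const pos = label.lastIndexOf("-");
  const out = pos > 0 ? Array.from(label.slice(0, pos)) : []; // literal ASCII part
  const rest = pos >= 0 ? label.slice(pos + 1) : label;       // encoded insertions
  let n = 128, i = 0, bias = 72, p = 0;
  while (p < rest.length) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) {
      if (p >= rest.length) throw new Error("truncated punycode");
      const c = rest.charCodeAt(p++);
      const digit = c >= 97 ? c - 97 : c >= 65 ? c - 65 : c - 22; // a-z, A-Z, 0-9
      if (digit < 0 || digit >= BASE) throw new Error("bad punycode digit");
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, String.fromCodePoint(n)); // insert code point n at position i
  }
  return out.join("");
}
// Decode every xn-- label of a hostname and list the reasons it deserves a warning.
function inspectHost(host) {
  const labels = host.toLowerCase().split(".").map((l) => (l.startsWith("xn--") ? punycodeDecode(l.slice(4)) : l));
  const reasons = [];
  for (const l of labels) {
    if (/[^\x00-\x7f]/.test(l)) reasons.push(`non-ASCII label "${l}"`); // what the charCode > 128 script checks
    if (/\p{Script=Latin}/u.test(l) && /\p{Script=Cyrillic}|\p{Script=Greek}/u.test(l))
      reasons.push(`mixed-script label "${l}"`); // the homograph pattern itself
  }
  return { unicode: labels.join("."), suspicious: reasons.length > 0, reasons };
}

console.log(inspectHost("www.xn--pypal-4ve.com")); // constructed sample: Cyrillic U+0430 in place of "a"
```

A label such as "xn--mnchen-3ya" decodes to a Latin-only name and gets only the non-ASCII reason, which is the case the plain xn-- filter cannot tell apart from a spoof.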
     
  16. dog

    dog Guest

    Agreed :) Nice find lynchknot ;) Thanks

    Thanks too Kye-U ... I'll update it in a moment ;)

    Steve

    Edit: Updated screenshot ... after editing the script ... the screenshot now shows Kye-U's language update. ;)
     

    Last edited by a moderator: Feb 9, 2005
  17. Kye-U

    Kye-U Security Expert

    I find it great when web users come together and fight against browser vulnerabilities and exploits ^_^

    Dog, it's just some minor changes :D

    BTW, here's something else I stumbled on at DSLReports:

    A fix posted on MozillaZine.org for Firefox:

     
    Last edited: Feb 9, 2005
  18. dog

    dog Guest

    Major or Minor ... every effort is to be appreciated. With thanks given accordingly ;)

    ^_^
     
  19. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've already read your first post, Spanner.
    But if someone missed it, he could be informed here. ;)

    At the following link, some PDF papers are available about web application attacks, such as:

    *Security Best Practice: Host Naming and URL Conventions (quite technical but very interesting),

    *The Phishing Guide.

    http://www.ngssoftware.com/papers.htm

    Thanks for the fight against those dangerous attacks.

    Regards
     
  20. lynchknot

    lynchknot Registered Member

  21. Ronin

    Ronin Guest

    Nice links. Not that technical really, I think it should be accessible to most people on this forum.
     
  22. kareldjag

    kareldjag Registered Member

    Hi,

    ***I know there are many advanced users on this forum.
    But I always have a thought for newbies and ordinary users. ;)

    ***It's difficult to prevent those kinds of attacks.

    Spoofstick is not a radical solution. It's also possible to "spoof" it! ;)
    It's the same for DNS, TCP, IP, UDP, ARP, URL...

    What a great Web world, where everything is spoofed! :( ;)

    The only positive thing is that the more advanced the attack, the less frequent it is (particularly against home users).

    Regards
     
  23. Ronin

    Ronin Guest

    OMG. On the behalf of everyone on Wilders, I sincerely thank you for this. Without you the rest of us would never have read about this in oh about a billion other places. :)
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Ronin, glad to see you are sharp again today :D

    you must be one extremely focussed guy :)
     