Spoofing vulnerability?

Discussion in 'Firefox' started by Carmen Gauvin-O'Donnell, Feb 8, 2005.

  1. Anyone know anything about the spoofing vulnerability in non-IE browsers
    (described in the Tourbus e-mail this week?)

    I take it Mozilla is dealing with it?

    Carmen
     
    Carmen Gauvin-O'Donnell, Feb 8, 2005
    #1

  2. mike555 Guest

    Carmen Gauvin-O'Donnell wrote:
    > Anyone know anything about the spoofing vulnerability in non-IE
    > browsers
    > (described in the Tourbus e-mail this week?)
    >
    > I take it Mozilla is dealing with it?
    >
    > Carmen


    ==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====
     
    mike555, Feb 9, 2005
    #2

  3. On 2005-02-09, mike555 <> wrote:

    > Carmen Gauvin-O'Donnell wrote:
    >> Anyone know anything about the spoofing vulnerability in non-IE
    >> browsers
    >> (described in the Tourbus e-mail this week?)
    >>
    >> I take it Mozilla is dealing with it?
    >>
    >> Carmen
    >
    >==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====


    There's an easier way to fix it: type about:config in the URL bar, filter
    on "IDN" and toggle the value for "network.enableIDN" to "false"

    --

    -John ()
     
    John Thompson, Feb 10, 2005
    #3
  4. John Thompson wrote:
    > On 2005-02-09, mike555 <> wrote:
    >
    >
    >>Carmen Gauvin-O'Donnell wrote:
    >>
    >>>Anyone know anything about the spoofing vulnerability in non-IE
    >>>browsers
    >>>(described in the Tourbus e-mail this week?)
    >>>
    >>>I take it Mozilla is dealing with it?
    >>>
    >>>Carmen
    >>
    >>==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====
    >
    >
    > There's an easier way to fix it: type about:config in the URL bar, filter
    > on "IDN" and toggle the value for "network.enableIDN" to "false"
    >


    This works if you are running Mozilla 1.8a6 or later, or a Firefox
    nightly build from about mid January on.

    With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
    including myself, find that while changing the pref in about:config, it
    does not survive a restart of the program. The pref stays "false", but
    the browser still fails the test page at Secunia.

    http://secunia.com/multiple_browsers_idn_spoofing_test/

    Lee
     
    Leonidas Jones, Feb 10, 2005
    #4
  5. Ed Mullen Guest

    Leonidas Jones wrote:

    > John Thompson wrote:
    >
    >> On 2005-02-09, mike555 <> wrote:
    >>
    >>
    >>> Carmen Gauvin-O'Donnell wrote:
    >>>
    >>>> Anyone know anything about the spoofing vulnerability in non-IE
    >>>> browsers
    >>>
    >>>> (described in the Tourbus e-mail this week?)
    >>>>
    >>>> I take it Mozilla is dealing with it?
    >>>>
    >>>> Carmen
    >>>
    >>>
    >>> ==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====
    >>
    >>
    >> There's an easier way to fix it: type about:config in the URL bar,
    >> filter on "IDN" and toggle the value for "network.enableIDN" to "false"
    >>
    >
    > This works if you are running Mozilla 1.8a6 or later, or a Firefox
    > nightly build from about mid January on.
    >
    > With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
    > including myself, find that while changing the pref in about:config, it
    > does not survive a restart of the program. The pref stays "false", but
    > the browser still fails the test page at Secunia.
    >
    > http://secunia.com/multiple_browsers_idn_spoofing_test/
    >
    > Lee


    The simplest and best fix yet is described at:
    http://edmullen.net/Mozilla/moz_idn.html

    Tested on and works for Mozilla, Firefox, and Opera.

    --
    Ed Mullen
    http://edmullen.net
    http://edmullen.net/moz.html
    The gene pool sure could use a little chlorine.
     
    Ed Mullen, Feb 12, 2005
    #5
  6. Ed Mullen wrote:
    > Leonidas Jones wrote:
    >
    >> John Thompson wrote:
    >>
    >>> On 2005-02-09, mike555 <> wrote:
    >>>
    >>>
    >>>> Carmen Gauvin-O'Donnell wrote:
    >>>>
    >>>>> Anyone know anything about the spoofing vulnerability in non-IE
    >>>>> browsers
    >>>>
    >>>>> (described in the Tourbus e-mail this week?)
    >>>>>
    >>>>> I take it Mozilla is dealing with it?
    >>>>>
    >>>>> Carmen
    >>>>
    >>>>
    >>>>
    >>>> ==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====
    >>>
    >>>
    >>>
    >>>
    >>> There's an easier way to fix it: type about:config in the URL bar,
    >>> filter on "IDN" and toggle the value for "network.enableIDN" to "false"
    >>>
    >>
    >> This works if you are running Mozilla 1.8a6 or later, or a Firefox
    >> nightly build from about mid January on.
    >>
    >> With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
    >> including myself, find that while changing the pref in about:config,
    >> it does not survive a restart of the program. The pref stays "false",
    >> but the browser still fails the test page at Secunia.
    >>
    >> http://secunia.com/multiple_browsers_idn_spoofing_test/
    >>
    >> Lee
    >
    >
    > The simplest and best fix yet is described at:
    > http://edmullen.net/Mozilla/moz_idn.html
    >
    > Tested on and works for Mozilla, Firefox, and Opera.
    >


    That is a good one. I found that for versions which won't hold the
    about:config mods, using Adblock's site blocking capabilities works very
    well, and it is easily reversible. Of course, you do need the Adblock
    extension, but it's become a very common one.

    Lee
     
    Leonidas Jones, Feb 12, 2005
    #6
  7. Z Guest

    John Thompson wrote:
    > There's an easier way to fix it: type about:config in the URL bar, filter
    > on "IDN" and toggle the value for "network.enableIDN" to "false"


    This site claims two additional vulnerabilities in FF, one that allows a
    site to secretly change that about:config setting:

    http://habaneronetworks.com/viewArticle.php?ID=134
    ....
    Fireflashing: The description for this vulnerability demonstrates
    changes to the about:config (the configuration page for Firefox) without
    the knowledge of the computer user. An example exists in which
    about:config is unknowingly open under the current window, so that when
    the user clicks in a designated area on the form, values can be changed
    on the hidden about:config page beneath it. Thus if a malicious website
    had a game, then when you double-clicked on a certain area of the game
    area, say to move a game piece, a value could be changed in a hidden
    about:config window that had popped up under the game, without your
    knowledge.

    Of all the vulnerabilities described, the last one, 'Fireflashing', is by
    far the most serious. Just the other day, I warned on this site about a
    vulnerability in Firefox, Opera and others that utilized a hole in
    Internationalized Domain Names. I instructed users on how to correct the
    problem by changing a value in about:config. If a malicious site decided
    to change that value back again, then utilize the flaw, it could prove
    quite serious.
     
    Z, Feb 12, 2005
    #7
  8. On 2005-02-12, Ed Mullen <> wrote:

    > The simplest and best fix yet is described at:
    > http://edmullen.net/Mozilla/moz_idn.html
    >
    > Tested on and works for Mozilla, Firefox, and Opera.


    How will this work if you already have a proxy defined in your settings? Is
    there some way to chain it to the existing proxy?

    --

    John ()
     
    John Thompson, Feb 13, 2005
    #8
  9. On 2005-02-12, Leonidas Jones <> wrote:

    > That is a good one. I found that for versions which won't hold the
    > about:config mods, using Adblock's site blocking capabilities works very
    > well, and it is easily reversible. Of course, you do need the Adblock
    > extensions, but its become a very common one.


    According to:

    http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

    you can use AdBlock to filter Unicode characters from URLs, thereby
    preventing the IDN exploit:

    1. Install the Adblock Firefox extension.
    https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

    2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

    3. Tick 'Site Blocking'

    4. Add the following filter :-
    /[^\x20-\xFF]/

    This will block any URL that uses characters outside the normal ASCII
    range.

    My question: in step four, is the hyphen on the first line part of the
    filter, or not?

    --

    John ()
     
    John Thompson, Feb 13, 2005
    #9
  10. John Thompson wrote:
    > On 2005-02-12, Leonidas Jones <> wrote:
    >
    >
    >>That is a good one. I found that for versions which won't hold the
    >>about:config mods, using Adblock's site blocking capabilities works very
    >>well, and it is easily reversible. Of course, you do need the Adblock
    >>extensions, but its become a very common one.
    >
    >
    > According to:
    >
    > http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html
    >
    > you can use AdBlock to filter unicode characters from urls thereby
    > preventing the IDN exploit:
    >
    > 1. Install the Adblock Firefox extension.
    > https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10
    >
    > 2. Look at the Adblock 'Preferences' and go to 'Adblock Options'
    >
    > 3. Tick 'Site Blocking'
    >
    > 4. Add the following filter :-
    > /[^\x20-\xFF]/
    >
    > This will block any URL that uses characters outside the normal ASCII
    > range.
    >
    > My question: in step four, is the hyphen on the first line part of the
    > filter, or not?
    >


    /[^\x20-\xFF]/

    No it is not. The above is all you need.

    Lee
     
    Leonidas Jones, Feb 13, 2005
    #10
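    As an added illustration (not part of posts #9 or #10 above), the following
    JavaScript applies the site-blocking pattern from the thread,
    /[^\x20-\xFF]/, to a few constructed URLs and puts a stricter
    printable-ASCII-only pattern beside it. The point for a defender: the
    thread's pattern matches any character above U+00FF, so it catches a
    Cyrillic look-alike letter, but it lets Latin-1 letters such as e-acute
    (U+00E9) through, and it cannot match a host name the browser has already
    converted to its ASCII Punycode form ("xn--..."). The sample URLs are
    constructed for this example.

```javascript
// Added example, not from the thread. Compares the Adblock site-blocking
// filter given in the posts with a stricter printable-ASCII-only pattern.

var THREAD_FILTER = /[^\x20-\xFF]/;  // the pattern posted in the thread
var ASCII_ONLY    = /[^\x20-\x7E]/;  // anything outside printable ASCII

function matchesThreadFilter(url) { return THREAD_FILTER.test(url); }
function matchesAsciiOnly(url)    { return ASCII_ONLY.test(url); }

// Constructed sample URLs:
//  [0] plain ASCII host
//  [1] Cyrillic small a (U+0430) in place of the Latin a
//  [2] Latin-1 e-acute (U+00E9), which is inside \x20-\xFF
//  [3] a Punycode (ACE) label, i.e. pure ASCII; the label itself is made up
var SAMPLES = [
  "http://www.paypal.com/",
  "http://www.p\u0430ypal.com/",
  "http://caf\u00e9.com/",
  "http://xn--sample-label.com/"
];

// Returns one verdict object per URL: which of the two patterns would block it.
function classify(urls) {
  var out = [];
  for (var i = 0; i < urls.length; i++) {
    out.push({
      url: urls[i],
      threadFilter: matchesThreadFilter(urls[i]),
      asciiOnly: matchesAsciiOnly(urls[i])
    });
  }
  return out;
}

// Stand-alone run: print the verdict table.
var verdicts = classify(SAMPLES);
for (var k = 0; k < verdicts.length; k++) {
  console.log(verdicts[k].url,
              "thread filter:", verdicts[k].threadFilter,
              "ascii-only:", verdicts[k].asciiOnly);
}
```

    Whether a filter like this sees the Unicode host or its Punycode form
    depends on how the browser hands the URL to the extension, so a
    practitioner would want to confirm the behaviour against the Secunia test
    page rather than trust the pattern on its own.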
  11. Ed Mullen Guest

    John Thompson wrote:

    > On 2005-02-12, Ed Mullen <> wrote:
    >
    >
    >>The simplest and best fix yet is described at:
    >>http://edmullen.net/Mozilla/moz_idn.html
    >>
    >>Tested on and works for Mozilla, Firefox, and Opera.
    >
    >
    > How will this work if you already have a proxy defined in your settings? Is
    > there some way to chain it to the existing proxy?
    >


    Excellent question. I have no idea. But you could email the folks at
    Scovetta Labs (link is on my page cited above) and ask. If you get an
    answer we'd all love to see a reply here!

    --
    Ed Mullen
    http://edmullen.net
    http://edmullen.net/moz.html
    Why do people leave cars worth tens of thousands of dollars in the
    driveway and leave useless things and junk in boxes in the garage?
     
    Ed Mullen, Feb 14, 2005
    #11
  12. Hi guys!
    Yes, you can certainly chain the setting into your existing
    proxy-setup. The entire idea of using a proxy.pac file is pretty
    simple, though not many docs exist on it-- here's one:
    http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

    Here's the deal. The proxy.pac file is *just* a JavaScript file that
    your browser executes each time it loads a URL (before it actually
    loads it). The important function is:

    function FindProxyForURL(url, host) {
    }

    This function returns either the string "DIRECT", meaning, 'don't go
    through a proxy server', "PROXY host:port", or "SOCKS host:port" to go
    through a proxy server.

    What the IDNproxy.pac does is simply say:
    If the host contains any "invalid" character, then use the proxy server
    "127.0.0.1:9999", which is your own machine, on port 9999. You obviously
    don't have a proxy server running on your own machine, so the request
    times out, and you get an error. You can easily add that check and
    redirect to the top of your own proxy.pac file for your network.

    If you're going straight to a proxy server (instead of an
    auto-configuration file), you can add a very simple change to the
    IDNproxy.pac file:

    /**
     * Proxy.pac workaround -- by Michael Scovetta
     * Scovetta Labs
     * www.scovettalabs.com/advisory/SCL-2005.002.txt
     */

    function FindProxyForURL(url, host) {
        // only lower-case letters, digits, dot and hyphen are allowed in a host name
        var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";
        var lowerHost = host.toLowerCase();
        for (var i = 0; i < lowerHost.length; i++) {
            if (validChars.indexOf(lowerHost.charAt(i)) == -1) {
                alert('Invalid character(s) in host name.');
                // send the request to a local port where nothing is listening
                return "PROXY 127.0.0.1:9999";
            }
        }

        // change this last line to your normal proxy settings
        return "PROXY YourNormalProxyServer:port";
    }

    As the link above shows, you can have a very complicated setup-- you
    can pump the request to separate proxy servers if it's FTP vs HTTP, or
    on other ports, or even specific URLs. If you've got other questions,
    you can email them to me (via the feedback form on scovettalabs.com)--
    or post it here.

    Regards,

    Michael Scovetta
    Scovetta Labs
     
    michael scovetta, Feb 14, 2005
    #12
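    The following is an added example, not Scovetta Labs' IDNproxy.pac and not
    code from the thread. It shows the chaining Michael describes in post #12:
    the IDN host check sits at the top of FindProxyForURL, intranet hosts go
    DIRECT, and everything else is handed to the existing proxy. The proxy
    name proxy.example.internal:3128 and the intranet suffix
    .corp.example.internal are assumptions for the example. It also goes one
    step beyond the post's check: a host name that the browser has already
    converted to Punycode ("xn--" label, RFC 3490) is pure ASCII and would
    pass the character allowlist, so it is caught separately. The alert()
    call is guarded so the same file also runs under a plain JavaScript
    engine, where alert() does not exist.

```javascript
// Added example (not the thread's or Scovetta Labs' code): a proxy.pac that
// chains the IDN host check to an existing proxy configuration.
// Assumed values: the normal proxy is proxy.example.internal:3128 and hosts
// under .corp.example.internal are reached directly (both hypothetical).

var NORMAL_PROXY = "PROXY proxy.example.internal:3128"; // assumed corporate proxy
var DEAD_END     = "PROXY 127.0.0.1:9999";              // nothing listens here, so the request fails
var VALID_CHARS  = "abcdefghijklmnopqrstuvwxyz0123456789.-";

// Returns true when the host name contains a character outside the
// letters-digits-dot-hyphen allowlist (case-insensitive).
function hasInvalidHostChars(host) {
  var lowerHost = host.toLowerCase();
  for (var i = 0; i < lowerHost.length; i++) {
    if (VALID_CHARS.indexOf(lowerHost.charAt(i)) === -1) {
      return true;
    }
  }
  return false;
}

// Returns true when any DNS label is already in Punycode (ACE) form, i.e.
// starts with "xn--". Such a host is pure ASCII and passes the allowlist,
// so it has to be caught here.
function hasPunycodeLabel(host) {
  var labels = host.toLowerCase().split(".");
  for (var i = 0; i < labels.length; i++) {
    if (labels[i].indexOf("xn--") === 0) {
      return true;
    }
  }
  return false;
}

// String.prototype.endsWith is missing from older PAC engines, so use a helper.
function endsWith(str, suffix) {
  return str.length >= suffix.length &&
         str.substring(str.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  // 1. IDN check first, so it applies to every request regardless of route.
  if (hasInvalidHostChars(host) || hasPunycodeLabel(host)) {
    // Firefox's PAC sandbox provides alert() for logging; guard it so the
    // file also runs where alert() is undefined.
    if (typeof alert === "function") {
      alert("Blocked host with non-ASCII or Punycode name: " + host);
    }
    return DEAD_END;
  }
  // 2. Plain (dotless) host names and the intranet domain bypass the proxy.
  if (host.indexOf(".") === -1 || endsWith(host.toLowerCase(), ".corp.example.internal")) {
    return "DIRECT";
  }
  // 3. Everything else goes through the normal proxy.
  return NORMAL_PROXY;
}

// Stand-alone run with constructed host names (the Cyrillic a is U+0430).
console.log(FindProxyForURL("http://example.com/", "example.com"));
console.log(FindProxyForURL("http://p\u0430ypal.com/", "p\u0430ypal.com"));
console.log(FindProxyForURL("http://xn--sample-label.com/", "xn--sample-label.com"));
console.log(FindProxyForURL("http://wiki.corp.example.internal/", "wiki.corp.example.internal"));
```

    Because the check runs before any routing decision, it also covers the
    "straight to a proxy" case from the post: replace NORMAL_PROXY with your
    own "PROXY host:port" string and point the browser at this file as its
    automatic proxy configuration.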
  13. Ed Mullen Guest

    michael scovetta wrote:
    > Hi guys!
    > Yes, you can certainly chain the setting into your existing
    > proxy-setup. The entire idea of using a proxy.pac file is pretty
    > simple, though not many docs exist on it-- here's one:
    > http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
    >
    > Here's the deal. The proxy.pac file is *just* a JavaScript file that
    > your browser executes each time it loads a URL (before it actually
    > loads it). The important function is:
    >
    > function FindProxyForURL(url, host) {
    > }
    >
    > This function returns either the string "DIRECT", meaning, 'don't go
    > through a proxy server', "PROXY host:port", or "SOCKS host:port" to go
    > through a proxy server.
    >
    > What the IDNproxy.pac does is simply say:
    > If the host contains any "invalid" character, then use the proxy server
    > "127.0.01:9999", which your own machine, on port 9999. You obviously
    > don't have a proxy server running on your own machine, so the request
    > times out, and you get an error. You can easily add that check and
    > redirect to the top of your own proxy.pac file for your network.
    >
    > If you're going straight to a proxy server (instead of an
    > auto-configuration file), you can add a very simple change to the
    > IDNproxy.pac file:
    >
    > /**
    > * Proxy.pac workaround -- by Michael Scovetta
    > * Scovetta Labs
    > * www.scovettalabs.com/advisory/SCL-2005.002.txt
    > */
    >
    > function FindProxyForURL(url, host){
    > var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";
    > var lowerHost = host.toLowerCase();
    > for (i=0; i<lowerHost.length; i++) {
    > if (validChars.indexOf(lowerHost.charAt(i)) == -1) {
    > alert('Invalid character(s) in host name.');
    > return "PROXY 127.0.0.1:9999";
    > }
    > }
    >
    > // change this last line to your normal proxy settings
    > return "PROXY YourNormalProxyServer:port";
    > }
    >
    > As the link above shows, you can have a very complicated setup-- you
    > can pump the request to separate proxy servers if it's FTP vs HTTP, or
    > on other ports, or even specific URLs. If you've got other questions,
    > you can email them to me (via the feedback form on scovettalabs.com)--
    > or post it here.
    >
    > Regards,
    >
    > Michael Scovetta
    > Scovetta Labs
    >


    Michael, thank you for this post. Of all the various workarounds for
    this vulnerability yours is, in my estimation, the simplest and least
    intrusive, and the most easily reversed once a "fixed" release of the
    Mozilla-based browsers comes out. Your contribution is much appreciated.

    FYI, I have included your "fix" on my Web pages
    (http://edmullen.net/Mozilla/moz_idn.html). I'll update it tomorrow to
    reflect the update in this post.

    --
    Ed Mullen
    http://edmullen.net
    http://edmullen.net/moz.html
    A bird in the hand makes it difficult to blow your nose.
     
    Ed Mullen, Feb 14, 2005
    #13
