Daily Archives: 8 February 2005

All Your Sp00fs Be P0wn3d by US

Alert 1! Alert 1! Action Message Follows

There is a web-based spoof vulnerability that works on
Opera 7.54u2 and Firefox 1.0, but not IE 6/SP2. The proof of
concept comes from Shmoocon (advisory here and
proof web page here). The
vulnerability allows anyone to spoof *any* domain, including
those with SSL certificates (you know, those with https://
addresses). While viewing the certificate would show the
actual, rather than spoofed site, how many people actually
view the certificates to check the URL?

The spoof also fools Spoofstick
so using that utility will not help you. On SSL sites, too
bad it doesn’t read the certificate and display the site

There are three workarounds (that I know of). Look at the
underlying HTML to see the actual URL. Never click on links
(either on web pages or emails). Instead, type the URL
yourself into your browser. Or lastly, a poster in the
Firefox support forum says to do the following if you are
using Firefox:

The workaround for Firefox seems to be an edit to your

For Windows
c:\Documents and Settings\$USER\Application


Removing the line that references IDN makes the problem
go away. Using Find, there was a single reference for the
UNIX host and 2 for the Win32 host [I found only one in
mine -ed]. Removing the lines and restarting the browser
makes the attack fail regardless of the
about:config/userprefs.js value.

Here’s an example entry.



It works. After making a backup of compreg.dat i


to remark out the line BeesTea mentioned.
Exploit fails

Confirmed on Linux, also.

I can confirm that implementing the above (and clearing
your cache and then shutting down and restarting Firefox)
will keep the browser from going to the spoofed URL but all
you get is an error message saying the paypal.com site cannot
be found. I guess that’s better than nothing but it’s hardly
informative unless you remember this is telling you a site
may be spoofed.

UPDATE: You also need to type “about:config” into the Firefox address bar and find the reference to IDN (use the filter to find the instance of idn). Once found, change the default from “true” to “false” (just double-click on the line to bring up the choice).
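
An added example, not from the original post or the forum thread: a Python check that automates the first workaround above (look at the underlying HTML for the actual URL). It pulls each link's real host out of the HTML, converts IDN labels to the xn-- form that is actually resolved, and flags labels that mix scripts. The sample page and all function names are constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag: the URL behind the link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def to_unicode(label):
    """Decode an xn-- (punycode) label; any other label passes through."""
    if label.isascii() and label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """On-the-wire form of a label: xn-- plus punycode when it is not ASCII."""
    low = label.lower()
    return low if low.isascii() else "xn--" + low.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts of a label's letters, read from the Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def audit_links(html):
    """Return (ascii_host, scripts, verdict) for each link with an IDN host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        labels = [to_unicode(l) for l in (urlsplit(href).hostname or "").split(".")]
        idn = [l for l in labels if not l.isascii()]
        if not idn:
            continue  # plain ASCII host name, nothing hidden in it
        mixed = any(len(scripts(l)) > 1 for l in idn)
        used = sorted(set().union(*map(scripts, idn)))
        ascii_host = ".".join(to_ascii(l) for l in labels)
        findings.append((ascii_host, used, "mixed-script" if mixed else "single-script"))
    return findings

# Constructed sample: link two has Cyrillic U+0430 for "a"; link three is all Greek.
SAMPLE = ('<a href="https://www.example.com/">one</a>'
          '<a href="https://www.ex\u0430mple.com/login">two</a>'
          '<a href="http://\u03b1\u03b2\u03b3.example/">three</a>')
```

Calling `audit_links(SAMPLE)` skips the plain ASCII link, reports the second host as mixed-script, and reports the all-Greek host as single-script, which is the distinction between a look-alike and an ordinary non-Latin site.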

Over at the Opera Forum on this problem, Opera is essentially saying
it’s not their problem to fix and even if they did, the
solution would keep people from using, for example, Greek or
Russian sites (sounds good to me – ed.).

I dunno what I’m going to do about Opera. I understand
their point-of-view. But. If companies have learned nothing
from Microsoft’s stumbling examples, then learn this: IT’S

Mozilla browser showing spoofed URL.


Four on the Floor

So what do you do when you have not one, not two, but four
iPod Shuffles? You create the iPod
of course.

4 iPods attached to hub.