
[CVE-2017-5451] Addressbar spoofing with onblur event

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5451


Announced: April 19, 2017
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 53


  • Description:

A mechanism to spoof the addressbar through the user interaction on the addressbar and the onblur event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar.


Vulnerability demonstration (video):


[CVE-2017-5452] Addressbar spoofing during scrolling with editable content on Firefox for Android

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5452


Announced: April 19, 2017
Reporter: Jordi Chancel
Impact: Low
Products: Firefox
Fixed in: Firefox 53


  • Description:

Malicious sites can display a spoofed addressbar on a page when the existing location bar on the new page is scrolled out of view if an HTML editable page element is user selected.


Note: This attack only affects Firefox for Android. Other operating systems are not affected.


Vulnerability demonstration (video):


[CVE-2017-5041] Google Chrome Location Bar URL & SSL Spoofing in Omnibox


Address spoofing in Omnibox (URL & SSL Spoofing)


Announced: March 9, 2017
Reporter: Jordi Chancel
Impact: Moderate
Products: Google Chrome
Fixed in: Google Chrome 57.0.2987.98


  • Description:

Google Chrome before 57.0.2987.98 does not properly handle ********, which allows remote attackers to spoof the Location Bar (URL and SSL indicator) via unspecified vectors.


Note: This issue also affects Google Chrome for iOS.


Vulnerability demonstration (video):


[CVE-2017-5394] Android location bar spoofing using fullscreen and JavaScript events


Announced: January 24, 2017
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 51


  • Description:

A location bar spoofing attack in which the location bar of the loaded page is shown over the content of another tab, due to a series of JavaScript events combined with fullscreen mode.


Note: This issue only affects Firefox for Android. Other operating systems are not affected.


Vulnerability demonstration (video):


[CVE-2017-5395] Android location bar spoofing during scrolling


Announced: January 24, 2017
Reporter: Jordi Chancel
Impact: Low
Products: Firefox
Fixed in: Firefox 51


  • Description:

Malicious sites can display a spoofed location bar on a subsequently loaded page when the existing location bar on the new page is scrolled out of view if navigations between pages can be timed correctly.


Note: This issue only affects Firefox for Android. Other operating systems are not affected.


Vulnerability demonstration (video):


[CVE-2016-5298] SSL indicator can mislead the user about the real URL visited


Announced: November 15, 2016
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 50


  • Description:

Security researcher Jordi Chancel reported a mechanism where disruption of the loading of a new web page can cause the previous page’s favicon and SSL indicator to not be reset when the new page is loaded.


Note: This issue only affects Firefox for Android. Desktop Firefox is unaffected.


Vulnerability demonstration (video):


[CVE-2016-2822] Addressbar spoofing through the SELECT element


Announced: June 7, 2016
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox, Firefox ESR
Fixed in: Firefox 47, Firefox ESR 45.2

  • Description:

Security researcher Jordi Chancel reported a method to spoof the contents of the addressbar. This uses a persistent menu within a <select> element, which acts as a container for HTML content and can be placed in an arbitrary location.
When placed over the addressbar, this can mask the true site URL, allowing for spoofing by a malicious site.


  • Introduction:

Here is another vulnerability combining ClickJacking and Location Bar Spoofing.
While checking that an older vulnerability I had reported in the Mozilla Firefox web browser (MFSA-2013-94) had been fixed completely, I first verified that it had not been inadvertently reintroduced. I found that the source code of the earlier proof of concept no longer allowed the exploitation that had led to that earlier vulnerability; however, modifying the <select> element of the old proof of concept produced a very similar vulnerability.
The changes needed for the new proof of concept were to use several <option> elements and to place in them the image of a secure-connection indicator and the URL of a targeted site, thus allowing URL and SSL-indicator spoofing.

This new vulnerability, like the earlier one cited above, also makes it possible to carry out ClickJacking attacks against the display of multiple dialog boxes (for example: GeoLocation; WebRTC; ...), allowing the theft of the trapped person's geolocation data, taking control of their webcam and microphone (and many other malicious actions). The user is enticed to double-click on a fake button placed in one of the <option> elements located in the same area as the confirmation button of the dialog box, so that the user, already deceived by the URL and secure-certificate-indicator spoofing, presses that confirmation button without realizing it (via the double-click that has to be performed).

  • Explanation:

1. In Mozilla Firefox, the <select> element can contain HTML code and therefore an image. It is thus enough to place the image of a fake location bar in this element and to position its display over the real location bar.

Concept illustrated (image):

2. Now, a few brief additional explanations about the possibility of carrying out ClickJacking attacks.
As shown above, the <select> element overlaps the real location bar, so it is also possible to cover the display of a webcam and microphone activation request or of a geolocation request, making them completely invisible. All that remains is to entice the user to double-click on the <select> element at the position where the confirmation button of the hidden dialog box sits. To be a bit more precise, the first click removes the display of the <select> element, and the second click then lands on the confirmation button.

Concept illustrated (image):


Vulnerability demonstration (video):


[CVE-2016-1967] Same-origin policy violation using performance.getEntries and history navigation with session restore


Announced: March 8, 2016
Reporter: Jordi Chancel
Impact: High
Products: Firefox
Fixed in: Firefox 45


Description

Security researcher Jordi Chancel discovered a variant of Mozilla Foundation Security Advisory 2015-136, which was fixed in Firefox 43. In the original bug, it was possible to read cross-origin URLs following a redirect if performance.getEntries() was used along with an iframe to host a page. When script navigated back in history, content was pulled from the browser cache for the redirected location instead of going to the original location.

In the newly reported variant issue, it was found that if a browser session was restored, history navigation would still allow for the same attack as content was restored from the browser cache. This is a same-origin policy violation and could allow for data theft.


Vulnerability demonstration (video):


[CVE-2016-1941] Delay following click events in file download dialog too short on OS X


Announced: January 26, 2016
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 44


Description

Security researcher Jordi Chancel reported an issue on OS X where the delay between the download dialog getting focus and the button getting enabled was too short. If an attacker is able to induce the user to double-click in a specific location, they can then pass the second click through to the dialog below, leading to unintentional actions such as the running of downloaded software.


Vulnerability demonstration (video):


[CVE-2016-1943] Location Bar Spoofing Risk – scrollto leads to that the location bar is hidden


Announced: January 26, 2016
Reporter: Jordi Chancel
Impact: High
Products: Firefox
Fixed in: Firefox 44


Description

Security researcher Jordi Chancel reported two issues involving addressbar spoofing.

The first of these is a "high" rated security issue on Firefox for Android involving the scrollTo() method to scroll a page. In this attack, scrollTo() is used to scroll the addressbar out of view while replacing it with a fake addressbar created by the attacker when a new tab is opened.


Vulnerability demonstration (video):


[CVE-2016-1942] Location bar continues displaying wyciwyg URI and resource URI if user tries to navigate to it manually


Announced: January 26, 2016
Reporter: Jordi Chancel
Impact: Low
Products: Firefox
Fixed in: Firefox 44


Description

Security researcher Jordi Chancel reported two issues involving addressbar spoofing.
The second flaw is a "low" rated security issue affecting Desktop Firefox. In this attack, when a URL which is invalid for an internal protocol is pasted into the addressbar, the addressbar contents may be manipulated to show the location of an arbitrary website instead of the one currently loaded. This issue is mitigated by the protocol being prepended to the displayed URL, making the address less likely to be confused with the appended URL.


Vulnerability demonstration (video):


[CVE-2015-7186] Reading sensitive profile files through local HTML file on Android


Announced: November 3, 2015
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 42


Description

Security researcher Jordi Chancel reported an issue in Firefox for Android where a locally saved HTML file could use file: URIs to trigger the download of additional files or the opening of cached profile data without user awareness.


This issue only affects Firefox for Android. Firefox on other operating systems is not affected.


Vulnerability demonstration (video):