[Opera Security Advisory DNA-18345] Address bar spoofing with downloads


Advisory: Address bar spoofing with downloads


UPDATE Link: http://www.opera.com/blogs/security/2014/05/security-changes-opera-21/


Announced: May 6, 2014
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 21


Description

This unrelated bug only occurred when the user dragged and dropped a URL into the address bar, which started a download. The address bar would then be right aligned, showing the wrong end of the address. This could allow a specially crafted URL to show what appeared to be a domain name, but which was actually path data. It would be missing the domain highlight, but may be enough to fool some users.
Simultaneously, it would leave the address bar in edit state, showing the download address instead of the address of the currently displayed page. Since the user may not realise that they had changed the address and put the address bar into edit state, we have now changed this to show the address of the displayed page. We’ll go into more details about this issue in a future blog post.

Opera’s Response

Opera Software has released Opera 21, where this issue has been fixed.


Credits

Reported by Jordi Chancel.

[CVE-2014-1480] UI selection timeout missing on download prompts


  • Introduction:

The update of the Mozilla Firefox web browser to version 27 fixed a vulnerability I had recently reported, which allowed clickjacking attacks against the file download and execution dialog.

With this vulnerability it is therefore possible to execute potentially dangerous files after they have been downloaded, via a clickjacking attack.

  • Conclusion / Additional details:

On Mac OS X the danger is higher, because it is possible to execute DMG files that can take on the appearance of a Firefox window opened on a secure-looking page and that contain dangerous files, which the user may execute believing them to be web links intended to update Firefox (several other possibilities exist, such as downloading and executing an arbitrary file designed to exploit a local arbitrary-code-execution vulnerability in the software used to open that file [.doc/.pdf/…]).

  • Description

Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed. This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files to be potentially opened instead of only saved in some circumstances.
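The mitigation the description refers to is a "security delay": dialog buttons stay inert for a short period after the dialog appears, so a click that a page has lined up in advance cannot land on "Open". The following is an added illustration of that gate, written for this page; it is not Firefox or Opera code. The 1000 ms default, the `createSecurityDelayGate` and `simulateDoubleClick` names, and the rule that a focus change restarts the countdown are assumptions of this example.

```javascript
// Added example: a minimal "security delay" gate for a download/open dialog.
// Button presses that arrive before the delay has elapsed since the dialog was
// shown are swallowed, and any focus change restarts the countdown, so the
// second click of a page-induced double-click cannot reach "Open".

const DEFAULT_DELAY_MS = 1000; // assumed default for this example

function createSecurityDelayGate(delayMs = DEFAULT_DELAY_MS) {
  let enableAt = Infinity; // timestamp (ms) at which buttons become active
  let shown = false;
  const events = [];       // audit trail of what the gate did

  return {
    // The dialog has just been rendered: start the countdown.
    show(now) {
      shown = true;
      enableAt = now + delayMs;
      events.push({ type: 'show', at: now });
    },
    // The dialog window lost or regained focus (e.g. a popup over it was
    // closed): restart the countdown so the user gets a fresh look at it.
    focusChanged(now) {
      if (!shown) return;
      enableAt = now + delayMs;
      events.push({ type: 'focus', at: now });
    },
    // A button press. Returns the action if accepted, null if swallowed.
    press(action, now) {
      if (!shown || now < enableAt) {
        events.push({ type: 'ignored', action, at: now });
        return null;
      }
      events.push({ type: 'accepted', action, at: now });
      return action;
    },
    isEnabled(now) {
      return shown && now >= enableAt;
    },
    log() {
      return events.slice();
    },
  };
}

// Replays the pattern the advisory describes: the dialog appears and the
// second click of a double-click lands on "open" 50 ms later. With the gate
// in place that click is ignored; a press after the delay is accepted.
function simulateDoubleClick(delayMs = DEFAULT_DELAY_MS) {
  const gate = createSecurityDelayGate(delayMs);
  gate.show(0);
  const first = gate.press('open', 50);           // too early: swallowed
  const later = gate.press('open', delayMs + 10); // user had time to read
  return { first, later, log: gate.log() };
}
```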

  • Demo video:


Security Researcher Jordi Chancel

[CVE-2014-1870] Address bar spoofing on Mac platform with drag and drop


Advisory: Address bar spoofing on Mac platform with drag and drop


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1870


UPDATE Link: http://www.opera.com/blogs/security/2014/01/security-changes-features-opera-19/


Announced: January 31, 2014
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 19


Description

Opera before 19 on Mac OS X allows user-assisted remote attackers to spoof the address bar via vectors involving a drag-and-drop operation.

Opera’s Response

Opera Software has released Opera 19, where this issue has been fixed.


Credits

Reported by Jordi Chancel.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2013-5593] Spoofing addressbar through SELECT element


  • Introduction:

Here is a vulnerability combining clickjacking and location bar spoofing.
During research following the fix of an older vulnerability I had reported in the Mozilla Firefox browser (MFSA 2012-75), I looked into whether the <select> element could be used to carry out URL and secure-connection-indicator spoofing attacks, and in parallel to show that clickjacking attacks against the display of a WebRTC dialog would then be possible (thereby taking control of the webcam and microphone of a user trapped by a specially crafted web page exploiting this vulnerability).

  • Explanation:

1. In Mozilla Firefox, the <select> element can contain HTML code and therefore an image. It is thus enough to place the image of a fake location bar in this element and make it display on top of the real location bar.

Concept image: [screenshot of the fake location bar overlaying the real one]

2. Now, a few brief additional explanations about the possibility of carrying out clickjacking attacks.
As shown above, the <select> element overlays the real location bar, so it is also possible to cover the display of a webcam and microphone activation request, or of a geolocation request, and thus make them appear completely invisible. All that remains is to entice the user to double-click the <select> element at the position where the hidden dialog's confirmation button lies. To be a bit more precise, the first click removes the display of the <select> element, and the second click then hits the confirmation button.

Concept image: [screenshot of the <select> overlay covering the permission dialog]

  • Demo video:

  • Description

Security researcher Jordi Chancel discovered a method to put arbitrary HTML content within <select> elements and place it in arbitrary locations. This can be used to spoof the displayed addressbar, leading to clickjacking and other spoofing attacks.


Security Researcher Jordi Chancel

[CVE-2012-4200] Location Bar URL and SSL Spoofing



  • Introduction:

In my vulnerability research on web browsers I have found multiple "Location Bar Spoofing" issues, some of which have a high or even critical overall impact for the most dangerous ones, while others remain moderate or even low.

This spoofing issue, discovered in my research on the Mozilla Firefox web browser, has a high impact because it requires only minimal interaction from the user and also makes it possible to spoof the URL of a targeted site as well as its secure-connection indicator.

  • Additional details:

This URL and secure-connection-indicator spoofing uses several JavaScript functions in a precise order. First, a data: URL is opened in a new tab via window.open, containing a hyperlink intended to open a second tab (again via window.open) on the targeted site's address; the onblur handler is then triggered by the tab change and calls alert() while in parallel loading a new data: URL over the targeted address. Once all of this is in place, the content of the targeted website is replaced by the code contained in the last-loaded data: URL, while its URL and its secure-connection indicator are retained.


  • Demo video:


Security Researcher Jordi Chancel

[CVE-2012-3984] SELECT element persistence allows for attacks


  • Introduction:

In this article I will give some details about a critical clickjacking vulnerability I discovered in the Mozilla Firefox web browser. It allowed a malicious add-on capable of taking control of the vulnerable machine to be installed, by using the <select> element to cover certain parts of the add-on installation dialog.
A. The vulnerability initially allowed the location bar to be covered persistently, which demonstrated that a location bar spoofing attack could be carried out with it.

 B. It was while examining the fact that the <select> element could cover any element (whether part of the web page or any other element) that I looked into exploiting this vulnerability to cover the installation dialog of an XPI add-on (thus allowing malware aimed at taking control of the machine trapped by this vulnerability to be executed).

  • Brief explanation:

The <select> element is able to cover any element of Mozilla Firefox, since it is always placed in the foreground. However, using the <select> element alone is not enough: it must also contain a suitable image (simulating parts of the element to be covered) and it must be made persistent (by manipulating other JavaScript and HTML code, which makes the desired exploitation possible).

  • Demo video:

  • Description :

Security researcher David Bloom of Cue discovered that <select> elements are always-on-top chromeless windows and that navigation away from a page with an active <select> menu does not remove this window. When another menu is opened programmatically on a new page, the original <select> menu can be retained and arbitrary HTML content within it rendered, allowing an attacker to cover arbitrary portions of the new page through absolute positioning/scrolling, leading to spoofing attacks. Security researcher Jordi Chancel found a variation that would allow for click-jacking attacks as well.

Security Researcher Jordi Chancel

[CVE-2012-6460] Truncated dialogs may be used to trick users


Advisory: Truncated dialogs may be used to trick users


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6460


UPDATE Link: http://www.opera.com/fr/security/advisory/1028


Announced: August 27, 2012
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 12.02 and Opera 11.67


Description

When an important dialog is being displayed, such as a download dialog, the entire dialog should be visible, so that the user can clearly see what the dialog’s buttons will do. In some cases, specific user interactions can cause Opera not to enforce this correctly, allowing the window to become smaller than the dialog. The edge of the window remains visible, but users may assume misleading buttons on an underlying page are part of the dialog buttons, and click on the part of the dialog’s buttons that are still visible. This can be used to cause the user to download and run executables unexpectedly, or perform other unwanted actions.

Opera’s Response

Opera Software has released Opera 12.02 and Opera 11.67, where this issue has been fixed.


Credits

I haven’t been credited for this vulnerability, because I had written a blog post which disclosed the explanation of this security bug.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-4143] Small windows can be used in several ways to trick users into executing downloads


Advisory: Small windows can be used in several ways to trick users into executing downloads


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4143


UPDATE Link: http://www.opera.com/fr/security/advisory/1027


Announced: August 1, 2012
Reporter: Security researcher Jordi Chancel
Impact: High
Products: Opera
Fixed in: Opera 12.01 and Opera 11.66


Description

When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up running a downloaded executable. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Multiple ways of generating too small windows existed in Opera.


Opera’s Response

Opera Software has released Opera 12.01 and Opera 11.66, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-3558] Carefully timed reloads, redirects, and navigation can spoof the address field


Advisory: Carefully timed reloads, redirects, and navigation can spoof the address field


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3558


UPDATE Link: http://www.opera.com/fr/security/advisory/1018


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site’s address, while the attacking site is still being displayed.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-3556] A combination of clicks and key presses can lead to cross site scripting or code execution


Advisory: A combination of clicks and key presses can lead to cross site scripting or code execution


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3556


UPDATE Link: http://www.opera.com/fr/security/advisory/1020


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to activate a scripted URL seeded in the address field, on a newly loaded target page within the pop-up, it can allow cross site scripting against the target page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Non-trivial social engineering would be required to ensure that the user followed the desired sequence of clicks and keypresses, at precisely the right speed, while ignoring the opening and loading of pages within the pop-up.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-3555] Hidden keyboard navigation can allow cross site scripting or code execution


Advisory: Hidden keyboard navigation can allow cross site scripting or code execution


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3555


UPDATE Link: http://www.opera.com/fr/security/advisory/1021


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed. Web authors are encouraged to use the x-frame-options header, and similar clickjacking protections to ensure that their pages cannot be targeted by keyboard variations of clickjacking attacks.
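Opera's advice to web authors above is the page-side defence against this whole class of keyboard and click hijacking. As an added example for this page (not Opera's code), the function below audits a response's headers for that protection: it parses the `Content-Security-Policy` `frame-ancestors` directive and the `X-Frame-Options` value and reports whether framing is restricted, alongside the header set a never-framed page should send. The `auditFramingProtection`, `parseFrameAncestors` and `antiFramingHeaders` names and the sample responses are constructed for this example.

```javascript
// Added example: check whether a response's headers stop third-party framing.
// Input is a plain object whose keys are lower-cased header names.

function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated; sources within one are whitespace-separated.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // directive absent
}

function auditFramingProtection(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers['content-security-policy'] || '');
  const findings = [];
  let restricted = false; // true when framing is limited to a known set of origins

  if (ancestors !== null) {
    // Browsers that support frame-ancestors apply it in preference to X-Frame-Options.
    const wildcard = ancestors.some((a) => a === '*' || a === 'https:' || a === 'http:');
    if (ancestors.length === 0 || ancestors.includes("'none'") || ancestors.includes("'self'")) {
      restricted = true;
    } else if (wildcard) {
      findings.push('frame-ancestors allows any origin to frame this page');
    } else {
      restricted = true;
      findings.push('frame-ancestors allow-list present; confirm each listed origin is trusted');
    }
  } else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    restricted = true;
    findings.push('only X-Frame-Options is set; add a CSP frame-ancestors directive as well');
  } else if (xfo.startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is not honoured by every browser; use CSP frame-ancestors instead');
  } else {
    findings.push('no anti-framing header: any site can embed this page (clickjacking risk)');
  }
  return { restricted, findings };
}

// Header set for a page that must never be framed: both headers, for old and new browsers.
function antiFramingHeaders() {
  return {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  };
}

// Constructed sample responses for a self-check.
const SAMPLE_UNPROTECTED = { 'content-type': 'text/html' };
const SAMPLE_XFO_ONLY = { 'x-frame-options': 'sameorigin' };
const SAMPLE_WEAK_CSP = { 'content-security-policy': "default-src 'self'; frame-ancestors *" };
```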


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-0474] Page load short-circuit can lead to XSS

  • Introduction:

Location bar spoofing issues present a real danger, especially when they allow both the URL and the secure-connection indicator to be spoofed. This vulnerability, which I reported, nevertheless has other possibilities, as Chris McGowen demonstrated by reporting a variant of it that allows JavaScript code to be executed on a targeted domain.

  • Some details:

The vulnerability in question relies on certain navigation-related JavaScript functions that must be executed in a precise order.

First, a hyperlink must be clicked; this first changes a URL of the form www.yyy.com to www.yyy.com# while triggering location.href, which is used to redirect to the address of the website to be spoofed. Finally, history.back() is executed, which deceives Mozilla Firefox as to the address actually being visited, thus replacing the malicious site's address with the previously targeted address.

  • Demo video:


Description:

Security researchers Jordi Chancel and Eddy Bordi reported that they could short-circuit page loads to show the address of a different site than what is loaded in the window in the addressbar. Security researcher Chris McGowen independently reported the same flaw, and further demonstrated that this could lead to loading scripts from the attacker’s site, leaving users vulnerable to cross-site scripting (XSS) attacks.

Security Researcher Jordi Chancel

[CVE-2012-1925] Overlapping content can trick users into executing downloads


Advisory: Overlapping content can trick users into executing downloads


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1925


UPDATE Link: http://www.opera.com/fr/security/advisory/1011


Announced: March 26, 2012
Reporter: Security researcher Jordi Chancel
Impact: High
Products: Opera
Fixed in: Opera 11.62


Description

Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking the page content causes the dialog to be clicked instead. While an attacker may not have much control over the appearance of the overlapping content, they may be able to use it to trick the user into performing harmful actions, such as running a downloaded executable.

Opera’s Response

Opera Software has released Opera 11.62, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-1924] Small windows can be used to trick users into executing downloads


Advisory: Small windows can be used to trick users into executing downloads


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1924


UPDATE Link: http://www.opera.com/fr/security/advisory/1010


Announced: March 26, 2012
Reporter: Security researcher Jordi Chancel
Impact: High
Products: Opera
Fixed in: Opera 11.62


Description

When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up running a downloaded executable. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Opera’s Response

Opera Software has released Opera 11.62, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2012-1928] Carefully timed reloads and redirects can spoof the address field


Advisory: Carefully timed reloads and redirects can spoof the address field


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1928


UPDATE Link: http://www.opera.com/fr/security/advisory/1014


Announced: March 26, 2012
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 11.62


Description

The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site’s address, while the attacking site is still being displayed.

Opera’s Response

Opera Software has released Opera 11.62, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demo video:


-Security Researcher Jordi Chancel

[CVE-2011-2845] URL bar spoof in history handling (URL & SSL indicator Spoofing)


Title: Google Chrome URL bar spoof in history handling (URL & SSL indicator Spoofing)


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2845


Author: Security researcher Jordi Chancel


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/10/chrome-stable-release.html


Description:

Google Chrome before 15.0.874.102 does not properly handle history data, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.


  • Demo video:

Location Bar Spoofing Vulnerability with URL & SSL indicator Spoofing.


-Security Researcher Jordi Chancel

[CVE-2011-3875] URL bar spoof with drag+drop of URLs


Title: Google Chrome Location Bar Spoofing using a very long string as a web address in the location bar / URL bar spoof with drag+drop of URLs


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3875


Author: Security researcher Jordi Chancel


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/10/chrome-stable-release.html


Description:

Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.


  • Demo video:

Example video: Google Chrome URL spoofing vulnerability using drag & drop (the user tries to drag & drop selected text into the location bar in order to search for those words with Google).


-Security Researcher Jordi Chancel

[CVE-2011-2848] URL bar spoof with forward button / Possible URL Bar Spoofing when history.forward() is ignored using forward button


Issue: URL bar spoof with forward button / Possible URL Bar Spoofing when history.forward() is ignored using forward button


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2848


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/09/stable-channel-update_16.html


Issue 89564 http://code.google.com/p/chromium/issues/detail?id=89564


Announced: September 16, 2011
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Google Chrome
Fixed in: Google Chrome 14.0.835.163


Description

Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to the forward button.

Report Description

In some cases, after some window.location=’attacker’ assignments are used, history.forward() can be ignored.
If the user goes forward in Google Chrome manually, then opens and closes a new tab, the location bar is spoofed.


  • Demo video:


-Security Researcher Jordi Chancel