Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

• Previous message: Peter Besenbruch: "Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing"
• In reply to: Stephen Samuel: "[Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 31 Jul 2004 10:40:45 -0400
To: Stephen Samuel <samuel@bcgreen.com>

Has anyone tried the proof of concept with a real ssl cert and get it working?

I just tried it using two different ssl urls and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.

Can anyone confirm this? I haven't seen any mention of it on bugzilla either.

Im using:

0.9.2 on Windows2k

On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:
> Has this been posted to bugilla????
>
> E.Kellinis wrote:
> > #########################################
> > Application: Mozilla Firefox
> > Vendors: http://www.mozilla.com
> > Version: 0.9.1 / 0.9.2
> > Platforms: Windows
> > Bug: Certificate Spoofing (Phishing)
> > Risk: High
> > Exploitation: Remote with browser
> > Date: 25 July 2004
> > Author: Emmanouel Kellinis
> > e-mail: me@cipher(dot)org(dot)uk
> > web: http://www.cipher.org.uk
> > List : BugTraq(SecurityFocus)/ Full-Disclosure
> > #########################################
> >
> >
> > =======
> > Product
> > =======
> > A popular Web browser,good alternative of IE and
> > "The web browser" for linux machines,
> > used to view pages on the World Wide Web.
> >
> > ===
> > Bug
> > ===
> >
> > Firefox has caching problem, as a result of that someone can
> > spoof a certificate of any website and use it as his/her own.
> > The problem is exploited using onunload inside < body> and
> > redirection using Http-equiv Refresh metatag,document.write()
> > and document.close()
> >
> > First you direct the redirection metatag to the website
> > of which you want to spoof the certificate, then inside
> > the < body> tag you add onulnoad script so you can control
> > the output inside the webpage with the spoofed certificate.
> >
> > After that you say to firefox, as soon as you unload this page
> > close the stream, aparently the stream you close is
> > the redirection website, you do that with
> > document.close().
> >
> > Now you can write anything you want , you do that
> > using document.write(). After writing the content of you choice
> > you close the stream again , usually firefox wont display your content,
> > although if you check the source code you see it , so the last thing
> > is to refresh the new page (do that using window.location.reload()),
> > after that you have your domain name in the url field , your content
> > in the browser and the magic yellow Lock on the bottom left corner,
> > if you pass your mouse over it you will see displayed the name of
> > the website you spoofed the certificate, if you double click on it you
> > will check full information of the certificate without any warning !
> >
> > You dont need to have SSL in your website ! it will work with
> > http.
> >
> > Additional using this bug malicious websites can bypass content
> > filtering using SSL properties.
> >
> >
> > =====================
> > Proof Of Concept Code
> > =====================
> >
> > < HTML>
> > < HEAD>
> > < TITLE>Spoofer< /TITLE>
> > < META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
> > < /HEAD>
> > < BODY
> > onunload="
> > document.close();
> > document.writeln('< body onload=document.close();break;>
> > < h3>It is Great to Use example's Cert!');
> >
> > document.close();
> > window.location.reload();
> > ">
> > < /body>
> >
> >
> > =========================================================
> > *PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
> > =========================================================
>
> --
> Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
> http://www.bcgreen.com/~samuel/
> Powerful committed communication. Transformation touching
> the jewel within each person and bringing it to light.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-- 
http://scott.telnetd.com/loco/

• Previous message: Peter Besenbruch: "Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing"
• In reply to: Stephen Samuel: "[Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Is that secure : ... for that URL (via checking for a valid domain name certificate and the ... when they discovered that using SSL cut their thruput/performance ... The scenario about the website that you thought you were ... "payment" URL (for some website that the attackers were able to obtain ... (comp.security.misc) Re: Secure web page? ... All SSL ensures is that the transport of data between your web browser ... matched the domain name in the domain name digital certificate ... entered as part of connecting to the website) ... ... domain name connection to the webserver that the user entered ... ... (alt.computer.security) Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing ... Has anyone tried the proof of concept with a real ssl cert and get it working? ... >> First you direct the redirection metatag to the website ... >> the output inside the webpage with the spoofed certificate. ... (Full-Disclosure) Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing ... Has anyone tried the proof of concept with a real ssl cert and get it working? ... >> First you direct the redirection metatag to the website ... >> the output inside the webpage with the spoofed certificate. ... (Bugtraq) Re: Trying to create a pass through for SSL ... What I want to do is be able to share an SSL certificate ... Now when the website was ... (secure.xyz.com and virtual directory ~mysubdomain) ... (microsoft.public.inetserver.iis.security)