Forums » Up and Running » Security » Security » 2nd vulnerability in Firefox 3.0.10: KEYGEN tag
matunga

join:2003-07-26


2nd vulnerability in Firefox 3.0.10: KEYGEN tag

Affected products :
- Firefox 3.0.10 (Windows)
- Likely : All Firefox versions supporting the KEYGEN tag

Status : No patch

II. Description
~~~~~~~~~~~~~~~
This bug is a simple design bug that results in an endless loop (and interesting
memory leaks).

Once upon a time Netscape thought it would be a great idea to add the keygen tag
(<keygen>) as a feature to their Browser. The keygen tag offers a simple way
of automatically generating key material using various algorithms. For instance
it is possible to generate RSA, DSA and EC key material.

"The public key and challenge string are DER encoded as PublicKeyAndChallenge and
then digitally signed with the private key to produce a SignedPublicKeyAndChallenge.
The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally
submitted to the server as the value of a name-value pair, where the name is
specified by the NAME attribute of the KEYGEN tag."

More information: »https://developer.mozilla.org/En/HTML/HT···YGEN_Tag

This feature includes the automatic submission of the public part to a script,
the crux. The Keygen tag reloads the document by submitting the public key as an argument
to the current URI. Combining this with a javascript body onload() call
(or meta refresh) results in a neat endless loop blocking access to the UI.

Furthermore memory is leaked during the process.

III. Impact
~~~~~~~~~~~
The browser doesn't respond any longer to any user input, tabs are no
longer accessible, your work if any might be lost. Restarting the
Firefox process and restoring the previous Firefox session will
re-spawn the tab and start the loop again.

According to a Bugzilla entry memory is also leaked during the process.

So let's recap, we have a function that generates key material and looping
causes memory to leak. One might think this should be important enough
to investigate, especially if you know that for DSA for instance, only
a few bits of k can reveal an entire private key. [3]

IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Live : http://secdev.zoller.lu/ff_dos_keygen.html

»blog.zoller.lu/2009/04/advisory-···ice.html
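As an added example (not part of the advisory, the forum post, or any Mozilla code), here is a small static checker in Python that flags the combination the post describes: a `<keygen>` element inside a form together with something that re-submits or reloads the page on its own (a `meta refresh`, or an `onload` handler or script that calls `submit()`). The sample documents, the class name `KeygenLoopScanner` and the function `scan_html` are constructed for this illustration.

```python
"""Static check for the KEYGEN reload-loop pattern described in the advisory.

A document is reported as suspicious when it contains a <keygen> element
inside a <form> AND a mechanism that re-submits or reloads the page without
user action: <meta http-equiv="refresh">, an onload attribute that calls
submit(), or inline script that calls submit().  The HTML samples below are
constructed for this example.
"""
import re
from html.parser import HTMLParser

# Matches a JavaScript call such as document.forms[0].submit()
SUBMIT_RE = re.compile(r"\bsubmit\s*\(", re.IGNORECASE)


class KeygenLoopScanner(HTMLParser):
    """Collects the indicators while the document is parsed."""

    def __init__(self):
        super().__init__()
        self.keygen_in_form = False
        self.meta_refresh = False
        self.onload_submit = False
        self.script_submit = False
        self._form_depth = 0      # >0 while inside a <form>
        self._in_script = False   # True while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_depth += 1
        elif tag == "keygen" and self._form_depth > 0:
            self.keygen_in_form = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True
        if "onload" in a and SUBMIT_RE.search(a["onload"]):
            self.onload_submit = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_depth > 0:
            self._form_depth -= 1
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SUBMIT_RE.search(data):
            self.script_submit = True


def scan_html(doc: str) -> dict:
    """Parse one HTML document and return the indicators plus a verdict."""
    p = KeygenLoopScanner()
    p.feed(doc)
    p.close()
    reasons = []
    if p.meta_refresh:
        reasons.append("meta refresh")
    if p.onload_submit:
        reasons.append("onload submit()")
    if p.script_submit:
        reasons.append("script submit()")
    auto_resubmit = bool(reasons)
    return {
        "keygen_in_form": p.keygen_in_form,
        "auto_resubmit": auto_resubmit,
        "reasons": reasons,
        "suspicious": p.keygen_in_form and auto_resubmit,
    }


# Constructed samples (not taken from the advisory's live page).
META_REFRESH_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0"></head>'
    '<body><form method="post"><keygen name="k" keytype="rsa"></form>'
    "</body></html>"
)
ONLOAD_PAGE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post"><keygen name="k"></form></body></html>'
)
BENIGN_PAGE = (
    '<html><body><form method="post"><keygen name="k">'
    '<input type="submit" value="Enroll"></form></body></html>'
)
REFRESH_ONLY_PAGE = (
    '<html><head><meta http-equiv="refresh" content="30"></head>'
    "<body>status page</body></html>"
)

if __name__ == "__main__":
    for name, doc in [("meta refresh", META_REFRESH_PAGE), ("onload", ONLOAD_PAGE),
                      ("benign", BENIGN_PAGE), ("refresh only", REFRESH_ONLY_PAGE)]:
        print(name, scan_html(doc))
```

The check is deliberately a heuristic: a `<keygen>` in a form that the user submits by hand (the benign sample) is ordinary certificate enrolment and is not flagged, and a meta refresh on a page without a keygen form is not flagged either. Only the pairing of automatic key generation with automatic re-submission, which is what produces the loop, is reported.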


EdG

@eastlink.ca


reply to matunga
No effect here. There's a shocker....


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


reply to matunga
Just tried it by opening another tab - it did indeed hang with the "generating key..." box after I specifically clicked the radio button, but I was able to close the box and tab after a few seconds without data loss or abnormal termination of the browser.

Looks like an irritation and performance bug, but not a security issue.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis


TZO

@t-dialin.net
POC relies on javascript... see the document.form there? So disable NoScript and it works. FYI, NoScript is really no help as you can simply use a meta refresh to achieve the same.


anon123213

@t-dialin.net
reply to EGeezer
Mozilla confirmed the bug, can't you guys read? You're wasting your time replicating.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

said by anon123213 :

Mozilla confirmed the bug, can't you guys read? You're wasting your time replicating.
But it was such fun to attempt to replicate and then post my results!
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis


Unknown_Poster

@verizon.net

reply to anon123213
said by anon123213 :

Mozilla confirmed the bug
Okay.
Though not exactly a 'zero day' exploit, is it? More like a 'day 43,892' bug.

You're wasting your time replicating.
Time spent in gaining knowledge is never time wasted.


TZO

@t-dialin.net
Of course it's more important than a DoS.

The point is that FF still has a vulnerability, just not that important. Read: less risk, less impact.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to matunga
Nothing much happened with noscript blocking javascript.

With noscript disabled, the browser looped for a while taking processor to 100% usage. But then there was a security popup about sending data unencrypted to the site (yes, I have that warning message enabled). That stopped the loop. If I clicked "continue" then the loop resumed until another warning popup showed. If I clicked "cancel" I was out of the loop.

So, okay, javascript loops are possible. Yawn!
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10


chachazz
Premium
join:2003-12-14

reply to matunga
Mozilla is fast to react (unlike others, at times) to reported problems and that's what counts;

Firefox 3.0.11 candidate build available for testing
"We now have a build available for the upcoming Firefox 3.0.11 security and stability release."

v3.0.11 Beta (Build 1), released May 27, 2009
Firefox 3.0.11 Beta - Release notes:
»en-us.www.mozilla.com/en-US/fire···senotes/

Get it here:
»ftp://ftp.mozilla.org/pub/firefox/nigh···/build1/
--
Gladiator Security Forum: www.gladiator-antivirus.com/


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse


reply to TZO
said by TZO :

POC relies on javascript.. see the document.form there ? So disable noscript and it works. FYI, no script is really no help as you can simply use a meta refresh to achieve the same.
No security savvy Firefox user is going to globally allow scripts on every site. Incidentally, this is marked as "dangerous" in the NoScript menu that pops up when clicking on the icon at the bottom right of FF.

Edit: and what with worms like Gumblar (aka JSRedir-R) on the loose and vulnerabilities in Adobe Flash and Reader, you would have to be an idiot to allow scripts to run on every site.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


anon4324

@t-dialin.net
Risk is not measured by a small group of individuals. Product per default is vulnerable.


MorgenFreimann

@t-dialin.net

reply to matunga
You missed the most interesting part :
-----
Firefox is a popular internet browser from the Mozilla Corporation. In 2007 the Mozilla Corporation had a revenue of over 75 million dollars [1], out of which 68 million were made with a search advertising deal, in other words with the search box in Firefox that defaults to Google.

I envy the spirit of everyone that works on Firefox code in their spare time, for free.

»www.mozilla.org/foundation/docum···ment.pdf
»www.guidestar.org/FinDocuments//···a9-9.pdf
----


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

said by MorgenFreimann :

-----
I envy the spirit of everyone that works on Firefox code in their spare time, for free.
----
That is a lot of people to envy. Amazing that he has time for other things (however minor).

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009


anon4324

@t-dialin.net
Welcome to the world of risk management.