The state of homograph attacks
no__1__here
Premium
join:2003-10-13
Tomball, TX


2 edits
reply to BeesTea
Re: The state of homograph attacks

Found the same. Worked until browser restarted.

For you Proxomitron users out there, here's a quick hack:


Name = "IDN Removal"
Active = TRUE
Bounds = "$NEST(<a(rea|),<(/a(rea|)|br)>)"
Limit = 1025
Match = "*href=$AV(*\&#[0-9]+;*)*"
Replace = "Removed IDN exploitable URL"


Semi-tested. :)
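As an added example (not code from the thread or from Proxomitron), here is the same idea as the "IDN Removal" filter above written in Python: it flags anchors whose href carries numeric character references (what the filter's Match line keys on) and, going a step further than the filter, also reports hosts that contain non-ASCII characters or punycode (xn--) labels. The function names, regexes and the sample HTML are constructed for this example.

```python
# Added example: scan <a href> links for IDN homograph indicators.
# Mirrors the Proxomitron "IDN Removal" filter (numeric char refs in href)
# and additionally reports non-ASCII and punycode hostnames.
import html
import re
from urllib.parse import urlsplit

# Constructed regexes: anchor href attributes, and &#NNN; / &#xHH; references
HREF_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1', re.I | re.S)
NUMERIC_REF_RE = re.compile(r'&#(?:x[0-9a-f]+|[0-9]+);', re.I)

def classify_href(raw_href: str) -> dict:
    """Return why a link's host looks like a homograph candidate, if it does."""
    reasons = []
    if NUMERIC_REF_RE.search(raw_href):
        reasons.append("numeric-char-ref")      # what the Proxo filter keys on
    href = html.unescape(raw_href)              # resolve &#...; to real characters
    host = urlsplit(href).hostname or ""
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ascii-host")
        # The IDNA (punycode) form is what the browser actually resolves
        try:
            reasons.append("punycode=" + host.encode("idna").decode("ascii"))
        except UnicodeError:
            reasons.append("idna-encode-failed")
    elif any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    return {"href": href, "host": host, "suspicious": bool(reasons), "reasons": reasons}

def scan_html(page: str) -> list:
    """Classify every <a href> in the page; returns one dict per link."""
    return [classify_href(m.group(2)) for m in HREF_RE.finditer(page)]

# Constructed sample: Cyrillic "a" (U+0430) replaces the Latin "a" in paypal,
# once as an entity reference, once as a raw character, once as punycode.
SAMPLE = (
    '<a href="http://www.p&#1072;ypal.com/">entity-ref spoof</a>'
    '<a href="http://www.p\u0430ypal.com/">raw unicode spoof</a>'
    '<a href="http://www.xn--pypal-4ve.com/">punycode</a>'
    '<a href="https://www.paypal.com/">real</a>'
)

if __name__ == "__main__":
    for link in scan_html(SAMPLE):
        print(link["host"], "SUSPICIOUS" if link["suspicious"] else "ok", link["reasons"])
```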

SUMware
Premium
join:2002-05-21

1 edit
This Proxo filter works for me with the posted exploit and Firefox 1.0. Thanks for posting it.


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000


1 edit
reply to BeesTea
The workaround for firefox seems to be an edit to your compreg.dat.

For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Cheers,
-BeesT
--
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire


1 edit
It works. After making a backup of compreg.dat I placed
#
to remark out the line BeesTea mentioned. Exploit fails.

Cudni


sybille
Not only "just visiting"
Premium
join:2004-04-06
France
reply to BeesTea
Confirmed on Linux, also.

Thanks again, BeesTea.

Jim Wright

join:2001-06-09
Carrollton, TX
reply to no__1__here
How exactly do I get this hack into proxo? I am using 4.5, but not adept at making these adjustments to the program. Thanks for any help.:D

JW

SUMware
Premium
join:2002-05-21
reply to BeesTea
On Win98 the file is located here:

C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\default.xtu\compreg.dat

And your fix works here, too!

SUMware
Premium
join:2002-05-21


2 edits
reply to Jim Wright
Hi Jim. Make a backup copy of your default.cfg file (located in the Proxo folder) for safety. Then open the default.cfg file. Copy & paste the filter into the config within the [Patterns] section (a safe location would be where site-specific filters (i.e. Yahoo, CNN, etc.) are located). Save the config, then exit/restart Proxo.

Jim Wright

join:2001-06-09
Carrollton, TX
Hey SUM,

Thanks man. I really appreciate the assistance.

JW


Drunkula
Premium
join:2000-06-12
Denton, TX
·Verizon FIOS

reply to BeesTea
Anybody here know if the Proxomitron technique above will work with Privoxy? That rule is more-or-less gibberish to me and I wouldn't know how to translate it into Privoxy's config settings!
--
My idea of equal rights? Hey it's just as easy for a woman to put the toilet seat down as it is for a man to put the toilet seat up.

SUMware
Premium
join:2002-05-21
reply to Jim Wright
My pleasure.


EGeezer
Freezin Season
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable


1 edit
reply to BeesTea
Re: BeesTea's fix - worked!

It worked here too - BeesTea gets the medal! The applicable file and entry were found by searching for compreg.dat - found it in applications/data/Mozilla/firefox/profiles/... then searched for IDN and commented the line with "#".

Also found compreg.dat in [drive]/program Files/Mozilla Firefox/Components too, but commenting the line in that file didn't fix it.

(Using win98SE, current patches)

EG

raydsltech

join:2004-07-04
Concord, NC
reply to BeesTea
Re: The state of homograph attacks

Thanks BeesTea for the great fix to a serious problem. I updated all the users on my and the kids' workstation. Thanks again for the post!

CrookedSmile

join:2003-08-23

reply to BeesTea
I get a blank screen that says "meeow" when I click either of those links in the demo page. I'm not ruling out the possibility of the ghost of an evil cat webmaster haunting my pc but it looks nothing like paypal. This problem must've been fixed in the 7.54u2 release of Opera for linux.


Spy
Premium
join:2001-09-22
NE
reply to BeesTea
I get the meow also, I use firefox nightly's. Last one I've been using is about 2 days old.


ClmsnTgrFan
Thrifty, Not Cheap
Premium
join:2001-06-02
Crestview, FL
clubs:

reply to CrookedSmile
said by CrookedSmile:

I get a blank screen that says "meeow" when I click either of those links in the demo page. I'm not ruling out the possibility of the ghost of an evil cat webmaster haunting my pc but it looks nothing like paypal. This problem must've been fixed in the 7.54u2 release of Opera for linux.
That is the proof of concept page. Note that the URL bar shows "http://www.paypal.com" or "https://www.paypal.com". The Schmoo guys put "meeeow" on the page to show you that it is not paypal but instead the page they spoofed you to. Imagine if they copied PayPal's HTML and made the page look identical ... you would have no way of knowing you were not really at the PayPal site.

In other words, your Opera version is vulnerable.

barky
Premium
join:2001-03-17
San Diego, CA
 reply to BeesTea
I thought these "homographs" were called "entity references". What happened to the good 'ol "entity reference"?

B
Premium,MVM
join:2000-10-28


"Homograph" refers to the fact that the regular word and the entity reference URL appear to have the same spelling.

It's not merely that the URL uses alternate character sets; it's that a spoof is possible based on the appearance.

-- B
--
In a realm outside causality and function


no__1__here
Premium
join:2003-10-13
Tomball, TX

reply to BeesTea
Sorry JW, missed your question. Thanks for answering SUMware.

BTW, the folks on the proxo list posted an alternate filter which will still allow you to follow the URL (instead of outright killing it like mine does), but with a warning.

Also, if you use Kye-U's filter set he has updated it as well to include this type of spoof.

For reference, you can open the .cfg file as SUMware stated, or you can create a new text file and paste the new filter into it. Then in proxo do a File->Merge and point it to the file you just created. One thing to watch out for is line wraps.

BeesTea, thanks for the compreg fix.

Drunkula, I'm not familiar with Privoxy's rule syntax so I can't comment on that part. Sorry.

Jim Wright

join:2001-06-09
Carrollton, TX

No_1_Here,

No problem and thanks for the hack. When applied following Sum's instructions it worked like a charm. Of course I never open any browser without Proxo and haven't for years.

I was also highly impressed that the very day (I believe) that this vulnerability was reported that two effective remedies were forthcoming in this thread alone. Damned impressive response to an irritating nasty in my opinion.

This is why BBR Security Forum is always my first stop of the day and the last one at night.

My hat off to everyone. Great job on nailing this.
Tuesday, 09-Feb 23:07:13 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10.5 years online! © 1999-2010 dslreports.com.