browser taken over from malicious website

RESOLVED DUPLICATE of bug 636905

Status

Product: Firefox
Component: Untriaged
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 636905
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: William D Colburn, Unassigned)

Tracking

Keywords: csectype-dos, csectype-spoof, ux-control

Firefox Tracking Flags: Not tracked

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826023504

Steps to reproduce:

I wanted to see if Darren Bousman had his DVD for sale, so I tried to go to his website via the address bar.  I entered the wrong website "devilscarnival.com".

Red Hat Enterprise Linux Workstation release 6.6 (Santiago)
Linux anotheruvula 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

firefox-40.0.3

I have my profile directory, saved, if you want it.  I'll need some guidance on what to prune before I send it (I don't want you logging into my gmail, etc).


Actual results:

Fake BSOD (Windows javascript extortionware) messages appeared on my screen, then firefox crashed.  When I restarted firefox they came back, but it didn't crash.  I killed it though, because about a bazillion messages were popping up.  Then it wouldn't restart, then it finally did, but when it did my gmail kept reopening itself as various random spammy webpages.


Expected results:

I should have typed the right domain name and seen thedevilscarnival.com.

Comment 1

3 years ago
The first few times I tried to access this I got redirected to a fake BBC article that used onbeforeunload (but prompted me only once).

The second time I tried it went here: http://promotions.yourfirstmillion.biz/lp-millionaire-society/?coc=56&subc=wMUU28VANKIMC66NGCOEB740&paramf=0.01 , but that made no attempt to keep me there, either. Trying a few more times, I've seen various scammy websites but nothing that matched the degree of maliciousness you reported.

It seems like there's a set of pages (starting at devilscarnival.com) that redirects to any of a number of ads and so on. One of them (the one you hit) was more malicious than the other ones.

In order to figure out where you ended up, I guess it would be useful to look at the history in your profile. That's stored in places.sqlite, but together with your bookmarks etc. You can use sqlite manager, a Firefox add-on, to remove additional data (best do it from a second copy so that if you remove too much, you still have the original backup), or you can use any of a number of other sqlite tools to do the same. You may also want to remove unrelated history/places from that db for privacy reasons. Without cookies or such, we wouldn't be able to log in, but the db will contain page titles (which in turn could be e.g. email subjects from your gmail).


If you could attach the scrubbed database on the bug that would help us look at this further (though if we're unlucky, the problematic page will have vanished by the time we get to it... they have a tendency of doing that).
Flags: needinfo?(wcolburn+firefox)
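The history walk comment 1 asks for can be scripted rather than done by hand in an sqlite GUI. The following is an added example written for this page, not Mozilla code: it builds a constructed, in-memory places.sqlite with only the columns the walk needs (the real file has many more), follows from_visit links forward through redirect and reload visits starting at the typed URL, and then scrubs the copy for sharing by dropping every host not on an allow-list and blanking all titles, which is where webmail subjects leak. The sample URLs, titles and visit timestamps are invented; the visit_type values are Firefox's real transition constants.

```python
"""Recover a redirect chain from a Firefox places.sqlite and scrub a copy for
sharing.  Added example for this bug report; not Mozilla code.  The schema is a
constructed subset of moz_places / moz_historyvisits; sample rows are invented.
"""
import sqlite3
from urllib.parse import urlsplit

# Firefox transition types (toolkit/components/places) used below.
TRANSITION_TYPED = 2
TRANSITION_REDIRECT_PERMANENT = 5
TRANSITION_REDIRECT_TEMPORARY = 6
TRANSITION_RELOAD = 9

SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER DEFAULT 0);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a typo'd domain that redirects via a tracker to a
    browser-locker page that reloads itself, plus an unrelated webmail visit."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", [
        (1, "http://devilscarnival.com/", "devilscarnival", 1),
        (2, "http://tracker.example/go?id=1", None, 1),
        (3, "http://support-alert.example/tipshesaid.php", "Windows has detected...", 1),
        (4, "https://mail.example/inbox", "Re: salary review - Inbox", 1),
    ])
    # visit_date is PRTime (microseconds since the epoch); values are made up.
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (10, 0, 1, 1442400000000000, TRANSITION_TYPED),
        (11, 10, 2, 1442400001000000, TRANSITION_REDIRECT_TEMPORARY),
        (12, 11, 3, 1442400002000000, TRANSITION_REDIRECT_TEMPORARY),
        (13, 12, 3, 1442400005000000, TRANSITION_RELOAD),
        (14, 0, 4, 1442300000000000, TRANSITION_TYPED),
    ])
    con.commit()
    return con


def redirect_chain(con: sqlite3.Connection, start_url: str) -> list:
    """Return [(url, visit_type), ...] from the first typed visit of start_url,
    following from_visit forward through redirect and reload visits only."""
    row = con.execute(
        "SELECT v.id, p.url, v.visit_type FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id "
        "WHERE p.url = ? AND v.visit_type = ? ORDER BY v.visit_date",
        (start_url, TRANSITION_TYPED)).fetchone()
    if row is None:
        return []
    visit_id, chain, seen = row[0], [(row[1], row[2])], {row[0]}
    while True:
        nxt = con.execute(
            "SELECT v.id, p.url, v.visit_type FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id "
            "WHERE v.from_visit = ? AND v.visit_type IN (?,?,?) "
            "ORDER BY v.visit_date LIMIT 1",
            (visit_id, TRANSITION_REDIRECT_PERMANENT,
             TRANSITION_REDIRECT_TEMPORARY, TRANSITION_RELOAD)).fetchone()
        if nxt is None or nxt[0] in seen:   # end of chain, or a loop
            break
        seen.add(nxt[0])
        chain.append((nxt[1], nxt[2]))
        visit_id = nxt[0]
    return chain


def scrub_for_sharing(con: sqlite3.Connection, keep_hosts) -> int:
    """Delete places (and their visits) whose host is not in keep_hosts and
    blank every remaining title.  Returns the number of places kept."""
    keep_hosts = set(keep_hosts)
    drop = [(pid,) for pid, url in con.execute("SELECT id, url FROM moz_places")
            if urlsplit(url).hostname not in keep_hosts]
    con.executemany("DELETE FROM moz_historyvisits WHERE place_id = ?", drop)
    con.executemany("DELETE FROM moz_places WHERE id = ?", drop)
    con.execute("UPDATE moz_places SET title = NULL")
    con.commit()
    return con.execute("SELECT COUNT(*) FROM moz_places").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for url, kind in redirect_chain(db, "http://devilscarnival.com/"):
        print(kind, url)
    print("kept", scrub_for_sharing(db, ["devilscarnival.com", "tracker.example",
                                         "support-alert.example"]))
```

Run it against a copy of the profile's places.sqlite taken while Firefox is closed (the live file has a WAL sidecar that the copy would otherwise miss), and pass the real starting URL. The walk deliberately follows only redirect and reload visits; pages reached by a link click or a JavaScript location change get visit_type 1 and a from_visit too, so widen the IN list if the chain stops short.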
(Reporter)

Comment 2

3 years ago
Created attachment 8662399 [details]
A URL to my places.sqlite from the damaged profile

I have to go to an all-hands meeting now, so I'm AFK for about an hour.
Flags: needinfo?(wcolburn+firefox)

Comment 3

3 years ago
(In reply to William D Colburn from comment #2)
> Created attachment 8662399 [details]
> A URL to my places.sqlite from the damaged profile
> 
> I have to go to an all-hands meeting now, so I'm AFK for about an hour.

OK. Thanks a lot. This seems to be the page you were talking about:

http://picfsff.dj-khaled-5435789tech-supportalert.com/U3M2Z5FMnXYILKP51lDoqq3MAyWzVEUd/tipshesaid.php?cid=5-wRMTEMN7LS25NM5N0THP6D2G

It shows a BSOD-like message, and has an alert, and uses onbeforeunload and reloads to try to keep everything going.

However, once an alert is up, I can close the tab, which throws an onbeforeunload alert, where if I click "leave page" (or click the close tab icon again, or hit ctrl-w again) the tab closes.

If you stay on the page a bit longer and click through the alerts/confirms, I don't see it doing much else.

I'm not really sure what we can do about this from the Firefox side, besides fixing bug 1003967 and similar. Did you have something specific in mind? (Obviously we shouldn't crash, but I couldn't reproduce a crash myself; if you have a crashreport ID from about:crashes for that crash that would help look at that, which is likely a separate issue.)

I would unhide this bug (because I don't think there's anything in here that needs to be security-sensitive), but I think it's a good idea for you to remove the places.sqlite file from the public web first. Even just looking at it for this bug I saw a thing or two I wouldn't share publicly.

Comment 4

3 years ago
(In reply to :Gijs Kruitbosch from comment #3)
> (In reply to William D Colburn from comment #2)
> > Created attachment 8662399 [details]
> > A URL to my places.sqlite from the damaged profile
> > 
> > I have to go to an all-hands meeting now, so I'm AFK for about an hour.
> 
> OK. Thanks a lot. This seems to be the page you were talking about:
> 
> http://picfsff.dj-khaled-5435789tech-supportalert.com/
> U3M2Z5FMnXYILKP51lDoqq3MAyWzVEUd/tipshesaid.php?cid=5-
> wRMTEMN7LS25NM5N0THP6D2G
> 
> It shows a BSOD-like message, and has an alert, and uses onbeforeunload and
> reloads to try to keep everything going.
> 
> However, once an alert is up, I can close the tab, which throws an
> onbeforeunload alert, where if I click "leave page" (or click the close tab
> icon again, or hit ctrl-w again) the tab closes.
> 
> If you stay on the page a bit longer and click through the alerts/confirms,
> I don't see it doing much else.
> 
> I'm not really sure what we can do about this from the Firefox side, besides
> fixing bug 1003967 and similar. Did you have something specific in mind?
> (Obviously we shouldn't crash, but I couldn't reproduce a crash myself; if
> you have a crashreport ID from about:crashes for that crash that would help
> look at that, which is likely a separate issue.)
> 
> I would unhide this bug (because I don't think there's anything in here that
> needs to be security-sensitive), but I think it's a good idea for you to
> remove the places.sqlite file from the public web first. Even just looking
> at it for this bug I saw a thing or two I wouldn't share publicly.

Whoops, +needinfo
Flags: needinfo?(wcolburn+firefox)
(Reporter)

Comment 5

3 years ago
Ok, I nuked the places.  There shouldn't be anything bad in there, I'm pretty reserved with what I do at work on my work computer.

I've encountered sites that snuck a popup in, but I've never seen firefox crash from visiting a website, nor have I seen problems continue after I restarted firefox, and I still harbor the deep seated conviction that no one cares enough about linux to make real exploits for it so it is still the safe way to browse.

I'm a bit leery of opening that profile again to get to about:crashes, but I do have a 66-byte store.json.mozlz4 in the crashes directory.  Does that help?  I put it at http://www.aoc.nrao.edu/~wcolburn/firefox-1205678/crashes/store.json.mozlz4 for you.  The events directory was empty, and I had corefiles turned off when it happened.

I don't have permission to uncheck secure/sensitive on this bug.
Flags: needinfo?(wcolburn+firefox)

Comment 6

3 years ago
(In reply to William D Colburn from comment #5)
> I'm a bit leery of opening that profile again to get to about:crashes, but I
> do have a 66byte store.json.mozlz4 in the crashes directory.  Does that
> help?  I put it at
> http://www.aoc.nrao.edu/~wcolburn/firefox-1205678/crashes/store.json.mozlz4
> for you.  The events directory was empty. and I had corefiles turned off
> when it happened.

Sadly, there is no crash info in here.
Group: firefox-core-security
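Checking a crashes/store.json.mozlz4 yourself, as comment 6 did, needs nothing more than a mozlz4 decoder: the file is an 8-byte "mozLz40\0" magic, a little-endian 32-bit decompressed length, and one raw LZ4 block. The following is an added example written for this page, not Mozilla code; it implements the LZ4 block format directly so no lz4 package is required, and the sample file it decodes is a hand-built payload, not the reporter's file (the real store.json layout is not shown here, so the decoder just returns the parsed JSON).

```python
"""Decode a Firefox .mozlz4 file (e.g. crashes/store.json.mozlz4) with a
minimal LZ4 block decoder.  Added example for this bug report; not Mozilla
code.  SAMPLE_FILE is constructed by hand and is not the reporter's file.
"""
import json
import struct
import sys

MAGIC = b"mozLz40\0"  # 8-byte header Firefox writes in front of the LZ4 block


def lz4_block_decompress(src: bytes, expected: int) -> bytes:
    """Decode one LZ4 block: sequences of token, literals, 2-byte offset,
    match; the final sequence carries literals only."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]; i += 1
        lit = token >> 4
        if lit == 15:                       # extended literal length
            while True:
                b = src[i]; i += 1
                lit += b
                if b != 255:
                    break
        out += src[i:i + lit]; i += lit
        if i >= n:
            break                           # last sequence, no match follows
        offset = src[i] | (src[i + 1] << 8); i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("bad match offset")
        mlen = (token & 0xF) + 4            # minimum match is 4 bytes
        if (token & 0xF) == 15:
            while True:
                b = src[i]; i += 1
                mlen += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(mlen):               # byte-wise so overlapping matches repeat
            out.append(out[start + k])
    if len(out) != expected:
        raise ValueError(f"decompressed {len(out)} bytes, header said {expected}")
    return bytes(out)


def is_mozlz4(blob: bytes) -> bool:
    return blob[:8] == MAGIC and len(blob) >= 12


def read_mozlz4(blob: bytes) -> bytes:
    if not is_mozlz4(blob):
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack("<I", blob[8:12])
    return lz4_block_decompress(blob[12:], size)


def decode_mozlz4_json(blob: bytes):
    return json.loads(read_mozlz4(blob).decode("utf-8"))


# Constructed sample: literals '{"x":"abc', a 9-byte match at offset 3
# (token 0x95 = 9 literals, match length 5+4), then the 2 literal bytes '"}'.
SAMPLE_FILE = (MAGIC + struct.pack("<I", 20)
               + bytes([0x95]) + b'{"x":"abc' + b"\x03\x00"
               + bytes([0x20]) + b'"}')

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    print(json.dumps(decode_mozlz4_json(data), indent=2))
```

Point it at the store.json.mozlz4 from a profile's crashes directory; if the decoded JSON holds no crash entries, about:crashes would have shown nothing either, which is what comment 6 reports.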

Updated

3 years ago
Blocks: 432687
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-dos, csectype-spoof, ux-control
Version: 40 Branch → unspecified
Component: Untriaged → Document Navigation
Product: Firefox → Core
What is the docnav issue here, precisely?
Flags: needinfo?(bernesb)

Comment 10

3 years ago
(In reply to Virtual_ManPL [:Virtual] from comment #9)
> I was simply basing on similar Bug 1116977 Comment 16

That was because the problem was about using onbeforeunload and link clicks, both relating to docnav.

It's not clear what's really happening here apart from the fact that the page throws an alert() dialog - I can close the tab, which shows a single "do you really want to leave the page" dialog, and clicking leave page there leaves the page. I also get a popup warning, but that doesn't actually end up doing anything.

Virtual_ManPL, can you describe in more detail if there is anything we actually need to do here, apart from fixing bug 1003967 and/or bug 1123986 ?
Flags: needinfo?(bernesb)

Updated

3 years ago
Component: Document Navigation → Untriaged
Product: Core → Firefox
I'm not a specialist here, so we can close this as fix bug 1003967 and/or bug 1123986 like you said.
For me it worked when I fast close tab, but not for normal close, like I said in Bug #1206411 Comment #6

>If I was closing slow this page I can't do it, as it creates infinite loop.
>But fast clicking close with "double click" additional mouse button do the job,
>but it's not the perfect idea and can be undiscovered by user.
Flags: needinfo?(bernesb)

Comment 12

3 years ago
I've put up a patch for bug 636905. This isn't an exact dupe, but that bug will fix the primary concern here as regards closing popup tabs/windows more quickly, so I'm going to dupe it there. If/when that patch lands, for the page reported here, just clicking to close the tab/window will be enough to close it, and the beforeunload dialog will not show.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 636905