Spoofing any IP address in the Browser Address Bar and link (hyperlink)

RESOLVED DUPLICATE of bug 1298584

Status


Firefox
Untriaged
a year ago
a year ago

People

(Reporter: Artur, Unassigned)

Tracking

50 Branch
All
Windows 7

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8816723 [details]
spoofing_link_poc.html

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161129173726

Steps to reproduce:

Step by step:
a) The attacker registers a domain with Arabic Letters (and Arabic Domain Extension ex. شبكة)
b) Next, the attacker needs to use a "Punycode Converter" to convert the domain name into "Punycode"
c) Next, the attacker needs to create a link with this scheme:
<a href="http://xn--pgbr3deabc.xn--ngbc5azdabc/HERE_WE_NEED_TO_PUT_SPOOFED_IP/" target="_blank" rel="nofollow">IP Spoofing Link</a>
Example:
<a href="http://xn--pgbr3deabc.xn--ngbc5azdabc/127.0.0.1/" target="_blank" rel="nofollow">IP Spoofing Link</a>

Proof of Concept: Spoofing Link - Open in Browser - http://xn--pgbr3deabc.xn--ngbc5azdabc/127.0.0.1/ (this is not my domain, I only use it for example)

You can change domain "xn--pgbr3deabc.xn--ngbc5azdabc", to any domain with Arabic Letters and Arabic Domain Extension.

===========================

Firefox Version: 50.0.2
Operating System: Microsoft Windows XP SP3 and Microsoft Windows 7 SP1


Actual results:

Spoofing any IP address in the Browser Address Bar and link (hyperlink)
by using Arabic Letters in Domain Name and Extension

I found a vulnerability that allows spoofing any IP address in the Browser Address Bar and link (hyperlink). The attacker using this vulnerability can register a domain name and create a fake login panel for the router on this domain.


Expected results:

IDN domains should not use RTLO for /catalog_path/.
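
A defender-side check for the URL shape described in this report, added here as an example (it is not part of the report or of Mozilla's code): it flags URLs whose host decodes to right-to-left script and whose first path segment has no strongly directional characters, such as an IP address, since that segment takes its display position from the surrounding RTL text. The function names and the sample host are constructed for illustration.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

STRONG_RTL = {"R", "AL"}   # bidi classes of Hebrew and Arabic letters
STRONG_LTR = {"L"}         # bidi class of Latin and other left-to-right letters

def host_to_unicode(host):
    """Decode xn-- labels to the Unicode form a browser may display."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as typed
        out.append(label)
    return ".".join(out)

def bidi_classes(text):
    return {unicodedata.bidirectional(ch) for ch in text}

def check_url(url):
    """Flag an RTL host followed by a first path segment with no strong direction."""
    parts = urlsplit(url)
    host = host_to_unicode(parts.hostname or "")
    segment = parts.path.lstrip("/").split("/", 1)[0]
    rtl_host = bool(bidi_classes(host) & STRONG_RTL)
    # Digits are class EN and dots are class CS: neither is a strong character.
    no_strong = bool(segment) and not (bidi_classes(segment) & (STRONG_RTL | STRONG_LTR))
    try:
        ipaddress.ip_address(segment)
        looks_like_ip = True
    except ValueError:
        looks_like_ip = False
    return {"host": host, "segment": segment,
            "suspicious": rtl_host and no_strong,
            "ip_in_path": rtl_host and looks_like_ip}

def sample_urls():
    # Constructed sample: an Arabic-script label built here, not the domain from the report.
    label = "\u0645\u062b\u0627\u0644"
    ace = "xn--" + label.encode("punycode").decode("ascii")
    return [f"http://{ace}.{ace}/127.0.0.1/",   # RTL host, IP-shaped path segment
            f"http://{ace}.{ace}/login/",       # RTL host, path has Latin letters
            "http://example.com/127.0.0.1/"]    # LTR host

if __name__ == "__main__":
    for u in sample_urls():
        print(u, check_url(u))
```
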
(Reporter)

Updated

a year ago
OS: Unspecified → Windows 7
Hardware: Unspecified → All

Comment 1

a year ago
99% sure this is a straight-up dupe of bug 1298584, which is public, so this can be opened up and duped.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1298584
(Reporter)

Comment 2

a year ago
Yes, you are right :-)
Can I write and publish an article describing this vulnerability with an example PoC?

Best Regards