Open
Bug 1390902
Opened 7 years ago
Updated 1 year ago
SOCKS 4/4A HTML injection in malformed socks server ACK response
Categories
(Core :: Networking: Proxy, defect, P3)
UNCONFIRMED
People
(Reporter: n.avanzi, Unassigned)
Details
(Whiteboard: [necko-backlog])
Attachments
(1 file)
3.55 KB,
text/plain
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Steps to reproduce:
In the attachment is a simple SOCKS 4/4a proxy written in Python for Linux. You must configure Firefox to use the SOCKS server on port 1080, then try visiting a website like http://www.ansa.it (it does not work with HTTPS sites).
Actual results:
With Firefox configured to use a SOCKS server, if an evil SOCKS server sends a malformed ACK like this:
       +----+----+----+----+----+----+----+----+-----------------------
       | VN | CD | DSTPORT |      DSTIP        |<head><title>hacked...
       +----+----+----+----+----+----+----+----+-----------------------
bytes:   1    1       2              4          n bytes of code to inject
Firefox inserts the injected code at the beginning of all the pages you visit.
You can then change the content of the pages you visit with malicious code.
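An added example, not part of the original report or its attachment: a Python parser for the 8-byte SOCKS4 reply laid out above that separates any bytes following the ACK and flags them when the client has not yet sent a request. The names `parse_socks4_reply` and `client_has_sent_data` and the sample bytes are constructed here; the last check assumes a client-speaks-first protocol such as plain HTTP.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

REPLY_LEN = 8  # VN(1) + CD(1) + DSTPORT(2) + DSTIP(4), as in the diagram above
CD_CODES = {90: "granted", 91: "rejected or failed",
            92: "rejected: identd unreachable", 93: "rejected: user-id mismatch"}

@dataclass
class Socks4Reply:
    vn: int
    cd: int
    dstport: int
    dstip: IPv4Address
    trailing: bytes                      # everything after the 8-byte reply
    findings: list = field(default_factory=list)

def parse_socks4_reply(buf: bytes, client_has_sent_data: bool = False) -> Socks4Reply:
    """Split one received buffer into the fixed reply and whatever follows it."""
    if len(buf) < REPLY_LEN:
        raise ValueError(f"short SOCKS4 reply: {len(buf)} of {REPLY_LEN} bytes")
    vn, cd, dstport, dstip = struct.unpack("!BBH4s", buf[:REPLY_LEN])
    reply = Socks4Reply(vn, cd, dstport, IPv4Address(dstip), buf[REPLY_LEN:])
    if vn != 0:
        reply.findings.append(f"VN is {vn}, a SOCKS4 reply uses 0")
    if cd not in CD_CODES:
        reply.findings.append(f"unknown CD {cd}")
    if reply.trailing and cd != 90:
        reply.findings.append("data follows a reply that did not grant the request")
    # Assumption: the tunnelled protocol is client-speaks-first (plain HTTP), so
    # nothing from the destination can exist before the client has sent a request.
    if reply.trailing and not client_has_sent_data:
        reply.findings.append(
            f"{len(reply.trailing)} bytes follow the ACK before any client request")
    return reply

# Constructed samples: a granted reply for 192.0.2.10:80, alone and with the
# trailing markup shown in the report's diagram.
SAMPLE_CLEAN = struct.pack("!BBH4s", 0, 90, 80, IPv4Address("192.0.2.10").packed)
SAMPLE_MALFORMED = SAMPLE_CLEAN + b"<head><title>hacked..."

if __name__ == "__main__":
    for name, raw in (("clean", SAMPLE_CLEAN), ("malformed", SAMPLE_MALFORMED)):
        r = parse_socks4_reply(raw)
        print(name, CD_CODES.get(r.cd), r.trailing, r.findings)
```

Because TCP may deliver the extra bytes in a later read, a client would apply the same rule to any data received between the ACK and its first request.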
Updated•7 years ago
Group: firefox-core-security → network-core-security
Component: Untriaged → Networking
Product: Firefox → Core
Comment 1•7 years ago
Proxies can explicitly modify unencrypted traffic so this isn't a new capability beyond stuff that's fairly intentional (however unwanted it may be). I'll defer to the Network folk about whether injecting content through an ACK is legit or not.
Group: network-core-security
Flags: needinfo?(mcmanus)
Comment 2•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 3•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated•2 years ago
Severity: normal → S3
Comment 4•1 year ago
Clear a needinfo that is pending on an inactive user.
Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.
For more information, please visit BugBot documentation.
Flags: needinfo?(mcmanus)
Updated•1 year ago
Component: Networking → Networking: Proxy