Closed Bug 479652 Opened 15 years ago Closed 15 years ago

pkcs11.addmodule can be spoofed to trick user into installing a module

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sephr, Assigned: KaiE)

References

Details

Attachments

(2 files, 1 obsolete file)

fixed testcase
3.10 KB, text/html
Details
screenshot
40.47 KB, image/png
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6
Build Identifier: 

pkcs11.addmodule uses a confirm prompt and doesn't escape any characters such as the 'RIGHT-TO-LEFT OVERRIDE' (U+202E), and linebreaks, ect. which can be used to trick the user into installing a security module.
Putting U+202E at the end module name argument makes the Path: part become backwards, changing something like "Path: http://code.eligrey.com/?virus/gro.allizom.eruces//:sptth :ta detacol si etadpu ehT" into "The update is located at: https://secure.mozilla.org/suriv?/moc.yergile.edoc//:ptth :htaP"
You can use a linebreak (or just start a new sentance) to lie to the user and explain to them that the ptth and htaP are just security modules being updated in a new line.

I have no idea if you can make a virus out of a security module, so I'm marking this as major just in case.

Reproducible: Always

Steps to Reproduce:
1. Use pkcs11.addmodule()
Actual Results:  
A confirm prompt that doesn't say where it originated from and can be spoofed pops up.

Expected Results:  
A custom modal dialog window that escapes any dangerous characters and is labeled with what website it originated from pops up

When this gets patched, the custom modal dialog window should also be used for pkcs11.deletemodule as it is also spoofable in a way though you wouldn't be able to exploit the spoof as the only way for it to work is to only put in the exact module name.
Attached file An example of the exploit (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        fixed testcase
      

    


  
Last example had too long of a URI and the "The" wrapped down a line, making it look fake

        Attachment #363530 -
        Attachment is obsolete: true

    
    

    
  
Since NSS does no UI, this is not an NSS bug.
Assignee: nobody → kaie
Component: Libraries → Security: UI
Product: NSS → Core
QA Contact: libraries → ui

    
    

    
  

      
      
      
      

        Attached image
          
        screenshot
      

    


  

    
    

    
  
We're already considering removing this dialog; see bug 326628.
Status: UNCONFIRMED → NEW
Component: Security: UI → Security: PSM
Ever confirmed: true
QA Contact: ui → psm
No longer depends on: 326628
Depends on: 326628

    
    

    
  
Fixed by bug 326628
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: