Closed Bug 479652 Opened 11 years ago Closed 10 years ago

pkcs11.addmodule can be spoofed to trick user into installing a module

Categories

(Core :: Security: PSM, defect, major)

defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: sephr, Assigned: KaiE)

References

Details

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6
Build Identifier: 

pkcs11.addmodule uses a confirm prompt and doesn't escape any characters such as the 'RIGHT-TO-LEFT OVERRIDE' (U+202E), and linebreaks, ect. which can be used to trick the user into installing a security module.
Putting U+202E at the end module name argument makes the Path: part become backwards, changing something like "Path: http://code.eligrey.com/?virus/gro.allizom.eruces//:sptth :ta detacol si etadpu ehT" into "The update is located at: https://secure.mozilla.org/suriv?/moc.yergile.edoc//:ptth :htaP"
You can use a linebreak (or just start a new sentance) to lie to the user and explain to them that the ptth and htaP are just security modules being updated in a new line.

I have no idea if you can make a virus out of a security module, so I'm marking this as major just in case.

Reproducible: Always

Steps to Reproduce:
1. Use pkcs11.addmodule()
Actual Results:  
A confirm prompt that doesn't say where it originated from and can be spoofed pops up.

Expected Results:  
A custom modal dialog window that escapes any dangerous characters and is labeled with what website it originated from pops up

When this gets patched, the custom modal dialog window should also be used for pkcs11.deletemodule as it is also spoofable in a way though you wouldn't be able to exploit the spoof as the only way for it to work is to only put in the exact module name.
Attached file An example of the exploit (obsolete) —
Attached file fixed testcase
Last example had too long of a URI and the "The" wrapped down a line, making it look fake
Attachment #363530 - Attachment is obsolete: true
Since NSS does no UI, this is not an NSS bug.
Assignee: nobody → kaie
Component: Libraries → Security: UI
Product: NSS → Core
QA Contact: libraries → ui
Attached image screenshot
We're already considering removing this dialog; see bug 326628.
Status: UNCONFIRMED → NEW
Component: Security: UI → Security: PSM
Ever confirmed: true
QA Contact: ui → psm
No longer depends on: 326628
Depends on: 326628
Fixed by bug 326628
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.