Firefox v 3.6.12 allows an attack from a malicious website

Status: RESOLVED INVALID
Priority: --
Severity: critical
Reporter: lombaeb
Assignee: Unassigned
Attachments: 1 attachment

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0C)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0C)

When visiting the site http://dobstats.info/tre/lena.html, Norton Internet Security reported that an intrusion attempt by my pc was stopped. The actor attempting to intrude is listed as Firefox on my pc.

Details provided by Norton Internet Security after visiting http://dobstats.info/tre/lena.html:

An intrusion attempt by pc-2433239 {my pc} was blocked.
Attacker url: dobstats.info/tre/lena.html
Destination address: 163.200.219.100, 3128 {this is our proxy server}
Source address: 163.200.224.141 {this is my pc}
An intrusion attempt by PC-2433239 {my pc} matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.
Network traffic from dobstats.info/tre/lena.html matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE


Reproducible: Always

Steps to Reproduce:
1. Visit site (WARNING: ATTACK)  http://dobstats.info/tre/lena.html
2. After allowing the exploit to pass, Firefox reports 'The connection was reset'.

Actual Results:  
Norton Internet Security 2010 reports the attack as described above.

Expected Results:  
Firefox should not allow the attack to pass.

Win 7 x64 Enterprise edition, with all updates (2010-11-30)
Norton Internet Security 2010, with all updates (2010-11-30)
Firefox 3.6.12
(Reporter)

Comment 1

8 years ago
The original site I wished to visit was 

http://pouzilhac10.vigneshonlione.info/sisa-pityana.html

Once visiting this site, it is auto-redirected to the malicious site  http://dobstats.info/tre/lena.html

Comment 2

The attack site you linked to is now giving a 404, so there's not much we can do with this report.  Normally I would report it as an attack site to the Safebrowsing service, which you can also do by visiting this page:
http://www.google.com/safebrowsing/report_badware/
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
(Reporter)

Comment 3

8 years ago
Created attachment 494135 [details]
Screenshots of Firefox and Norton Internet Security after visiting the attack site
(Reporter)

Comment 4

8 years ago
I would like to re-open this bug, since I have again tried visiting the attack site, and still obtain the same behavior:

http://dobstats.info/tre/lena.html

The behavior is still the same as described in the original posting:
Firefox reports an error loading the page "Connection reset" (looks like error 404), while Norton Internet Security reports that it has blocked an attack from Firefox.

So although it *looks* as if Firefox is unable to load the page, in truth, an attack is launched through Firefox.

I have attached screen-shots from Firefox and Norton Internet Security.
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---

Comment 5

Are your plugins up to date? Please visit https://www.mozilla.com/en-US/plugincheck/

Most attacks are through out-of-date plugins rather than Firefox itself. It's also hard to tell from this report if Norton detected web code that attempts to do bad stuff (but would not succeed) or if it's detecting the result of a successful attack.

The page at dobstats.info is still giving a 404; maybe it's location-aware and not serving malware to the US? I also tried going through http://pouzilhac10.vigneshonlione.info/sisa-pityana.html in case it's checking referers (we've seen that trick) but didn't get the redirect.

The forums at http://support.mozilla.com/ usually work better for investigating this kind of issue.
Group: core-security
(Reporter)

Comment 6

8 years ago
Thanks for the suggestions.

1. After updating all plugins, the issue still occurs.
2. Visiting the attack site http://dobstats.info/tre/lena.html directly reproduces the issue (i.e. it is not necessary to be redirected from the vigneshonlione.info site).  This attack site is still active as of 22 Dec 2010.
3. Norton Internet Security now provides additional information on this site and exploit:

http://safeweb.norton.com/report/show?url=dobstats.info
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1862

According to this information, it seems the attack is aimed at Adobe Acrobat/Reader/Flash.

Comment 7

http://pouzilhac10.vigneshonlione.info/sisa-pityana.html redirects to http://custom404error.com/?keywords=blood%20center and www.dobstats.info comes up as not found. Marking as INVALID as none of the sites exist at this time and because this isn't a bug. The connection reset message is because Norton blocked the page from loading and possibly causing damage to your machine, not because Firefox allowed the "attack" to happen.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID