Closed
Bug 867928
Opened 12 years ago
Closed 3 years ago
clickjacking certificate install dialog can add untrusted root certificate.
Categories
(Core :: Security: PSM, defect, P5)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jordi.chancel, Unassigned)
References
()
Details
(Keywords: csectype-clickjacking, reporter-external, sec-low, Whiteboard: [psm-backlog])
Attachments
(4 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130409194949
Steps to reproduce:
with a double click , it's possible to instal a malicious secure certificate.
Actual results:
go to http://alternativ-testing.fr/Research/Mozilla/0daysslcertificateclickjacking57ef5758uybtuyb/Critical%20clickjacking%20install%20SSL%20certificate2.htm and doubleclick on the link . the secure certificate will be instaled automatically after the doubleclick.
Expected results:
the secure certificate will be instaled automatically after the doubleclick.
|
Reporter | |
Updated•12 years ago
|
|
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
video of the exploit : http://www.youtube.com/watch?v=nKj6Ct9Z8qQ&feature=youtu.be
|
|
Reporter | |
Updated•12 years ago
|
Attachment #744535 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 3•12 years ago
|
||
|
||
Updated•12 years ago
|
Flags: sec-bounty?
Hardware: x86_64 → x86
|
||
Comment 7•12 years ago
|
||
This is similar to the set of bugs that Jesse reported against the UI and double clicking. See bug 162020. I think this is a sec-moderate or sec-vector. The impact / damage increases once a user installs the certificate.
|
|
Reporter | |
Comment 8•12 years ago
|
||
it's not only moderate , instal a malicious certificate with a double click is high or critical but not moderate !
view this bug => https://bugzilla.mozilla.org/show_bug.cgi?id=825022
|
|
Reporter | |
Updated•12 years ago
|
Keywords: sec-moderate → sec-high
|
|
Reporter | |
Comment 9•12 years ago
|
||
I'm sure that this vulnerability is high at worst !
|
|
||
Updated•12 years ago
|
Keywords: sec-high → sec-moderate
|
|
||
Comment 10•12 years ago
|
||
Jordi:
We'll reevaluate the rating at the bug-bounty meeting this week. I don't believe this bug is at the same level as the TurkTrust issue. The TurkTrust issue resulted in all FireFox users with the TurkTrust cert being vulnerable to SSL interception.
Your attack has a much smaller affected userbase. The worst case scenario that I see is a rogue ISP injecting this code onto HTTP sites to MITM their users. This could be a sec-high.
|
||
Updated•12 years ago
|
Component: Untriaged → Security: UI
Product: Firefox → Core
|
|
Reporter | |
Comment 11•12 years ago
|
||
Yes David Chan , I'm sure that this vulnerability is HIGH.
| Comment hidden (duplicate) |
|
|
||
Comment 13•12 years ago
|
||
It's installed (potentially--your PoC is off for me but I assume that can be fixed) but it's not trusted for anything unless you also check one or more of the trust boxes. It could be confusing and scary for users to find a unknown root in their certificate database but it's not actually harmful. An attacker /might/ be able to convince someone to then go through the steps to trust the cert, but it seems just as likely that if you found a victim that trusting/gullible you could just get them to accept the cert without the clickjacking issue.
Keywords: sec-moderate → sec-low
|
|
||
Updated•12 years ago
|
Summary: Malicious Certificate instal ClickJacking with double click → clickjacking certificate install dialog can add untrusted root certificate.
|
|
||
Comment 14•12 years ago
|
||
This bug does not qualify for a bug bounty unless there's some additional trick to make this a trusted root.
Flags: sec-bounty? → sec-bounty-
Keywords: csec-spoof
|
||
Comment 15•12 years ago
|
||
We should investigate if this could be used for denial-of-service attack.
If an attacker installs a CA cert that uses the same subject name as one of the trusted roots, but contains a newer date, then NSS *might* prefer it when searching for certificates. I'm not sure, but I'm worried that NSS might select an invalid issuer cert with a newer date, even if the newer one isn't trusted.
|
|
||
Updated•11 years ago
|
Attachment #744588 -
Attachment mime type: application/octet-stream → application/java-archive
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 17•8 years ago
|
||
We could add a delay to the "OK" button or something (although see also bug 1024871).
Component: Security: UI → Security: PSM
Priority: -- → P5
Whiteboard: [psm-backlog]
|
|
||
Comment 18•7 years ago
|
||
making this bug visible to more developers (specifically the front-end security folks)
Group: dom-core-security → core-security-release
|
||
Comment 19•7 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #17)
> We could add a delay to the "OK" button or something
From the looks of this, on the assumption the dialog uses commonDialog.xul, this is just an extra arg away. Even if not using commonDialog.xul, it looks like the functionality was abstracted into a jsm that *should* be easily adaptable, see:
https://dxr.mozilla.org/mozilla-central/rev/45fde181a497a187d01d5412f5b72897c7520517/toolkit/components/prompts/src/CommonDialog.jsm#169-175
and resource://gre/modules/SharedPromptUtils.jsm .
|
|
||
Comment 20•3 years ago
|
||
This was fixed by removing the underlying feature in bug 1024871
Depends on: 1024871
|
|
||
Updated•3 years ago
|
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
|
|
||
Updated•3 years ago
|
Group: core-security-release
|
||
Updated•4 months ago
|
Keywords: reporter-external
|
|
||
Updated•4 months ago
|
Keywords: csectype-spoof → csectype-clickjacking
You need to log in
before you can comment on or make changes to this bug.
Description
•