Firefox vulnerability keygen tag VS NoScript

mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Firefox vulnerability keygen tag VS NoScript

Post by mik33mik »

http://blog.zoller.lu/2009/04/advisory- ... rvice.html

When I click the done button in the poc page, the attack is successful, even if noscript blocks all the script in that page.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Firefox vulnerability keygen tag VS NoScript

Post by Giorgio Maone »

Not exactly.
Half of the "PoC" (key generation) works, because the keygen element is designed to work without scripts.
However the part where he forces the form to be submitted in the onload event, causing an endless loop (the form gets submitted and the keygen process restarts) fails, because scripts are forbidden.
I could easily close the offending tab by positioning the keygen dialog over the tab close widget and quickly clicking both in sequence.
It's far from a serious issue, however I could add a check for multiple keygen elements on document load and remove the redundant ones.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Firefox vulnerability keygen tag VS NoScript

Post by therube »

Quick fingers you've got there ;-).
Took me a number of times to get them both closed. (Sometimes the dialog would move & stay, other times it would recenter itself.)

Though nevertheless & oddly it seemed to "timeout" on its own, so even when I didn't get them closed, I still regained functionality. (SeaMonkey 2 & FF3)
Giorgio Maone wrote:fails, because scripts are forbidden
Where are the scripts, I don't see any? (At least not at http://secdev.zoller.lu/ff_dos_keygen.html)

If NoScript is installed, the POC does not start until you click the Done button.
If NoScript is not installed, the POC starts as soon as you click the link.

If NoScript is not installed & you do not attempt to close the dialog box, it simply runs continuously.

Further if NoScript is not installed, I do not get the "timeout", though if you have attempted to close the dialog, I do eventually get an Unresponsive script warning. (The "location" of the warning may vary.)

Script: file:///T:/FIREFOX/SEA20/components/nsSessionStore.js:363
Script: file:///T:/FIREFOX/SEA20/modules/XPCOMUtils.jsm:260
Even though you reply to not continue the Unresponsive script warning, it does continue. But at that point, some time later with a bit of clicking here & there (Ctrl+W <close Tab> may help too), you are able to break out.

(When the "timeout" occurs) the URL ends up being huge:

http://secdev.zoller.lu/ff_dos_keygen.html?somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZPz%2Ft2LH8%0D%0AMTN89CVe8RfjjVhkm%2Fx2bmdEJmWrEnJw4Wxl4rGAMmT7C92pGCKydxP%2FCEsDnQvY%0D%0AdbMEL7MtZjpiFtJVUaEoAGgw54SWzKNOWTpYKzGW9tQOchRHPFM80zZAnME%2FOO1j%0D%0AEDFfKAWyysOpk15YOcG8QSwthHqTVsD27tdKRWq27Aczg6VpAa%2FqlUCi3awu8dzH%0D%0AwLvld11JxRuoK5d0uZiHaAuDw8hKWr9Mns6CdfzxNq0e4YTiHqJjekwramr3l%2Fnf%0D%0A5dKGUontgSpgrs1FR%2Fars6TtndWew9WwB8%2Bk%2BHWXT%2FpBnKU2ADBe%2F8rAI3nRkDc1%0D%0Ag0C1ksK1YkclAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBALGl%0D%0AiuAdsddxMBLM00TpcGFZIx5qIHqjSOQ5Az9qeEw33kqTrnUO0cNd8zFHAD4Daosm%0D%0AYFn%2BnL%2Fj5gto9LXjdcPtJVigpCV%2BaGXthjXYtijq0ttWvzGBfWoDGRuGYkk9PlZK%0D%0ASiODDlnkbnyOrFnpDQH3ViVusqqzR6Cv7ztG8gYTgMk%2BQoPcIlhdNlF9x2TOsG2g%0D%0A51IChqFf5r0gZ%2BnDRH4acacu1MlpwQJvRxsh81bGvwh7n2Zk5jEWp%2B186kTPCzrt%0D%0AUAKdFXj5%2FpqHuJRF7EIR%2BdnnDuW1p4gafFkxIqMNX8Vg496oAVitIhCYYrYf7tRd%0D%0AWhmvBA7EASXdEttuUXE%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7pa9eVzwo%0D%0A6%2BtdncaV%2BjEzjR8aCbPM9tvQJCydifQpCAPcxanE7M7RNnKu4X0O09qiPnc9gz3G%0D%0AtbCodOrXaTbX24DXswDk1Tm0Ag9JYQLb7k%2FVk1asPKm1OgvCC5FZ60wkpLYZSt%2Fh%0D%0A59YCAeQQS3Z638r2dsCBUSZ0v8klZfTW2ujdn5M2JE0INJvK%2FYMEDHt4H19mMBFr%0D%0AKoulcUr3B%2F5VTMX7zhYP10kSGNK34rxcn6F9ToREI67qTgOUUZYWzmHy8jnXeRS3%0D%0Afom%2F9NEu7%2FjYZeO88mKx7Vt9xa1NM1UIY7zjyoCsOXzsChsVlqEnYFVqRqIe8V02%0D%0AUfQt2yW3wxGZAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAA66%0D%0Av586hhGTQzORUgoNvXO8wyY6ccKzTx4f0U4rInlnn%2BtsZlHNYMBbLY%2BppWEGwyqX%0D%0A5PkNAXutJu9tdc1VxTzpZy6dLUnenacjfPTJDGckCOoYas%2BoD1x3V8iNzfEKGb%2Bv%0D%0AnBhy4g3Y2lnsvcjAIFiUzKaFIUuPnc4L%2FD87dTTJ%2Fjd5z9mecNV7Utd4Sg60qvFC%0D%0ASDEPPZIFi1%2FwJjmZlIk6uLz5ws0RNzewKIVSKMQCIy9CFMIoUJIRxv6jIUcj1guJ%0D%0AvLApcpJLvFf2GGGhkeeRFdG6VMsubugfiDuH3nuBFAhczQiQcsG9Hj8z7a4oZjBW%0D%0Ac%2FrFrgzQzcHRMQwkAMg%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDptXa2OXOD%0D%0ApXEHI5hIxjfN9t4ZvZ120bkhL5EL3fsD%2Fnd8gB2rrMwCa2MW70QS0dVPNsXohiFQ%
0D%0AQwC7RwCiUB2bVSSAcHFowfLRakIBF0loHEq9MExdyXFUqP5EiWeLERjvl0jxFWKd%0D%0ARus7OgbBtcP638fBKLLZaQGqeGGI7HcxQPyUWqsOCsb4ljHsO8Z9s1i%2FxYQMpuut%0D%0Aa9wBu%2BK1mQC9kGr1yMwZjtSqMX8BpY9ZJ98kfdQX5pxfcoaJ2VezplKlsOC3FRCD%0D%0ALiQJZ%2FK3Ac0DGnaG4rLJzA0R2o96IoU6KKJgEo8fPOsclJRaYsPqk8zDE3Uvyos7%0D%0A90KatxKkq2jnAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAHWO%0D%0AQE4zp6Y%2BNv6zS7y3CKy9ZkTJTwTR4aLbTM0llvP65lN1KJjnzath2Ly1SXMLzoCO%0D%0AMTXwoop%2FNKNrdDDYoA5Gy27PA%2BRv6XNmTSh%2FoHmIloYiTCbviyUjokKRKBZiPkXM%0D%0AIpHdSGWYV1ogzCq2RuINfszPci%2FA7EcLN68IZhrM1%2BmyALj04GfQnNk8eD34yRsN%0D%0AGbYngZME6M8Laa4M20m9WRF3CBqNGubU71i%2B7dPJdsw9CQKGCVZQ43Ezkm%2BvT4Pd%0D%0AD63%2Fa1IQ83l6w%2FgjquhIbPbf7d6o2ayfgnawwXuR452McERgkRdezVFwuy2yDztu%0D%0A5xXgpKQIpFh9XJrU%2FnE%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkulqPRW5Z%0D%0A69WliVJCKDfViKEMHaWN3zE46SFMXM6cx%2Fd6pXVQu1NLzCFGIMVMQQWalCvYRlTg%0D%0ACcSnzuUytAPwrAbpW%2FWHnaH5OiPH4oPNDAfJQherQC0qaB4BzvXrTUenmD996HMG%0D%0AO2%2B%2BjOs5tQjLEjhBbotcyGo9O%2Fye6N5Du8jq6RFDmRjhvzYL6pI5WiguGlVGsZ%2Ba%0D%0ASHZEI4ovwWaiOYMrP3uVu4fhFOU16PIlVgneFijIz7Xs%2BPUM5dnz2AyXwxL8Cyft%0D%0Aeke3ePGrbdtbyjOE5NAYJwkoqKojUs5dfe7bPPabwfsiMju%2BwUxo6XvqTcY2xKwh%0D%0Aiah8oZYwkTnZAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAGIX%0D%0AkPVIG%2BnHGc%2Frm9d0xg%2FsudNOnQ0DKNTvci6xubK0Ln%2BveSS0yPrl1pBjcQ%2BvmBoi%0D%0A%2B4yQKuYjVEZx3G4dWbonvSuRqWBHsjc9v791dSmJoHJM2JQqqh9Yk4CexVlxBHCZ%0D%0AObzLYElFPDN3hAuD9dHqlzGBf2puQnZ5De1slivHRphF1lYPAsz06bOmcH3sriGJ%0D%0AGc9F5R%2FxLBTE6DPx6Q0fDhWniynpmm4dm1VMNKxgP0X8%2FZgeDWA8UOwmj4mhtjyX%0D%0AOn6EL%2FOIfWEpTlVQ4AGMH9lcwy8kFyTBEiUbatUVKYwnryNHzejsUYXeRsXzwXG2%0D%0AV2rsT2MiMLTGfuqo%2F9M%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6IvWIXR6W%0D%0AJnyRV%2BT4oaxTlpwy5d1z4%2BwXg81qutun%2BhUxy3ipOFjBfaWqz4dwT%2BFrqduy%2ButR%0D%0Ayrq6yFOaQC8pRDzFWs3m%2FjzdEdGdbLRSKfUMZVdQtLHze2PlBmClDvflFqQm1r5D%0D%0AKwTkTblJG%2BnuTa9XfVxRybEUCGnrv3YywyL39NUiBjhJXQHITl6%2B%2Fr6qcurYp49s%0D%0ArDW17QCrWqiMY2JYk6Q6qYO7tJWmVya
TT3V7McLXu9f7RVMfmEGNcsAOxzOXmfVS%0D%0A1uHUh3FB28GWGEkgOlIL83wPIuvBOfm%2FY1b64d%2BIqfk9LnQqLWzUqoTson5n3Pa%2B%0D%0A%2BBB7dFgjQ8urAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBALIi%0D%0AQJqvg2WNctd35xnE5z9zURUgeo%2BX%2BtwVc7PNt9LViZ%2BrYXgqMru8Iz%2BEY62hbkYd%0D%0AJk0qukDs0c3bAU7d8BSMxZhqTxA%2BboAL7ZJNRWox%2Fspou9krIdNSRdvaWSSNrOal%0D%0AOF0CxrwZ4CpaKPeq2njGeydjWeublHfzd9Om7XVtsEM6UPNeHA%2FTQReoVNnnlGUF%0D%0Ai6yaWqyQ5lh3r5sY8ms%2FZfw%2F9atBtRBqSqwcsuf1J0iNb7kVuMa%2FFyxHWGg09qK9%0D%0A3XIwPgVy6MXIOXfvy65i2G2biTNiOFcRBV7ZXPjEKTctyZiWj7EyndTfhPiKnmoa%0D%0AgQKAven8%2FaBeVfM6GEA%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrRvbBZtGW%0D%0An3T20UjqKjpQTyjNvFY%2FpRGNbqSvMXJhDW%2Bn2nc430%2B%2FWgcT%2BRbP6JSVM2dJRJ%2Fi%0D%0AJKm3l8IoPe2vsXES8VuHL5D5iVUjT4pc9ivDFLTjhwS4wQp7pnGFFzB3DeXadgsX%0D%0AwmanbyR117du1fGSv6JuI3adescGgCco6z0%2FOX5JwArkdPj0W3QCIPvc9RxlLzK9%0D%0ADskI7CF%2FuLvSS2oq4hNaQ%2BgmNAoWpfPWs%2F2%2FTCIXSG5YneeDcoSO8tI%2FGw39Ptns%0D%0Avyi9C70Xj0k6SbRwGb9mafRk452%2Fkr8Izvm%2FCNHecxdSdmm%2BoLB2GRrejokI0KOE%0D%0Ajd5N9kmtHQftAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAJ3o%0D%0A9r1lkFPSLLbirk%2Fkph5AK4g3kwnFOuHb2Ppqd12VdoolFbVK3b3EHjiEhGuwPYTl%0D%0AdWRgux8mj9Qvm3SOJQMNOqruch5dWZqq%2BsCeHACJRx4AJeQ3FYVYYn%2BsuBd485JI%0D%0ASZd%2BEOKS42%2FnpwfHF%2BEshtQ8RP%2FpyDHQp0YTEGFZc0xM8askt7DaPaFX02DSZZkm%0D%0AtSTKpAU60O1ph17dTLOm0lHXRkgXSWuyitmsj86erqU97A2rDLeS4EKiaGcG0n48%0D%0AYa4gKgBeFLp3%2BdOOkKHRUn39RWxNAR4CmSWlvy3ryRuXrQ6MphpRr2U%2BLfYrKbBP%0D%0A0Pug%2FGbNGOolifdxkQs%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzxCeK%2B0qp%0D%0A%2F5NWiGKSu5FnVN0UYV0oabRned7ygyJkk672CwdlK5UflK4F09H6LS6Bya%2Fyn9Fk%0D%0AVSg6Mbj6yXUL9ezG%2BVig%2BgpjA6F0OyqL9yyELLNhC504BGk3HHbDxmXYDO0BUpKg%0D%0AtasLV9K4w7nPVre6st7T80Kz8JVQwayJktMptHXc%2BsGkLYZf3uE8yi%2F9WS1jnZhS%0D%0A%2FmIE1JadIoOoS26xyVS8h07po5rF6KKMIBzXQKWqJfoFe8WleThNHtkb5Wwk5kGr%0D%0AX%2BVIkmt0YSID8DkeIvaiUr99rr91owmT4puHArcswc7dIAGl%2Fj0JvktoP2iRCGjX%0D%0AVEKNurAzbl6dAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNA
QEEBQADggEBAHKJ%0D%0A2n2fIhVoSbH6%2BsE5Lru6W1Qs7Ct5J5zi39B28B37bUl0GiH268RbuAGYCgZy5j51%0D%0ApPl4T6qZUgJWoXplePWXJucCrag3F%2FomHfqp3UvceHu3GvylNM3BRaRbSi4iL%2Fxy%0D%0AXQDGYBKHZ1oSVuZX42k%2FD3mvaYIRANrZxglDuD5%2B4PPfUgpKvH8mWimuxk3ZotRj%0D%0ARZOzKGcP6yAH%2FLU6cOIYK1J3BwouzroIAS3HSk3DMmC%2BrK%2B5EL5P3R3ckYmalODl%0D%0Ax7RgYkk5P9bZoSLsYCgYmRj8PuZEoOHMeavX9vuVUZsnkFXFUqBDNS%2FrlTW7II%2BB%0D%0AFzUyGMqCi9Z1YNeCC1M%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe0ywPjPrY%0D%0ATCPYsyTLZGb2PRlMAptwvBHxWIpPaEZqK7IFwpjYUOnrGOAhHV9ard8lXqKQ%2BFgL%0D%0AsJx1%2BJMZVdq3tL5I4lJ%2F5jyxJeaesxWhdBe%2F%2Bra6Nzq9Gi5W12BL2hvF1%2F0DCWXd%0D%0ATh38NnOtOo46FzkKIMB%2FF%2FH%2FlfzfiKgDqFA%2BJwCxZp%2FJR%2BsJ79l4BOXpyj80PFZI%0D%0AEqsVYtO0lJBUihuATh1mD1DdOizpvXK2b1o%2BYYpFEtpHYrd6MrBu9onglJq6LxoW%0D%0AU8JUoQt%2BE7vWN1p72pIHyEPKw56Ol4OtEUvCs1rKcwBFuOVX0zz2HIxmKR8Er8Zm%0D%0AV36L2cdXAq2nAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAHEn%0D%0AE%2FfhLrxKAqqjHtZVdIJxgpNVyFGxhy%2FToO0yBFqcigj4kQh7oq6lDWbgNyCX8dym%0D%0AGUmUO0oEFAIQu4nH0JlazSDKxOF8gLGpOpWbbQYZTBuKMmWMIfUf1CkMkIqgf2IW%0D%0AU2Ll2EIQHHduGDfBf3n2PdJpXodgATLqcHt3cT9m4izFafUrKZhyp%2B78X%2FmRghYk%0D%0A813XfAWJVTuGNFMhb8bsJjGVxTkhfG4Xz7z58UPiPloQheHRRv837hwsG%2FRYGRY3%0D%0AlKMxslVCi1o9GuWb6Wn6hmhTOzMtbSCgTTRSNkNR7BfK6WahfYUyvbIYWjdb5GWu%0D%0AW%2BvN%2ByCy3Ce6crcF640%3D&SubmitButton=Done
So NoScript is definitely helping, though I'm not sure why?


dslreports: 2nd vulnerability in Firefox 3.0.10: KEYGEN tag

TZO says, "POC relies on javascript.. see the document.form there ?".
Now what does this "document.form" mean & how is that JavaScript related?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Firefox vulnerability keygen tag VS NoScript

Post by Giorgio Maone »

therube wrote:Where are the scripts, I don't see any? (At least not at http://secdev.zoller.lu/ff_dos_keygen.html)

onload="document.forms[0].submit()"
It's JavaScript, and it means that as soon as the page loads, the first form in the page gets submitted automatically.
NoScript prevents this script from running and therefore the form from being automatically allowed in a loop (otherwise, as soon as it's submitted, it gets loaded again and resubmitted).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
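The following is an added example, not NoScript's code and not part of this thread. It sketches, in plain JavaScript, the two checks the replies above describe: the mitigation Giorgio proposes in his first reply (keep only one keygen element per document at load time and drop the redundant ones), and a way to recognise the onload auto-submit pattern quoted in his second reply. It also counts the somekey values in a submission URL like the one therube pasted, one per keygen that was rendered. The function names, the regular expression, the limit of one keygen per document and the short sample URL are all assumptions made for this example; the DOM hook at the end only runs in a browser.

```javascript
// Added example (hypothetical helper, not NoScript's implementation).

// Keep at most maxPerDocument keygen elements, in document order, and remove
// the rest. Works on real DOM elements or any objects exposing remove().
function pruneRedundantKeygens(keygens, maxPerDocument = 1) {
  const kept = [];
  const removed = [];
  keygens.forEach((el, index) => {
    if (index < maxPerDocument) {
      kept.push(el);
    } else {
      removed.push(el);
      if (typeof el.remove === 'function') el.remove();
    }
  });
  return { kept, removed };
}

// Recognise an onload attribute that submits a form as soon as the page loads,
// the pattern quoted above: onload="document.forms[0].submit()".
// The regular expression is an assumption for this example.
function hasAutoSubmitOnload(onloadAttr) {
  if (!onloadAttr) return false;
  return /\.forms\s*\[\s*\d+\s*\]\s*\.submit\s*\(/.test(onloadAttr);
}

// Count the values submitted under one field name in a GET form URL.
// Each rendered keygen contributes one value, so this tells you how many
// keygen elements the submitted form contained.
function countSubmittedKeys(url, fieldName = 'somekey') {
  const q = url.indexOf('?');
  if (q < 0) return 0;
  return url
    .slice(q + 1)
    .split('&')
    .filter((pair) => pair.split('=')[0] === fieldName).length;
}

// Constructed sample: a shortened submission URL with three keygen values
// and the Done button, in the same shape as the one pasted in this thread.
const SAMPLE_SUBMISSION_URL =
  'http://example.invalid/ff_dos_keygen.html' +
  '?somekey=MIICSjCCATIwggEi%0D%0AAAAA%3D' +
  '&somekey=MIICSjCCATIwggEi%0D%0ABBBB%3D' +
  '&somekey=MIICSjCCATIwggEi%0D%0ACCCC%3D' +
  '&SubmitButton=Done';

// Browser-only hook: inspect a document at load time and report what the
// two checks found.
function checkDocument(doc) {
  const keygens = Array.from(doc.querySelectorAll('keygen'));
  const pruned = pruneRedundantKeygens(keygens);
  const onload = doc.body ? doc.body.getAttribute('onload') : null;
  return {
    keygensRemoved: pruned.removed.length,
    autoSubmitOnload: hasAutoSubmitOnload(onload),
  };
}

if (typeof document !== 'undefined') {
  window.addEventListener('DOMContentLoaded', () => {
    console.log(checkDocument(document));
  });
}
```

Note that pruning keygens only limits how many key-generation dialogs a single load can open; it does not by itself stop the reload loop, which is why the script block on the onload handler remains the decisive part.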
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: Firefox vulnerability keygen tag VS NoScript

Post by mik33mik »

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7