InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Firefox vulnerability keygen tag VS NoScript

https://forums.informaction.com/viewtopic.php?t=1491

Page 1 of 1

Firefox vulnerability keygen tag VS NoScript

Posted: Fri May 29, 2009 10:40 am
by mik33mik
http://blog.zoller.lu/2009/04/advisory- ... rvice.html

When I click the done button in the poc page, the attack is successful, even if noscript blocks all the script in that page.

Re: Firefox vulnerability keygen tag VS NoScript

Posted: Fri May 29, 2009 10:54 am
by Giorgio Maone
Not exactly.
Half of the "PoC" (key generation) works, because the keygen element is designed to work without scripts.
However the part where he forces the form to be submitted in the onload event, causing an endless loop (the form gets submitted and the keygen process restarts) fails, because scripts are forbidden.
I could easily close the offending tab by positioning the keygen dialog over the tab close widget and quickly clicking both in sequence.
It's far from a serious issue, however I could add a check for multiple keygen elements on document load and remove the redundant ones.

Re: Firefox vulnerability keygen tag VS NoScript

Posted: Fri May 29, 2009 2:52 pm
by therube
Quick fingers you've got there ;-).
Took me a number of times to them both closed. (Sometimes the dialog would move & stay, other times it would recenter itself.)

Though nevertheless & oddly it seemed to "timeout" on its own, so even when I didn't get them closed, I still regained functionality. (SeaMonkey 2 & FF3)
fails, because scripts are forbidden
Where are the scripts, I don't see any? (At least not at http://secdev.zoller.lu/ff_dos_keygen.html)

If NoScript is installed, the POC does not start until you click the Done button.
If NoScript is not installed, the POC starts as soon as you click the link.

If NoScript is not installed & you do not attempt to close the dialog box, it simply runs continuously.

Further if NoScript is not installed, I do not get the "timeout", though if you have attempted to close the dialog, I do eventually get an Unresponsive script warning. (The "location" of the warning may vary.)

Code: Select all

Script: file:///T:/FIREFOX/SEA20/components/nsSessionStore.js:363
Script: file:///T:/FIREFOX/SEA20/modules/XPCOMUtils.jsm:260
Even though you reply to not continue the Unresponsive script warning, it does continue. But at that point, some time later with a bit of clicking here & there (Ctrl+W <close Tab> may help too), you are able to break out.

(When the "timeout" occurs) the URL ends up being huge:

Code: Select all

http://secdev.zoller.lu/ff_dos_keygen.html?somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZPz%2Ft2LH8%0D%0AMTN89CVe8RfjjVhkm%2Fx2bmdEJmWrEnJw4Wxl4rGAMmT7C92pGCKydxP%2FCEsDnQvY%0D%0AdbMEL7MtZjpiFtJVUaEoAGgw54SWzKNOWTpYKzGW9tQOchRHPFM80zZAnME%2FOO1j%0D%0AEDFfKAWyysOpk15YOcG8QSwthHqTVsD27tdKRWq27Aczg6VpAa%2FqlUCi3awu8dzH%0D%0AwLvld11JxRuoK5d0uZiHaAuDw8hKWr9Mns6CdfzxNq0e4YTiHqJjekwramr3l%2Fnf%0D%0A5dKGUontgSpgrs1FR%2Fars6TtndWew9WwB8%2Bk%2BHWXT%2FpBnKU2ADBe%2F8rAI3nRkDc1%0D%0Ag0C1ksK1YkclAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBALGl%0D%0AiuAdsddxMBLM00TpcGFZIx5qIHqjSOQ5Az9qeEw33kqTrnUO0cNd8zFHAD4Daosm%0D%0AYFn%2BnL%2Fj5gto9LXjdcPtJVigpCV%2BaGXthjXYtijq0ttWvzGBfWoDGRuGYkk9PlZK%0D%0ASiODDlnkbnyOrFnpDQH3ViVusqqzR6Cv7ztG8gYTgMk%2BQoPcIlhdNlF9x2TOsG2g%0D%0A51IChqFf5r0gZ%2BnDRH4acacu1MlpwQJvRxsh81bGvwh7n2Zk5jEWp%2B186kTPCzrt%0D%0AUAKdFXj5%2FpqHuJRF7EIR%2BdnnDuW1p4gafFkxIqMNX8Vg496oAVitIhCYYrYf7tRd%0D%0AWhmvBA7EASXdEttuUXE%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7pa9eVzwo%0D%0A6%2BtdncaV%2BjEzjR8aCbPM9tvQJCydifQpCAPcxanE7M7RNnKu4X0O09qiPnc9gz3G%0D%0AtbCodOrXaTbX24DXswDk1Tm0Ag9JYQLb7k%2FVk1asPKm1OgvCC5FZ60wkpLYZSt%2Fh%0D%0A59YCAeQQS3Z638r2dsCBUSZ0v8klZfTW2ujdn5M2JE0INJvK%2FYMEDHt4H19mMBFr%0D%0AKoulcUr3B%2F5VTMX7zhYP10kSGNK34rxcn6F9ToREI67qTgOUUZYWzmHy8jnXeRS3%0D%0Afom%2F9NEu7%2FjYZeO88mKx7Vt9xa1NM1UIY7zjyoCsOXzsChsVlqEnYFVqRqIe8V02%0D%0AUfQt2yW3wxGZAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAA66%0D%0Av586hhGTQzORUgoNvXO8wyY6ccKzTx4f0U4rInlnn%2BtsZlHNYMBbLY%2BppWEGwyqX%0D%0A5PkNAXutJu9tdc1VxTzpZy6dLUnenacjfPTJDGckCOoYas%2BoD1x3V8iNzfEKGb%2Bv%0D%0AnBhy4g3Y2lnsvcjAIFiUzKaFIUuPnc4L%2FD87dTTJ%2Fjd5z9mecNV7Utd4Sg60qvFC%0D%0ASDEPPZIFi1%2FwJjmZlIk6uLz5ws0RNzewKIVSKMQCIy9CFMIoUJIRxv6jIUcj1guJ%0D%0AvLApcpJLvFf2GGGhkeeRFdG6VMsubugfiDuH3nuBFAhczQiQcsG9Hj8z7a4oZjBW%0D%0Ac%2FrFrgzQzcHRMQwkAMg%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDptXa2OXOD%0D%0ApXEHI5hIxjfN9t4ZvZ120bkhL5EL3fsD%2Fnd8gB2rrMwCa2MW70QS0dVPNsXohiFQ%0D%0AQwC7RwCiUB2bVSSAcHFowfLRakIBF0loHEq9MExdyXFUqP5EiWeLERjvl0jxFWKd%0D%0ARus7OgbBtcP638fBKLLZaQGqeGGI7HcxQPyUWqsOCsb4ljHsO8Z9s1i%2FxYQMpuut%0D%0Aa9wBu%2BK1mQC9kGr1yMwZjtSqMX8BpY9ZJ98kfdQX5pxfcoaJ2VezplKlsOC3FRCD%0D%0ALiQJZ%2FK3Ac0DGnaG4rLJzA0R2o96IoU6KKJgEo8fPOsclJRaYsPqk8zDE3Uvyos7%0D%0A90KatxKkq2jnAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAHWO%0D%0AQE4zp6Y%2BNv6zS7y3CKy9ZkTJTwTR4aLbTM0llvP65lN1KJjnzath2Ly1SXMLzoCO%0D%0AMTXwoop%2FNKNrdDDYoA5Gy27PA%2BRv6XNmTSh%2FoHmIloYiTCbviyUjokKRKBZiPkXM%0D%0AIpHdSGWYV1ogzCq2RuINfszPci%2FA7EcLN68IZhrM1%2BmyALj04GfQnNk8eD34yRsN%0D%0AGbYngZME6M8Laa4M20m9WRF3CBqNGubU71i%2B7dPJdsw9CQKGCVZQ43Ezkm%2BvT4Pd%0D%0AD63%2Fa1IQ83l6w%2FgjquhIbPbf7d6o2ayfgnawwXuR452McERgkRdezVFwuy2yDztu%0D%0A5xXgpKQIpFh9XJrU%2FnE%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkulqPRW5Z%0D%0A69WliVJCKDfViKEMHaWN3zE46SFMXM6cx%2Fd6pXVQu1NLzCFGIMVMQQWalCvYRlTg%0D%0ACcSnzuUytAPwrAbpW%2FWHnaH5OiPH4oPNDAfJQherQC0qaB4BzvXrTUenmD996HMG%0D%0AO2%2B%2BjOs5tQjLEjhBbotcyGo9O%2Fye6N5Du8jq6RFDmRjhvzYL6pI5WiguGlVGsZ%2Ba%0D%0ASHZEI4ovwWaiOYMrP3uVu4fhFOU16PIlVgneFijIz7Xs%2BPUM5dnz2AyXwxL8Cyft%0D%0Aeke3ePGrbdtbyjOE5NAYJwkoqKojUs5dfe7bPPabwfsiMju%2BwUxo6XvqTcY2xKwh%0D%0Aiah8oZYwkTnZAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAGIX%0D%0AkPVIG%2BnHGc%2Frm9d0xg%2FsudNOnQ0DKNTvci6xubK0Ln%2BveSS0yPrl1pBjcQ%2BvmBoi%0D%0A%2B4yQKuYjVEZx3G4dWbonvSuRqWBHsjc9v791dSmJoHJM2JQqqh9Yk4CexVlxBHCZ%0D%0AObzLYElFPDN3hAuD9dHqlzGBf2puQnZ5De1slivHRphF1lYPAsz06bOmcH3sriGJ%0D%0AGc9F5R%2FxLBTE6DPx6Q0fDhWniynpmm4dm1VMNKxgP0X8%2FZgeDWA8UOwmj4mhtjyX%0D%0AOn6EL%2FOIfWEpTlVQ4AGMH9lcwy8kFyTBEiUbatUVKYwnryNHzejsUYXeRsXzwXG2%0D%0AV2rsT2MiMLTGfuqo%2F9M%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6IvWIXR6W%0D%0AJnyRV%2BT4oaxTlpwy5d1z4%2BwXg81qutun%2BhUxy3ipOFjBfaWqz4dwT%2BFrqduy%2ButR%0D%0Ayrq6yFOaQC8pRDzFWs3m%2FjzdEdGdbLRSKfUMZVdQtLHze2PlBmClDvflFqQm1r5D%0D%0AKwTkTblJG%2BnuTa9XfVxRybEUCGnrv3YywyL39NUiBjhJXQHITl6%2B%2Fr6qcurYp49s%0D%0ArDW17QCrWqiMY2JYk6Q6qYO7tJWmVyaTT3V7McLXu9f7RVMfmEGNcsAOxzOXmfVS%0D%0A1uHUh3FB28GWGEkgOlIL83wPIuvBOfm%2FY1b64d%2BIqfk9LnQqLWzUqoTson5n3Pa%2B%0D%0A%2BBB7dFgjQ8urAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBALIi%0D%0AQJqvg2WNctd35xnE5z9zURUgeo%2BX%2BtwVc7PNt9LViZ%2BrYXgqMru8Iz%2BEY62hbkYd%0D%0AJk0qukDs0c3bAU7d8BSMxZhqTxA%2BboAL7ZJNRWox%2Fspou9krIdNSRdvaWSSNrOal%0D%0AOF0CxrwZ4CpaKPeq2njGeydjWeublHfzd9Om7XVtsEM6UPNeHA%2FTQReoVNnnlGUF%0D%0Ai6yaWqyQ5lh3r5sY8ms%2FZfw%2F9atBtRBqSqwcsuf1J0iNb7kVuMa%2FFyxHWGg09qK9%0D%0A3XIwPgVy6MXIOXfvy65i2G2biTNiOFcRBV7ZXPjEKTctyZiWj7EyndTfhPiKnmoa%0D%0AgQKAven8%2FaBeVfM6GEA%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrRvbBZtGW%0D%0An3T20UjqKjpQTyjNvFY%2FpRGNbqSvMXJhDW%2Bn2nc430%2B%2FWgcT%2BRbP6JSVM2dJRJ%2Fi%0D%0AJKm3l8IoPe2vsXES8VuHL5D5iVUjT4pc9ivDFLTjhwS4wQp7pnGFFzB3DeXadgsX%0D%0AwmanbyR117du1fGSv6JuI3adescGgCco6z0%2FOX5JwArkdPj0W3QCIPvc9RxlLzK9%0D%0ADskI7CF%2FuLvSS2oq4hNaQ%2BgmNAoWpfPWs%2F2%2FTCIXSG5YneeDcoSO8tI%2FGw39Ptns%0D%0Avyi9C70Xj0k6SbRwGb9mafRk452%2Fkr8Izvm%2FCNHecxdSdmm%2BoLB2GRrejokI0KOE%0D%0Ajd5N9kmtHQftAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAJ3o%0D%0A9r1lkFPSLLbirk%2Fkph5AK4g3kwnFOuHb2Ppqd12VdoolFbVK3b3EHjiEhGuwPYTl%0D%0AdWRgux8mj9Qvm3SOJQMNOqruch5dWZqq%2BsCeHACJRx4AJeQ3FYVYYn%2BsuBd485JI%0D%0ASZd%2BEOKS42%2FnpwfHF%2BEshtQ8RP%2FpyDHQp0YTEGFZc0xM8askt7DaPaFX02DSZZkm%0D%0AtSTKpAU60O1ph17dTLOm0lHXRkgXSWuyitmsj86erqU97A2rDLeS4EKiaGcG0n48%0D%0AYa4gKgBeFLp3%2BdOOkKHRUn39RWxNAR4CmSWlvy3ryRuXrQ6MphpRr2U%2BLfYrKbBP%0D%0A0Pug%2FGbNGOolifdxkQs%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzxCeK%2B0qp%0D%0A%2F5NWiGKSu5FnVN0UYV0oabRned7ygyJkk672CwdlK5UflK4F09H6LS6Bya%2Fyn9Fk%0D%0AVSg6Mbj6yXUL9ezG%2BVig%2BgpjA6F0OyqL9yyELLNhC504BGk3HHbDxmXYDO0BUpKg%0D%0AtasLV9K4w7nPVre6st7T80Kz8JVQwayJktMptHXc%2BsGkLYZf3uE8yi%2F9WS1jnZhS%0D%0A%2FmIE1JadIoOoS26xyVS8h07po5rF6KKMIBzXQKWqJfoFe8WleThNHtkb5Wwk5kGr%0D%0AX%2BVIkmt0YSID8DkeIvaiUr99rr91owmT4puHArcswc7dIAGl%2Fj0JvktoP2iRCGjX%0D%0AVEKNurAzbl6dAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAHKJ%0D%0A2n2fIhVoSbH6%2BsE5Lru6W1Qs7Ct5J5zi39B28B37bUl0GiH268RbuAGYCgZy5j51%0D%0ApPl4T6qZUgJWoXplePWXJucCrag3F%2FomHfqp3UvceHu3GvylNM3BRaRbSi4iL%2Fxy%0D%0AXQDGYBKHZ1oSVuZX42k%2FD3mvaYIRANrZxglDuD5%2B4PPfUgpKvH8mWimuxk3ZotRj%0D%0ARZOzKGcP6yAH%2FLU6cOIYK1J3BwouzroIAS3HSk3DMmC%2BrK%2B5EL5P3R3ckYmalODl%0D%0Ax7RgYkk5P9bZoSLsYCgYmRj8PuZEoOHMeavX9vuVUZsnkFXFUqBDNS%2FrlTW7II%2BB%0D%0AFzUyGMqCi9Z1YNeCC1M%3D&somekey=MIICSjCCATIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe0ywPjPrY%0D%0ATCPYsyTLZGb2PRlMAptwvBHxWIpPaEZqK7IFwpjYUOnrGOAhHV9ard8lXqKQ%2BFgL%0D%0AsJx1%2BJMZVdq3tL5I4lJ%2F5jyxJeaesxWhdBe%2F%2Bra6Nzq9Gi5W12BL2hvF1%2F0DCWXd%0D%0ATh38NnOtOo46FzkKIMB%2FF%2FH%2FlfzfiKgDqFA%2BJwCxZp%2FJR%2BsJ79l4BOXpyj80PFZI%0D%0AEqsVYtO0lJBUihuATh1mD1DdOizpvXK2b1o%2BYYpFEtpHYrd6MrBu9onglJq6LxoW%0D%0AU8JUoQt%2BE7vWN1p72pIHyEPKw56Ol4OtEUvCs1rKcwBFuOVX0zz2HIxmKR8Er8Zm%0D%0AV36L2cdXAq2nAgMBAAEWCjExMjU5ODMwMjEwDQYJKoZIhvcNAQEEBQADggEBAHEn%0D%0AE%2FfhLrxKAqqjHtZVdIJxgpNVyFGxhy%2FToO0yBFqcigj4kQh7oq6lDWbgNyCX8dym%0D%0AGUmUO0oEFAIQu4nH0JlazSDKxOF8gLGpOpWbbQYZTBuKMmWMIfUf1CkMkIqgf2IW%0D%0AU2Ll2EIQHHduGDfBf3n2PdJpXodgATLqcHt3cT9m4izFafUrKZhyp%2B78X%2FmRghYk%0D%0A813XfAWJVTuGNFMhb8bsJjGVxTkhfG4Xz7z58UPiPloQheHRRv837hwsG%2FRYGRY3%0D%0AlKMxslVCi1o9GuWb6Wn6hmhTOzMtbSCgTTRSNkNR7BfK6WahfYUyvbIYWjdb5GWu%0D%0AW%2BvN%2ByCy3Ce6crcF640%3D&SubmitButton=Done
So NoScript is definitely helping, though I'm not sure why?


dslreports: 2nd vulnerability in Firefox 3.0.10: KEYGEN tag

TZO says, "POC relies on javascript.. see the document.form there ?".
Now what does this "document.form" mean & how is that JavaScript related?

Re: Firefox vulnerability keygen tag VS NoScript

Posted: Fri May 29, 2009 4:11 pm
by Giorgio Maone
therube wrote:Where are the scripts, I don't see any? (At least not at http://secdev.zoller.lu/ff_dos_keygen.html)

Code: Select all

onload="document.forms[0].submit()"
It's JavaScript, and it means that as soon as the page loads, the first form in the page gets submitted automatically.
NoScript prevents this script from running and therefore the form from being automatically allowed in a loop (otherwise, as soon as it's submitted, it gets loaded again and resubmitted).

Re: Firefox vulnerability keygen tag VS NoScript

Posted: Thu Feb 18, 2010 10:23 am
by mik33mik
Related bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=546308
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited