IDN Spoofing Issue

Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Re: Deactivate IDN problem

Post by Mini-Geek »

Ljauch wrote:it does not look like the sample suggested for the fix of the problem -- line starts with @Mozilla rather than the sample showing { .......}, @ Mozilla
What do us tech illiterates do? #-o

comment out any lines that have "idn" in them

Ljauch wrote:Using wordpad, when I find the file compreg.dat to edit by placing # in front of the line with IDN, the top of the file says "Generated file-do not edit "

you can just not edit it, or you can be protected against a malicious site spoofing the URL, you choose :wink: (I chose the latter)
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
Old RPGM35
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Old RPGM35 »

Couldn't you also delete the line? Or would that cause problems? I'm using the adblock thingy right now.
Pail
Posts: 21
Joined: September 26th, 2003, 3:48 pm

Post by Pail »

I could only find 1 line in compreg.dat and removing it did not fix the problem.
Using Adblock works for me.

WinXP SP2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

cheers, Pail
KevinMillican
Guest

Compreg.dat v. Adblock Regular Expression

Post by KevinMillican »

Gralfus wrote:Any way to make the compreg.dat file keep the changes? As soon as I install an extension, it removes the changes.

Hendikins wrote:Nope. The file is regenerated, and setting it read-only would cause problems with extension installations.


If you use the Adblock method, you don't have this hassle. It is also probably easier to implement for the less-techie user. Are there any disadvantages you can think of ?
GreenAlien
Posts: 31
Joined: June 20th, 2004, 9:51 am
Location: West Mids, UK

Re: Compreg.dat v. Adblock Regular Expression

Post by GreenAlien »

KevinMillican wrote:If you use the Adblock method, you don't have this hassle. It is also probably easier to implement for the less-techie user. Are there any disadvantages you can think of ?


Yes your adblock/regex method of filtering out non-ASCII chars has been working well for me this evening.

I tried playing with some of the advanced Firefox options (about:config), such as network.standard-url.encode-utf8 among others but nothing fixed the vulnerability.

I'm happy with Kevin's workaround until the Firefox crew roll out a security update.

..Ant
../frank
Posts: 316
Joined: November 5th, 2002, 7:22 am
Location: Houston, TX

Re: Compreg.dat v. Adblock Regular Expression

Post by ../frank »

KevinMillican wrote:
Gralfus wrote:Any way to make the compreg.dat file keep the changes? As soon as I install an extension, it removes the changes.

Hendikins wrote:Nope. The file is regenerated, and setting it read-only would cause problems with extension installations.


If you use the Adblock method, you don't have this hassle. It is also probably easier to implement for the less-techie user. Are there any disadvantages you can think of ?

There is a ./components/compreg.dat in the Firefox installation directory. I believe it's the one copied into your profile. You could try making the fix to that.

DISCLAIMER: I haven't tried this, but I would try it if I wanted to install an extension or change themes.
ALWAYS BACK UP CRITICAL FILES BEFORE EDITING THEM.
../frank
My avatar cat, Mr. Gary Gray, passed away on 17 Oct 2013. RIP Gary! :cry:
Gralfus
Posts: 68
Joined: December 10th, 2004, 10:02 am

Post by Gralfus »

I tried it and though the ./components/compreg.dat file remained edited (used notepad so I didn't alter the format of the file), the version in the profiles area is still altered to be enabled after installing an extension. I wonder what controls that setting?
meoffg
Posts: 17
Joined: November 7th, 2004, 3:21 pm
Location: Melbourne

AD Block Fix - Nice and simple

Post by meoffg »

KevinMillican wrote:A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/m ... dows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.


This fix works and is way simple to load.
Spewey
Folder@Home
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post by Spewey »

Quit panicking. There are two things going on here:

1) IDN allows potentially confusing names if a registrar approves but Firefox handles them correctly
2) turning off IDN accidentally got broken in Fx 1.0 and when it gets fixed it won't change #1 but Mozilla seems to be attempting to code some sort of warning mechanism because they want it to work properly for all IDN users yet protect all users from registrars' idiocy

The only reason this is news is because somebody registered xn--paypl-4ve.com

Nothing is about to eat any of your babies. Just relax.
Ken Cooper
Posts: 306
Joined: July 26th, 2004, 4:15 pm
Location: Holland, MI USA

Re: AD Block Fix - Nice and simple

Post by Ken Cooper »

KevinMillican wrote:A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/m ... dows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.


I don't know how you think this works, but don't fool yourself, because it won't.

http://www.paypаl.com/
http://www.payp & # 1072 ; l.com/


Adblock does not prohibit you from clicking on a link - even if you target the " ; " symbol.
My Firefox Info
NOTE: Firefox is spelled “F-i-r-e-f-o-x”; only the first letter capitalized. The preferred abbreviation is “Fx” or “fx”.
GreenAlien
Posts: 31
Joined: June 20th, 2004, 9:51 am
Location: West Mids, UK

Post by GreenAlien »

Ken,

"won't" or "doesn't" ? - Have you actually tried it yourself?

It appears to work fine for me with the test at:
http://secunia.com/multiple_browsers_idn_spoofing_test/

If you have experienced otherwise feel free to post the steps.

..Ant
Ken Cooper
Posts: 306
Joined: July 26th, 2004, 4:15 pm
Location: Holland, MI USA

Post by Ken Cooper »

GreenAlien wrote:Ken,

"won't" or "doesn't" ? - Have you actually tried it yourself?

It appears to work fine for me with the test at:
http://secunia.com/multiple_browsers_idn_spoofing_test/

If you have experienced otherwise feel free to post the steps.

..Ant


Take your pick; either way, that filter is ineffective. I don't have to try it, because of what I stated in my previous post.

The best solution to this IDN vulnerability until a permanent fix is in place, is to actually type the link into your address bar when visiting a financial or personal website.
Old RPGM35
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Old RPGM35 »

Says I'm vulnerable using the adblocklink, yet I can't click the test link :-s
GreenAlien
Posts: 31
Joined: June 20th, 2004, 9:51 am
Location: West Mids, UK

Post by GreenAlien »

RPGMaker35 wrote:Says I'm vulnerable using the adblocklink, yet I can't click the test link :-s


Assuming you've applied the adblock/regex workaround, clicking on any link containing non-ascii chars will do nothing.
KevinMillican
Guest

Re: AD Block Fix - Nice and simple

Post by KevinMillican »

Ken Cooper wrote:I don't know how you think this works, but don't fool yourself, because it won't.

http://www.paypаl.com/
http://www.payp & # 1072 ; l.com/

Adblock does not prohibit you from clicking on a link - even if you target the " ; " symbol.


'& # 1072 ;' in the URL is the unicode character number of 'Cyrillic Small Letter A'. Here's one in the link to the page at the Secunia site - <a href='http://www.paypаl.com'>http://www.paypаl.com</a>

Strictly speaking, this isn't even a spoof; it only looks like a PayPal address because the font character for the 'Cyrillic Small Letter A' looks just like a normal 'a'. What you see is really what you get if your browser requests the 16-bit Unicode URL properly.

The AdBlock method works because when you request the URL, Firefox converts the HTML URL to 16-bit Unicode. At that point AdBlock detects the match against the regular expression (i.e. the URL has a character outside the range ASCII 32 to 255) and prevents you from loading the page. When you click on the link with the AdBlock filter installed, nothing happens at all. However, as I mentioned in my post, you have to tick the AdBlock 'Site Blocking' option for it to work.

If you look at the 'Advanced Options' of Internet Explorer, it appears that the only reason it is not vulnerable to this type of exploit is because there is an option called 'Always send URLs as UTF-8 (requires restart)' that is ticked by default. The URL requested does not get sent as 16-bit Unicode so it can't match the target description, and this is why you get a 'page not found' error.
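
The filter discussed in this thread, run against constructed sample URLs; this is an added JavaScript example and not part of any post. It shows which written forms of a hostname the regular expression matches, and adds a label check on the ASCII (xn--) form that is independent of how the link was written. The sample URLs, the .example host, and the function names are assumptions made for illustration.

```javascript
// The Adblock filter from the thread, as a JavaScript regular expression.
const ADBLOCK_FILTER = /[^\x20-\xFF]/;

// Constructed sample URLs for illustration (the .example host is a placeholder).
const SAMPLES = {
  latin: "http://www.paypal.com/",
  cyrillic: "http://www.payp\u0430l.com/", // U+0430 CYRILLIC SMALL LETTER A
  entity: "http://www.payp&#1072;l.com/",  // HTML source form, entity not decoded
  latin1: "http://www.caf\u00E9.example/", // U+00E9 lies inside \x20-\xFF
};

// True when the filter matches this URL string (Adblock would block it).
function filterBlocks(url) {
  return ADBLOCK_FILTER.test(url);
}

// Hostname in its ASCII-compatible (xn--) form, as produced by the WHATWG
// URL parser built into Node.js and browsers.
function aceHost(url) {
  return new URL(url).hostname;
}

// Defensive check that does not depend on how the URL was written:
// list every label that is an IDN once the host is converted to ASCII.
function idnLabels(url) {
  return aceHost(url).split(".").filter((label) => label.startsWith("xn--"));
}

// Summarise how each sample fares against the filter and the label check.
function report() {
  const rows = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    const parsable = name !== "entity"; // entity form is page source, not a URL
    rows[name] = {
      blockedByFilter: filterBlocks(url),
      idn: parsable ? idnLabels(url).length > 0 : null,
    };
  }
  // The same Cyrillic host written in ASCII form is not matched by the filter,
  // but the label check still reports it as an IDN.
  const ace = "http://" + aceHost(SAMPLES.cyrillic) + "/";
  rows.cyrillicAce = {
    blockedByFilter: filterBlocks(ace),
    idn: idnLabels(ace).length > 0,
  };
  return rows;
}

console.log(report());
```

The filter only sees code units above 0xFF, so it matches the decoded Cyrillic form but not Latin-1 accented hosts, the undecoded entity text, or the xn-- form of the same name.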