MozillaZine

IDN Spoofing Issue

User Help for Mozilla Firefox
Hendikins

User avatar
 
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

Post Posted February 7th, 2005, 7:46 pm

A Spoofing issue has been found in browsers that support IDN (International Domain Names). This includes Mozilla, Firefox, Konqueror, Safari and Opera.

<strong>Description</strong>
A malicious site author can register a domain with characters that resemble other commonly used characters. The browser will in turn show these in the URL bar, status bar, etc. <a href="http://secunia.com/">Secunia</a> has <a href="http://secunia.com/multiple_browsers_idn_spoofing_test/">a test available</a>.

<strong>Status</strong>
Unfixed, workaround available.

<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>


Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.

<strong>More Information</strong>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279099">Mozilla Bug 279099</a> - <strong>DO NOT COMMENT ON THIS BUG UNLESS YOU PLAN ON FIXING IT</strong>
<a href="http://secunia.com/advisories/14163/">Secunia Advisory</a>
<a href="http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/">Firefox spoofing flaw goes international</a> - The Register

<strong>Related Forum Threads</strong>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215178">Spoofing (IDN) vulnerability temporary solution (works 100%)</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215022">IDN browser exploit</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215171">All Browsers But IE At Risk To New Spoofing Scheme</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=215159">Notice another security issue with firefox</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214906">IDN Issue?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214914">How to set enableIDN to false?</a>
<a href="http://forums.mozillazine.org/viewtopic.php?t=214828">Serious security issue -- phishing vulnerability</a>

Please discuss the issue here, rather than creating dozens of threads about the same subject.

Note: Information gathered from various sources both on and off the forums.
Last edited by Hendikins on February 7th, 2005, 11:02 pm, edited 5 times in total.

Tufriast
 
Posts: 5
Joined: November 3rd, 2004, 12:29 pm
Location: Mckinney, TX

Post Posted February 7th, 2005, 8:14 pm

Easy fix! And to prove it's fixed goto the secunia website and do the "test" they have setup.

The before comes up with the paypal.com spoof window. If you did the above trick right - then it will just say "cannot contact www.paypal.com".

I suppose there is a nightly build in the works to resolve this...
Don't sing it, just bring it.

Guest
Guest
 

Post Posted February 7th, 2005, 9:30 pm

I understand there is a nightly build in the works that should make for a better and
easier workaround. This won't resolve the underlying problem however.

It should have been possible to fix this by just switching off IDS in about:config.
Unfortunately the way this preference was initialised was found to be broken and
the fix didn't persist across restarts. This has been corrected in the nightlies I
believe.

A permanent fix that doesn't just turn off or disable IDS is likely to take longer.
The protocol itself is really at fault and some rethinking may be required.

AnonEmoose
 
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post Posted February 7th, 2005, 10:30 pm

Hendikins wrote:<edit>

<strong>Workaround</strong>
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (<a href="http://www.mozilla.org/products/firefox/releases/1.0.html#profilefolder">Common profile locations</a>).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
[size=10]<pre>
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so</pre>
<edit>

Just bringing the following point some attention....

Isn't compreg.dat re-created anytime you install a new plugin/extension installed ? and wouldn't that overwrite the old file with the commented out line (not sure if FF respects the readonly attribute either, a la cookies.txt)... I haven't tested this as I haven't had the time and as i'm not really all that concerned with the IDN issue (based on my browsing habits)...

iwod
 
Posts: 1012
Joined: July 18th, 2003, 10:09 pm

Post Posted February 7th, 2005, 10:35 pm

Will there ever be an update to fix this? What happen to all thouse who doesn't know much about computer?

AnonEmoose
 
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post Posted February 7th, 2005, 10:42 pm

well i got a chance to test... and unless u make the file readonly the edit will be OVERwritten on new plugin/extension installation. also keeping readonly may prevent your newly installed extension/plugin from registering properly... SO... make sure reedit the file after extension/plugin installation....

Hendikins

User avatar
 
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

Post Posted February 7th, 2005, 11:02 pm

Adding to sticky.

West

User avatar
 
Posts: 12
Joined: February 3rd, 2005, 1:44 am
Location: Amersfoort, Netherlands

Post Posted February 8th, 2005, 1:26 am

Ok, i have a ratger strange situation, I cannot seem to find the folder and file that need to be altered in my Mac Library. Any help, there is only one file a .shlb file. Any help with this?
!AMD Power

Vectorspace
Moderator

User avatar
 
Posts: 14455
Joined: November 27th, 2003, 4:50 am
Location: Warwickshire, UK

Post Posted February 8th, 2005, 2:05 am

The default Mac profile can be in ~/Library/Application Support/Firefox/xxxxxxxx.default/
or ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/
"All things being equal, the simplest answer is usually the correct one" - Occam's Razor
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0

Pike

User avatar
 
Posts: 2293
Joined: August 10th, 2003, 12:12 pm
Location: UK

Post Posted February 8th, 2005, 2:14 am

Another alternative is to grab a 1.0.1 tinderbox build where network.enableIDN works correctly (I've only confirmed it on the Windows build though):

ftp://ftp.mozilla.org/pub/mozilla.org/f ... ox-builds/

Windows = sweetlou-aviary1.0.1
Linux = madcow-aviary1.0.1
MacOS = imola-aviary1.0.1

n00tz
Guest
 

Post Posted February 8th, 2005, 2:39 am

there's a simple fix for those that wish to take care of it before an official patch/fix comes out.</p>

go to the about:config page and disable network.enableIDN (set to FALSE).</p>

I went back to the secunia page and it checked out.

Guest
Guest
 

Post Posted February 8th, 2005, 3:01 am

I only found 2 lines that contain IDN in them with the "Find" is this correct also, I use default theme with 4 extensions. Thank You in advance.

Captn

User avatar
 
Posts: 43
Joined: May 18th, 2004, 2:06 pm

Post Posted February 8th, 2005, 3:03 am

Anonymous wrote:I only found 2 lines that contain IDN in them with the "Find" is this correct also, I use default theme with 4 extensions. Thank You in advance.


Sorry this post is mine I was not logged in.

Nalle
Guest
 

Post Posted February 8th, 2005, 3:05 am

@n00tz:
No, it won't!
This is a bug i FireFox that makes your toggeling dissapear again if you close all instances of FireFox and start it again.

FireFox is now just as bad as when you first installed it

</nalle>

G'Dad
Guest
 

Post Posted February 8th, 2005, 4:15 am

In the FWIW catagory, there's this from the AP this morning:
http://apnews1.iwon.com//article/200502 ... UIRO0.html

The last part of which states:
""But Johannes Ullrich, chief technology office with the SANS Institute's Internet Storm Center, said scammers may focus on exploiting other flaws because IE remains dominant.
"Right now the one thing that will likely prevent them from using it is that Internet Explorer users will not be able to see the page at all," he said.""

So hopefully a fix will be in before too long, before "they" catch on.

Return to Firefox Support


Who is online

Users browsing this forum: Google Adsense [Bot] and 21 guests