Permanent Fix for the Shmoo Group exploit
It's been mentioned in the news and over at Boing Boing that there is an exploit common to non-Internet Explorer browsers. Fixes have been posted for Firefox but they don't work. Below, I describe how to get your browser patched.
Exploit demo:
Go to http://www.shmoo.com/idn/
When you click on the link to paypal on that page it will give you a bogus result.
And if you try the link to the ssl paypal site it will even appear as if Firefox is in a secure site! You get the yellow address bar and the lock and everything. Pure evil.
Don't worry, this is only a demo.
About the exploit:
Basically this exploit takes advantage of a poor implementation of the International Domain Name specification. It doesn't work in IE because IE doesn't support that specification yet.
You can read more about Shmoo and what they know about homograph attacks here. If you look at that site and the Boing Boing site I linked to above, you'll find that they both contain information about how to patch Firefox. The trouble is, while the fix appears to work, once you close your browser and open it again, the patch no longer takes effect. Even if you go back and look at about:config you'll notice network.enableIDN is still marked 'False'. But if you try the exploit again you'll see it still works.
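As an added defender-side example (not from the original post or the Shmoo demo), the following Python 3 script decodes punycode hostnames to the form the address bar would display and flags labels that mix scripts, or that collapse onto a watched name once a small constructed table of Cyrillic/Latin lookalikes is applied. The watchlist and confusables table are assumptions, and xn--pypal-4ve.com is the ACE form of "paypal" with a Cyrillic "а" in place of the first "a".

```python
import unicodedata

# Constructed table of Cyrillic letters whose glyphs match Latin ones in
# common fonts (a small subset of the Unicode confusables data, not complete).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_unicode(host: str) -> str:
    """Decode ACE ('xn--') labels to the Unicode form a browser would display."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        # Already Unicode (or malformed ACE): normalise case only.
        return host.lower()


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Replace known lookalikes so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyze(host: str, watchlist=("paypal.com",)) -> dict:
    """Report what the host looks like and whether it impersonates a watched name.

    Mixed-script labels catch the Shmoo-style case (one swapped letter); the
    skeleton comparison also catches labels written entirely in another script.
    """
    shown = to_unicode(host)
    labels = shown.split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    looks_like = [w for w in watchlist if skeleton(shown) == w and shown != w]
    return {"displayed": shown, "mixed_script_labels": mixed, "impersonates": looks_like}


if __name__ == "__main__":
    # Constructed sample hosts: a real name, the Cyrillic-a lookalike, a benign IDN.
    for h in ("paypal.com", "xn--pypal-4ve.com", "xn--bcher-kva.de"):
        print(h, "->", analyze(h))
```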
A little hack
Before we start, I should emphasize that while this patch worked for me on 2 Windows XP machines I can't guarantee it will work for you. The patch involves simply changing a text file, so make sure you back it up beforehand.
Here we go... Open compreg.dat in your Firefox profile directory and find this line:
@mozilla.org/network/idn-service;1,{62b778a6-bce3-456b-8c31-2865fbb68c91}
You are going to change the 1 to a 0 so the line reads:
@mozilla.org/network/idn-service;0,{62b778a6-bce3-456b-8c31-2865fbb68c91}
UPDATE 2/8/05 8:02 AM PST
In the comments reader lionfire mentions that this fix isn't quite permanent because compreg.dat gets updated when you install an extension. I have just confirmed this. I'm looking further into how to make this permanent. Stay tuned!
UPDATE 2/8/05 9:53 PM PST
Mozillazine has a 'sticky' post at the top of their forum about this topic here. Currently their workarounds are the same as what I posted here.
FYI: someone in the comments here asked about Mac, and from the thread on Mozillazine I saw that the default Mac profile can be in ~/Library/Application Support/Firefox/xxxxxxxx.default/ or ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/
UPDATE 2/9/05 8:38 AM PST
I've written another blog entry containing a great work around using AdBlock. Much simpler than all of the above. Read it here.
[Category: firefox]
This entry was posted on Monday, February 07, 2005 at 9:25 PM.

6 Comments:
Using Firefox 1.0.6 I have edited the about:config file network.enableIDN and set it to false and also successfully edited the compreg.dat file. After having restarted the browser several times and rebooted the machine over the course of the last 24 hours (and having downloaded an extension upgrade) here's what I saw. The network.enableIDN setting did not change, still user set to false.
Upon checking the compreg.dat file I saw that the 0 had been reset to 1. I reset it to 0 and checked the properties of the file to find they were set to archive. Before saving the re-edited file I reset the file properties to read-only. I'll let you all know what happens in the next 24 hours.
The Desert Fox
By Anonymous, at 8:33 PM
The AdBlock filter is nice if you're planning on IDN spoofing attacks using ONLY URLs with characters outside the normal ASCII range. Overseas domains use special non-ASCII characters that render the AdBlock scheme a partial fix at best. FYI.
By Anonymous, at 9:18 PM
network.enableIDN Boolean Determines whether to use IDN (International Domain Name) support (http://www.mozilla.org/projects/intl/idn_mozilla.html) in the browser
True (default): Enable IDN support
False: Opposite of the above
Note: In Firefox 1.0, this preference did not "stick" (see bug 261934 (https://bugzilla.mozilla.org/show_bug.cgi?id=261934)). Fixed in 1.0.1.
Upgrade your browser.
By Anonymous, at 8:03 AM
It is strange, but I think I don't have the same problem as you - if I change just about:config, it works all the time, even after restarting Firefox.
By Anonymous, at 4:34 AM
Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:
network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests
Alter the entries as follows:
Set "network.http.pipelining" to "true"
Set "network.http.proxy.pipelining" to "true"
Set "network.http.pipelining.maxrequests" to some number like 30. This means it will make 30 requests at once.
Lastly, right-click anywhere and select New -> Integer. Name it "nglayout.initialpaint.delay" and set its value to "0". This value is the amount of time the browser waits before it acts on information it receives. If you're using a broadband connection you'll load pages MUCH faster now!
By Anonymous, at 9:02 AM
Hi... I am not a Shmoo, at least not yet. First I'd heard of you guys/gals. However, I heard Firefox/Moz. was hacked and they can even get into Macs now, though I have a PC.
Am looking for the patch if there is one. Disabling the Shmoo thingy seems moot for me since I am not a member of that club.
Pls advise, obviously a non-tech in Gainesville, FL
By Anonymous, at 1:11 PM