I typed this up last night but forgot to post it:

Before I start this thread - I can't reproduce this on any Firefox instance I have access to, so I'm asking for help from people with Firefox handy for testing purposes. I'm in the middle of a really complicated architectural assessment and I randomly ran across some strange behavior in Firefox when looking at the way it parses certain URL structures. At first it looks like it's not interesting, just odd, but then I figured out a way to potentially use it to spoof referrer checks in very specific situations. First let me describe the behavior.

When I go to a URL like this: http://foo:bar@bank.com/ it will send the user credentials "foo" and "bar" to the bank. Firefox has long ago decided this is dangerous behavior. So first it will do a request to the URL as you click on it to decide if it needs basic auth or not. If not, it will pop up a warning that the site may be trying to trick the consumer. This was a common trick used by phishers a few years back. Okay, fair enough. But what if I just put the @ symbol there? Does it send anything?

Let's try something like http://@bank.com/. Well at first it looks like nothing happened. It just removed the @ symbol and took you to bank.com. No warning, no nothing. Same host headers. So it looks like it worked fine. But if you actually watch the referrers being sent to the images linked to the page you get to see some of the weirdest behavior I've ever encountered in a browser. Here's what the header will look like:

http://ank.com/

No, I didn't mis-type, it actually removes the first character. Okay, but what practical application could this possibly have? At first I couldn't think of anything until I started thinking about the way people surf the Internet. A lot of people type in things like "http://bank.com/" instead of "http://www.bank.com/" out of laziness/efficiency. Lots of webservers are configured to work on both domains too. There's also a situation where people write (in my opinion very sloppy) anti-CSRF code that looks for referrers of any of their sub-domains. The code would look something like this (psuedo-code):

if (($ENV{HTTP_REFERER} =~ /^http:\/\/[a-z0-9\-\.]*\.bank.com\//) or
($ENV{HTTP_REFERER} =~ /^http:\/\/bank.com\//)) {
//do something sensitive
}

If you look at the URL and look at what's possible it opens new avenues for potential referrer spoofing in Firefox. So I would simply need to register something like xbank.com and set up a URL for Firefox users to click on or be iframed like so:

http://@xbank.com/

I know what you're saying, "Wrong domain, idiot. And no referrer yet anyway!" Yes yes, but the index page of xbank.com then points to the anti-CSRF script on bank.com. That script then gets the wrong referrer (that of bank.com instead of xbank.com). Yup, pretty convoluted, but it would work in Firefox! I doubt this will find much actual use in reality, but there you have it. Just another browser oddity that could lead to exploitation. Granted I was unable to get this working anywhere else, but it was tested on Firefox 2.0.0.11 with a mess load of extentions. Can anyone re-create this?

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/30/2008 01:12PM by rsnake.

I was able to reproduce it with firefox 2.0.0.11 (many extensions installed), but not with firefox 3 beta 2 (no extensions installed).

276.331.422.841 - - [30/Jan/2008:12:10:49 -0800] "GET /templates/siteground25/css/template_css.css HTTP/1.1" 200 8043 "http://ww.netomix.com/" "Moz
illa/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

obviously I put in http://@www.netomix.com

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Weird... okay, so what plugins do we all have? Here's mine on the only machine I could produce it on:

Adblockplus (Easylist subscription)
Auto Copy
Chrome list
CustomizeGoogle (lots of customizations to remove the ads for the one time a month I visit Google)
Download Statusbar
Flashblock
Greasemonkey (and a few scripts, but it's disabled)
JSView
LocalRodeo (disabled)
NoScript (tested another machine with the exact same settings so I feel this one is unlikely)
QuickJava (Java turned off and JS turned on)
SafeHistory (disabled)
SwitchProxy Tool
Torbutton (turned off)
Web Developer (no special settings enabled)

- RSnake
Gotta love it. http://ha.ckers.org

My settings presently are:
Adblock Plus (highly customized list of sites)
Add N Edit Cookies
Chatzilla
Chrome List
CookieCuller
DOM Inspector
Firebug
Flashblock (turned off)
FoxyProxy (turned off)
Google Gears
Google Toolbar for Firefox (turned off)
Greasemonkey (turned off)
IE Tab
NoScript (turned off)
QuickJava
SwitchProxy Tool
TamperData
Torbutton
User Agent Switcher
VideoDownloader
Web Developer
XPath Checker


The bold ones are the ones we both have installed



Edited 1 time(s). Last edit at 01/31/2008 11:44AM by thornmaker.

DOM Inspector
Download Status Bar
Google Toolbar
Talkback

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

I don't think it's related to extensions. I can reproduce with firefox 2.0.0.11 with no plugins installed (I created a new profile).

[31/Jan/2008:20:37:22 -0700] "GET /wpress/wp-content/themes/chinared-10/images/kubrickfooter.jpg HTTP/1.1" 304 - "http://42.us/" 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

[edit] I tried this with a couple of other linux instances and was able to reproduce this in both cases. the firefox 1.5.0.7 linux install has just a one extension (DOM Inspector), the 2.0.0.11 linux install has only the two defaults (DOM Inspector and Talkback).

 [31/Jan/2008:20:46:11 -0700] "GET /wpress/wp-content/themes/chinared-10/images/kubrickfooter.jpg HTTP/1.1" 200 3662 "http://42.us/" 
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20061013 Firefox/1.5.0.7" 

[31/Jan/2008:20:48:55 -0700] "GET /wpress/wp-content/themes/chinared-10/images/kubrickheader.jpg HTTP/1.1" 200 14902 "http://42.us/" 
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

What's your setup where it *doesn't* reproduce?


[edit 2] So you can whack more than 1 letter at a time too. If I enter into my url bar: http://:foo@p42.us/ then it my log file picks up:

[31/Jan/2008:21:07:06 -0700] "GET /wpress/wp-content/themes/chinared-10/images/kubrickfooter.jpg HTTP/1.1" 304 - "http://s/" 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

Edited 3 time(s). Last edit at 01/31/2008 10:11PM by thornmaker.

Looks like a recursion issue:
http://lxr.mozilla.org/mozilla1.8.0/source/netwerk/base/src/nsURLParsers.cpp#497

wild guess though.

In any case: we now have a big problem:

hxxps://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com

which can be used to trick Firefox users to authenticate ssl on a rogue host.

look mom! it has ssl it's zecure!



Edited 1 time(s). Last edit at 02/02/2008 12:31PM by Ronald.

@thornmaker - I tried three different machines with three different setups and all three failed to give me the result, so I'm really unsure of why one would work and the others wouldn't. I tried to make them exactly the same. Maybe it's something else? I wish I could reproduce this.

@Ronald - I'm not sure what that last comment meant - I get the normal warning message that I'm getting tricked into sending credentials to another site.

- RSnake
Gotta love it. http://ha.ckers.org

That's actually pretty interesting, and I can reproduce it as well by visiting http://:foo@p42.us/ and seeing firefox send http://s/

Have you tried simply disabling or uninstalling extensions until you get it working, or as thornmaker did creating a new profile?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

@RSnake

try E-gold that one allows wildcards:

hxxps://www.gmail.com%C0%AF%C0%AF%C0%C0%80@foo.e-gold.com

It first fetches the certificate form e-gold which it should never do, I can see multiple ways in exploiting this issue.

Another issue: we can also abuse domain name guessing:

www.gmail.com%C0%AF%C0%AF%C0%C0%80@hotmail

which lands on hotmail, or any other service.

Which it should, because hotmail is the host. The part before the '@' sign is the optional user:pass info.

@Ronald: the e-gold example still alerts me that this may be a user name trick (along with a ssl domain name mismatch warning). the hotmail example however worked without any alerts

@all: could the web server be responsible for some can reproduce but others cannot? I tested http://:foo@p42.us/ with apache 1.3.34 and 2.0.54 and both got the referer wrong. It looks like rsnake and ronald are both running apache2 so I'm guessing no... but i'm puzzled as to what else it could be.

@thornmaker:
It's probably not the web server, seeing as I see Firefox _sending_ the wrong referer, rather than Apache just recording the wrong referer.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

@dveditz

great, why does opera give me a warning (even without .com), while firefox doesn't? that puzzled me.

@thornmaker

yeah that is true, but it first fetches the certificates, which might cause issues. There are a couple of certificate mis-match browser issues in the past that allow different hosts to impersonate real hosts. --While this is hard to test since most browsers aren't vulnerable to it anymore-- I figured it might come in handy if it returns as such. Again, why doesn't Firefox warns me first while fetching the cert, it only warns me after it, and that doesnt seem to be proper behaviour, but again I might be wrong on this one.

Okay, bizarre - now I can't reproduce it at all... Gah! This is really frustrating. I have no idea what I changed (I don't think I changed anything). The only thing I can think of is that I switched ISPs, but I can't see how that would make any difference. Still no difference in every other machine that I have access to. None of them appear to be able to see the issue.

- RSnake
Gotta love it. http://ha.ckers.org

I setup a live log viewer/grepper that filters for one of the embedded images on the homepage of my site, h++p://p42.us/. You can access the log file at h++p://p42.us/kubrick.txt . I'll leave it up for a few days. So if you visit h++p://:foo@p42.us/ (Ctrl-R it if needed), then the log file should have a new entry.

And in case you're wondering, the log file only displays the referer and the requested page, nothing else.

[edit] For the record, it doesn't work for me when the link is clicked from an href, I have enter the URL into my URL bar, click enter, and then ctrl-r load the page to avoid caching.



Edited 1 time(s). Last edit at 02/05/2008 12:34PM by thornmaker.

Still didn't work for me on the same box that it used to work on. So weird!

- RSnake
Gotta love it. http://ha.ckers.org