LinuxQuestions.org
Old 07-04-2019, 05:14 PM   #1
Slackware_fan_Fred
Member
 
Registered: Oct 2018
Distribution: Slackware64-14.2 Multilib
Posts: 99

Rep: Reputation: 31
Firefox is unsafe?


This was suggested to me by Chrome for Android. Thanks, Google. Why Mozilla has NEVER fixed it is beyond comprehension. It is a 17-year-old bug.
https://securityaffairs.co/wordpress...ata-theft.html
 
Old 07-04-2019, 05:33 PM   #2
greencedar
Member
 
Registered: Sep 2018
Location: Missouri / Taiwan
Distribution: Ubuntu 18.04 Bionic Beaver & Linux Mint 19.1 Tessa
Posts: 462
Blog Entries: 1

Rep: Reputation: 28
The author of the article stated:

Quote:
The expert also shared details of its PoC and a video PoC of the attack. Tawily explained how an attacker can easily steal secret SSH keys of Linux victims if they save downloaded files in the user-directory that includes SSH keys in its subfolder.
Very interesting article.
 
Old 07-04-2019, 06:00 PM   #3
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,494

Rep: Reputation: 1789
Quote:
Originally Posted by Slackware_fan_Fred View Post
Why Mozilla has NEVER fixed it is beyond comprehension.
Looks like the concern was compatibility, https://bugzilla.mozilla.org/show_bug.cgi?id=803143#c7:

Quote:
Originally Posted by Boris Zbarsky, in 2012
Chrome has a very restrictive file:// security policy: every single file is a different origin. This unfortunately breaks a lot of use cases (e.g. HTML documentation).

We have a security policy where a file can only access things in the same directory or subdirectories. This works fine as long as you don't dump unrelated things in the same directory...
https://bugzilla.mozilla.org/show_bug.cgi?id=803143#c28

Quote:
Originally Posted by Daniel Veditz, in 2019
The current file:/// behavior was an intentional choice that at the time was much stricter than the primordial status quo. The world has moved on and webkit/chrome has shown we can get away with strict unique origins now (bug 1500453).
 
1 members found this post helpful.
Old 07-04-2019, 06:51 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,465

Rep: Reputation: 1160
To me it reads that if a Firefox user does several consecutive unwise actions, they might be vulnerable...

Still, the dissemination of information about the issue is appreciated.
 
1 members found this post helpful.
Old 07-04-2019, 08:25 PM   #5
Slackware_fan_Fred
Member
 
Registered: Oct 2018
Distribution: Slackware64-14.2 Multilib
Posts: 99

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by scasey View Post
To me it reads that if a Firefox user does several consecutive unwise actions, they might be vulnerable...

Still, the dissemination of information about the issue is appreciated.
That's what I picked up, but according to the article it could happen without the user doing anything wrong.

-- An attacker could successfully carry out the attack by tricking victims into downloading and opening a malicious HTML file on the Firefox web browser and into clicking on a fake button to trigger the exploit.

“Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, as soon as they click the button place carefully on the malicious HTML page.” continues The Hacker News
 
Old 07-04-2019, 08:30 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,218
Blog Entries: 25

Rep: Reputation: 4335
Quote:
An attacker could successfully carry out the attack by tricking victims into downloading and opening a malicious HTML file on the Firefox web browser and into clicking on a fake button to trigger the exploit.
I would think that the browser is an independent variable in a situation such as this. If a phish is going to take the bait, any hook will do.

There is no good defense against stupid.
 
Old 07-04-2019, 08:33 PM   #7
Slackware_fan_Fred
Member
 
Registered: Oct 2018
Distribution: Slackware64-14.2 Multilib
Posts: 99

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by frankbell View Post
I would think that the browser is an independent variable in a situation such as this. If a phish is going to take the bait, any hook will do.

There is no good defense against stupid.
Yes, but this: “Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims,”

From what it sounds like to me, "secretly" means it is not visible to a user.
 
Old 07-05-2019, 06:17 AM   #8
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,494

Rep: Reputation: 1789
Quote:
Originally Posted by Slackware_fan_Fred View Post
That's what I picked up, but according to the article it could happen without the user doing anything wrong.

-- An attacker could successfully carry out the attack by tricking victims into downloading and opening a malicious HTML file on the Firefox web browser and into clicking on a fake button to trigger the exploit.

“Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, as soon as they click the button place carefully on the malicious HTML page.” continues The Hacker News
"Anything wrong" is a bit ambiguous and up for debate. You could say what they did wrong is to download the malicious HTML page in the first place. But you could also argue they couldn't have known it was malicious, and downloading an HTML page is not wrong.
 
Old 07-05-2019, 08:13 AM   #9
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,333

Rep: Reputation: 362
I was just curious so I tried it. Put any HTML file in your home directory, and inside it put for example <iframe src=".ssh/known_hosts"></iframe>. Both Firefox and Google Chrome showed my file when I opened it in the browser. So it's not only Firefox.

They both deny .. in the path. For this attack to work, I have to move the file from the Downloads directory to my home directory.

I understand files are used in a lot of cases, like documentation. So denying files and subdirectories would break a lot of things.

But couldn't they deny all files/folders with a . prefix or something?
 
1 members found this post helpful.
Old 07-05-2019, 11:13 AM   #10
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,465

Rep: Reputation: 1160
Points taken about the possibility that the malicious html file might be downloaded "in secret" -- but I'm going to stick with the opinion that putting a downloaded file in your home directory is, in fact, unwise.

Again, we wouldn't have known that is unwise without this discussion.
 
Old 07-05-2019, 08:13 PM   #11
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,494

Rep: Reputation: 1789
Quote:
Originally Posted by Guttorm View Post
I was just curious so I tried it. Put any HTML file in your home directory, and inside it put for example <iframe src=".ssh/known_hosts"></iframe>. Both Firefox and Google Chrome showed my file when I opened it in the browser. So it's not only Firefox.
I think the problem is not so much about showing the file to you, but allowing JavaScript code to influence the display and/or read the data.
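
Added example (not part of any post in this thread, and not browser source code): a simplified model of the two file:// policies quoted in post #3 and the dot-prefix rule proposed in post #9, showing which local files each would treat as readable by a page's script. The function names, the user `alice` and all paths are assumptions made up for the illustration.

```javascript
// Simplified model of the file:// policies quoted in this thread (not browser source).
// All paths below are constructed sample values.

// Directory part of a file: URL path, always ending in "/".
function dirOf(fileUrl) {
  const p = new URL(fileUrl).pathname;
  return p.slice(0, p.lastIndexOf("/") + 1);
}

function bothLocal(docUrl, targetUrl) {
  return new URL(docUrl).protocol === "file:" && new URL(targetUrl).protocol === "file:";
}

// Policy described by Boris Zbarsky: same directory or any subdirectory.
// URL parsing has already collapsed ".." segments, so a prefix test suffices.
function directoryPolicyAllows(docUrl, targetUrl) {
  return bothLocal(docUrl, targetUrl) &&
    new URL(targetUrl).pathname.startsWith(dirOf(docUrl));
}

// "Every single file is a different origin": a document may read only itself.
function uniqueOriginPolicyAllows(docUrl, targetUrl) {
  return bothLocal(docUrl, targetUrl) &&
    new URL(docUrl).pathname === new URL(targetUrl).pathname;
}

// Guttorm's suggestion: directory policy, minus any dot-prefixed path segment.
function dotfilePolicyAllows(docUrl, targetUrl) {
  if (!directoryPolicyAllows(docUrl, targetUrl)) return false;
  const rel = new URL(targetUrl).pathname.slice(dirOf(docUrl).length);
  return !rel.split("/").some((seg) => seg.startsWith("."));
}

function compare(docUrl, targetUrl) {
  return {
    directory: directoryPolicyAllows(docUrl, targetUrl),
    uniqueOrigin: uniqueOriginPolicyAllows(docUrl, targetUrl),
    dotfile: dotfilePolicyAllows(docUrl, targetUrl),
  };
}

const HOME = "file:///home/alice/";
const cases = [
  [HOME + "Downloads/page.html", HOME + ".ssh/known_hosts"],
  [HOME + "Downloads/page.html", HOME + "Downloads/../.ssh/known_hosts"],
  [HOME + "page.html", HOME + ".ssh/known_hosts"],
  [HOME + "docs/index.html", HOME + "docs/api/ref.html"],
];
for (const [doc, target] of cases) console.log(doc, "->", target, compare(doc, target));
```

Only the third case, a page saved directly in the home directory, is allowed by the directory policy yet blocked by the other two; the fourth case is the HTML-documentation use that unique origins break. The model covers script access only, not whether an iframe can merely display the file.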
 
Old 07-20-2019, 09:35 AM   #12
Slackware_fan_Fred
Member
 
Registered: Oct 2018
Distribution: Slackware64-14.2 Multilib
Posts: 99

Original Poster
Rep: Reputation: 31
Mozilla finally fixes the bug.
https://latesthackingnews.com/2019/0...of-firefox-68/
 
Old 07-20-2019, 03:50 PM   #13
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,465

Rep: Reputation: 1160
Quote:
Originally Posted by Slackware_fan_Fred View Post
Hmm. Gotta wonder if this thread helped...ver 68 is only a few days old.
 
  

