This is a personal blog. My other stuff: book | home page | Twitter | prepping | CNC robotics | electronics

February 20, 2013

Firefox: HTTPS and response code 407

Today's release of Firefox 19.0 fixes an interesting bug that I reported to the vendor back in October 2012. In essence, an attacker on an untrusted network could first coerce the browser to use a rogue HTTP proxy (this can be done by leveraging the WPAD protocol); wait until the browser attempts to download a HTTPS document from an interesting site through said proxy; and then selectively respond to the appropriate CONNECT request with a plain-text message such as this: HTTP/1.0 407 Boink Proxy-Authenticate: basic Connection: close Content-Type: text/html <html> <h1>Hi, mom!</h1> <script>alert(location.href)</script> [...additional padding follows...] The browser would show the user a cryptic authentication prompt - but hitting ESC or pressing cancel would inevitably result in the proxy-supplied plain-text document being rendered in the same-origin context of the requested HTTPS site. There goes the transport security - so I guess that's an oops?:-)

7 comments:

  1. David Lin-Shung HuangFebruary 20, 2013 12:41 PM

    I wonder if any other 4xx/5xx codes are still vulnerable. (This really shouldn't happen, see Section III.A of a 2009 paper http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf)

    ReplyDelete
  2. kuza55February 20, 2013 12:47 PM

    Huh, is this a regression? I thought someone disclosed this in Firefox a few years ago...

    ReplyDelete
    Replies
    1. Michal ZalewskiFebruary 20, 2013 12:51 PM

      Nah, but it's a corner case missed in back in the day.

      Delete
  3. EriclawFebruary 20, 2013 1:09 PM

    MSR's Shuo Chen found this bug in the HTTP/4xx and HTTP/5xx handling of many browsers back in 2008 or so. It was a cross-browser problem in most major browsers.

    http://research.microsoft.com/apps/pubs/default.aspx?id=79323

    ReplyDelete
    Replies
    1. Michal ZalewskiFebruary 20, 2013 1:48 PM

      Yup, I actually covered that research in TTW. 307 has special handling, I suppose.

      Delete
  4. chmeeeFebruary 21, 2013 3:14 AM

    It is funny that, in Google Reader the html is rendered so you see a big "Hi mom!". The script part is missing and also are the xmp tags. In the Atom feed they appear coded as entities.

    ReplyDelete
  5. Tim EhrhartFebruary 21, 2013 1:33 PM

    Another interesting attack a proxy can do with the 407 response code is to silently grab Windows authentication data from clients. http://tehrhart.blogspot.com/2013/02/proxy-credential-theft.html

    ReplyDelete

Subscribe to: Post Comments (Atom)