Full Disclosure mailing list archives
Re: FFSpy, a firefox malware PoC
From: Shell Code <technobuster () gmail com>
Date: Tue, 26 May 2009 20:38:55 +0530
I would appreciate if you post replies to the list instead of sending it only to me. My comments inline.

On Tue, May 26, 2009 at 5:10 PM, saphex <saphex () gmail com> wrote:
>> I fail to understand what is new or interesting in this POC. If a person with malicious intent gains so much access to a system that he can put his files or firefox plugins, modify existing files, etc
>
> If you gain access to a system with the user that isn't administrator (at least under systems that enforce user *differentiation*, read any Linux flavour and Vista), you only have access to the users folder, you can't install anything (especially under Linux). I guess this is meant to be an alternative way of getting the job done.
This is not true. You can carry out attacks of the same severity by gaining access to a Linux or Windows system as a user that isn't the administrator. Here are a few examples:

1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so that it sends user's personal content (data, files, commands executed, etc.) from the system to a remote server.
2. Put a malicious executable file or script in the user's home directory and execute it from start up scripts (.bashrc, .bash_profile, etc.) so that the malicious executable file executes whenever the user logs in. Now this malicious file can send user's personal content to a remote server.
3. Modify or put plugins for other software to malicious stuff. Similar to point 1.
4. Override PATH settings, aliases, put scripts, etc. so that when the 'ls' now executes 'rm' or some other malicious command so that user ends up executing commands he did not intend to.
5. ... and much more ...
>> From the POC it seems that somehow the attacker has to gain physical access to the system or do some social engineering attack to fool the user in installing or modifying his existing plugins. The PoC does not explain how this is done.
>
> Do you know the download and execute payload for exploits? Make an application that changes the files, then use that payload in some exploit. People just want everything done. Just click, download, use, and call themselves l33ts.
How is it any different from the attack scenarios I have explained in case of vim, emacs, KDE, GNOME, Linux shell, etc.?
> Maybe this is nothing new, but I think that the way to do it is new. Because you don't install anything, and the point to be proven here is that Firefox add-on system is security flawed from the very beginning.
So, are you saying vim, emacs and the plugin system of every other software on the earth is security flawed from the very beginning?
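
A defender-side check for the startup-file changes named in points 2 and 4 of the message above (PATH overrides and aliases or functions that shadow common commands), added here as an example that is not part of the original post. The command list, the system directory list, the rule names and the sample `.bashrc` text are assumptions constructed for illustration.

```python
import re
import shlex

# Illustrative lists (assumptions, tune per environment).
CORE = {"ls", "cd", "rm", "cat", "sudo", "su", "ssh", "scp", "passwd", "gpg"}
SYSTEM_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}

ALIAS_RE = re.compile(r"^alias\s+([\w.-]+)=(.*)$")
FUNC_RE = re.compile(r"^(?:function\s+)?([\w.-]+)\s*\(\)")
PATH_RE = re.compile(r"^(?:export\s+)?PATH=(.*)$")

def alias_target(value):
    """First word of an alias body with shell quoting removed ('' if unparsable)."""
    try:
        return shlex.split(value)[0].split()[0]
    except (ValueError, IndexError):
        return ""

def audit_startup_text(text):
    """Return (line_number, rule) findings for the text of one startup file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := ALIAS_RE.match(line)) and m.group(1) in CORE:
            name, target = m.group(1), alias_target(m.group(2))
            # alias ls='ls --color=auto' is routine; alias ls='rm ...' is not.
            if target != name and target not in {f"{d}/{name}" for d in SYSTEM_DIRS}:
                findings.append((no, "alias-shadows-command"))
        elif (m := FUNC_RE.match(line)) and m.group(1) in CORE:
            findings.append((no, "function-shadows-command"))
        elif m := PATH_RE.match(line):
            for entry in m.group(1).strip("\"'").split(":"):
                if entry in ("$PATH", "${PATH}"):
                    break  # entries after $PATH cannot shadow system commands
                if entry not in SYSTEM_DIRS:
                    findings.append((no, "path-prepend"))
                    break
    return findings

# Constructed sample, not taken from any real system.
SAMPLE_BASHRC = """\
alias ls='ls --color=auto'
export PATH="$HOME/.cache/.bin:$PATH"
alias sudo='/tmp/.x/sudo'
ssh() { command ssh "$@"; }
PATH=$PATH:/opt/tools/bin
"""
print(audit_startup_text(SAMPLE_BASHRC))
```

Findings are items to review, not verdicts: prepending a personal `bin` directory to PATH is common and will be reported alongside genuinely unwanted entries.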