Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilites
Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox
2.0.0.6 Product:
Minimo <=.2 and Firefox 2.0.0.6
http://airscanner.com/security/07080103_minimo.2.htm
Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox
2.0.0.6 Windows XP SP2
Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP
Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile)
and 08/02/2007 for Firefox 2.0.0.6
Risk Level:
High - Disclosure of sensitive information
Program Summary:
From the website: http://www.mozilla.org/projects/minimo/
Minimo uses Mozilla Technologies to produce a highly usable web browser
for advanced mobile devices. Features include:
* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support
Vulnerability Details:
Minimo includes a password manager feature that allows users to store
user/password information of sites they visit. There are two ways this
feature can be abused. First, the action of any form can be changed
dynamically via JavaScript, which could be introduced into a site via a
cross-site scripting (XSS)bug. Second, the form fields can be
automatically filled in without user interaction. As a result, a XSS bug
could allow an attacker to inject an invisible form into a victims
browser that could collect the user/pass without any interaction or
visible indication.
Note: The Password Manager bug is often misunderstood for how it work.
The reason is that there are numerous subtle variations on how the
username and password show up. The following highlights some of these:
1. If there is only one username stored in the password manager for the
specific, it will automatically show up in the username field. If there
is more than one username stored in the Password Manager, a user would
normally type in or select the specific username for the site, which
then allows Minimo/Firefox to fill in the password. As a result, an
attacker would have to know the username to successfully grab the
credentials.
2. If the password field is named 'password' and there is only one
username associated with the site, the Password Manager will
automatically fill in both the user and password. This particular
version was noticed by
http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml.
Similar Firefox bugs has been known about since mid-2006; however,
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these
are supposedly resolved.
The details and vulnerable status of Minimo .2 and below is new.
Proof of Concept
The following webpage provides a link to two pages. The login.php page
is just a sample form that you can enter a user/pass into. Enter and
save some sample info and then click on the second poc.htm link. This
will open a page with a script inside that dynamically creates a framed
environment, one of which is essentially hidden (note: using
style:hidden will not work). In the hidden frame, the login.php page is
loaded, the action is changed, and the user/pass are tickled into the
form fields. You should see two popups - one with the changed form
action, and the other with the stored user & pass variables.
http://www.airscanner.com/tests/minimo.htm
Workaround:
Don't use password manager.
Vendor Response:
Awaiting Response.
Copyright (c) 2007 Airscanner Corp.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Airscanner Corp. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically,
please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use on an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.