Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilites

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilites
From: Seth Fogie <seth@xxxxxxxxxxxxxx>
Date: Thu, 02 Aug 2007 13:52:26 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.12 (Windows/20070509)

Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox2.0.0.6 Product:

Minimo <=.2 and Firefox 2.0.0.6

http://airscanner.com/security/07080103_minimo.2.htm

Platform:

Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox2.0.0.6 Windows XP SP2


Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com

01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile)and 08/02/2007 for Firefox 2.0.0.6


Risk Level:
High - Disclosure of sensitive information

Program Summary:
From the website: http://www.mozilla.org/projects/minimo/

Minimo uses Mozilla Technologies to produce a highly usable web browserfor advanced mobile devices. Features include:

* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support

Vulnerability Details:

Minimo includes a password manager feature that allows users to storeuser/password information of sites they visit. There are two ways thisfeature can be abused. First, the action of any form can be changeddynamically via JavaScript, which could be introduced into a site via across-site scripting (XSS)bug. Second, the form fields can beautomatically filled in without user interaction. As a result, a XSS bugcould allow an attacker to inject an invisible form into a victimsbrowser that could collect the user/pass without any interaction orvisible indication.

Note: The Password Manager bug is often misunderstood for how it work.The reason is that there are numerous subtle variations on how theusername and password show up. The following highlights some of these:

1. If there is only one username stored in the password manager for thespecific, it will automatically show up in the username field. If thereis more than one username stored in the Password Manager, a user wouldnormally type in or select the specific username for the site, whichthen allows Minimo/Firefox to fill in the password. As a result, anattacker would have to know the username to successfully grab thecredentials.

2. If the password field is named 'password' and there is only oneusername associated with the site, the Password Manager willautomatically fill in both the user and password. This particularversion was noticed byhttp://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml.

Similar Firefox bugs has been known about since mid-2006; however,https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates theseare supposedly resolved.


The details and vulnerable status of Minimo .2 and below is new.

Proof of Concept

The following webpage provides a link to two pages. The login.php pageis just a sample form that you can enter a user/pass into. Enter andsave some sample info and then click on the second poc.htm link. Thiswill open a page with a script inside that dynamically creates a framedenvironment, one of which is essentially hidden (note: usingstyle:hidden will not work). In the hidden frame, the login.php page isloaded, the action is changed, and the user/pass are tickled into theform fields. You should see two popups - one with the changed formaction, and the other with the stored user & pass variables.


http://www.airscanner.com/tests/minimo.htm

Workaround:
Don't use password manager.

Vendor Response:
Awaiting Response.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alertelectronically. It may not be edited in any way without the expresswritten consent of Airscanner Corp. If you wish to reprint the whole orany part of this alert in any other medium other than electronically,please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurateat the time of publishing based on currently available information. Useof the information constitutes acceptance for use on an AS IS condition.There are no warranties with regard to this information. Neither theauthor nor the publisher accepts any liability for any direct, indirect,or consequential loss or damage arising from use of, or reliance on,this information.

Prev by Date: RE: Re: Guidance Software response to iSEC report on EnCase
Next by Date: Hunkaray Okul Portali v1.1 (tr) Sql injection Vuln
Previous by thread: rPSA-2007-0153-1 qt-x11-free
Next by thread: Hunkaray Okul Portali v1.1 (tr) Sql injection Vuln
Index(es):
- Date
- Thread