iPhone Key:
18 84 58 A6 D1 50 34 DF E3 86 F2 3B 61 D4 37 74
HD-DVD Processing Key:
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
New AACS Processing Key:
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Any More?
Mozilla marked Bug ID 413250 as ‘RESOLVED FIXED’ on Tuesday. I got a chance to check out the fix today, and found that the fix is inadequate in stopping the attack. Here’s another demo that reads your session store, and like before, uses the Download Statusbar extension.
If you haven’t played with NotchUp.com yet, you should take a look. It seems like a very promising site. I mean come on, who wouldn’t want to get paid to interview for a job? If you think it’s all small companies for small money, it’s not. Facebook and Google are both very active, making offers between $500 and $2,500! No, they didn’t offer me $2,500, but they have to other people.
Check out these links:
http://notchup.com/?q=inbox/offers/view/36
http://notchup.com/?q=inbox/offers/view/37
http://notchup.com/?q=inbox/messages/select/145
NotchUp requires you to sign up and log in. e-Mail me if you need an invite.
For those who didn’t notice, you shouldn’t be able to read those. The folks over at NotchUp must have missed the security section of whatever book they read. They did however make it really easy to write a NotchUp worm. They even created a special field to store and execute your JavaScript in that they called ‘Profile’.
Sorry Sammy, I would rather have 1 million $500 offers than 1 million friends. ;)
I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. Its possible to load any javascript file on a victims machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).
This looks very interesting and may have bigger potential, but for now, its just another information disclosure.
UPDATE:
There seems to be some confusion about what exactly the severity of this vulnerability is. First, this is not a chrome privilege escalation but it worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc).
The demo’s use Download Statusbar but any ‘flat’ extension (not contained in a JAR file) will work (including greasemonkey). If you want to track this bug, the mozilla bug id is 413250 .
If you are using Firefox you need to have NoScript, it has stopped this type of attack since August 2007!
UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181
This was released on Dec. 25th, and I am just getting around to posting it… such a slacker, anyway: http://www.ollydbg.de/version2.html
