Log in

No account? Create an account

Previous Entry | Next Entry


I just found out about this.  Sorry, folks, but as much as I love Open Source, Mozilla is blowing it big time, and I have to speak.

There is a security exploit in ALL Mozilla based browsers.  Firefox, Sea Monkey, Mozilla, all of them.  No patch exists for it, even though it has already been used to take down IRC channels.  For you Linux users, it is easy to fix.  Other browsers like Konqueror, Safari, Opera, and (yes) Internet Exploder aren't affected.

It is called the Firefox XPS IRC Attack.  It has been exploited by a trolling group from Slashdot calling itself the GNAA (Gay Nigger Association of America) to crash Freenode for over a month.  It is a simple port exploit.  Mozilla closed most of the ones that could cause the most mischief, except for one -- 6667, the default port for IRC servers.  A simple Java script (read that:  cross-platform, no OS is safe) embedded in a web link fills out a HTTP form and sends it as a POST to port 6667 and floods it with a bunch of IRC commands.  This can be used against anything, given how many protocols don't bother with cookied handshakes to connect.  This is intended to make web browsers work seamlessly with other Internet applications.  But it had never been tried in the wild before.  In other words, it's a whole new world to conquer, and this was just the first strike.

But fret not, my faithful Linux brethren.  Blocking this attack from hitting you AND any servers you are running is simplicity itself.  Use iptables u32 to ignore the TCP and IP headers of the packet, and match the first 4 bytes of the packet against "POST".  This is the command that does it:

-m u32 --u32 0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354 -m recent --set --name lastmeasure --rsource -j DROP

That's it. Literally. At least three IRC servers who got hit dropped this command into their iptables configuration and the attacks stopped instantly.  Efnet figured this out in about an hour.  Buttesnet, which has approximately one network admin, figured it out in four hours.  OFTC figured it out -- took them about a day, but they did.  They just used tcpdump and blocked it from the IP tables.  Freenode couldn't do this -- they instead upgraded the servers, and promptly got nailed again as soon as they came up.

Oh, for good measure, make a rule that will make any subsequent traffic refresh the drop entry.  Like so:

-m recent --update --seconds 86400 --name lastmeasure --rsource -j DROP

With that out of the way -- MOZILLA?!?  What the fuck is your problem?!?  You are the darlings of Open Source thanks to Firefox!  You are giving us a bad name!  I use Firefox and have yet to see an update for this!

Open source is about finding problems and fixing them.  You have ignored this at your own risk.  Things will only get worse if you don't figure out what to do now.  Lots of your users don't know about IP tables and that.  They rely on dedicated coders and engineers to protect them.  You are letting them down.  You are acting as bad as M$ does.  Get this fixed.

Latest Month

June 2019


Powered by LiveJournal.com