From: "Julian H. Stacey"
To: Carsten Mattner
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD vs Hurd what is the differences?
Date: Tue, 10 Jul 2012 00:25:10 +0200
Message-Id: <201207092225.q69MPBDu047281@fire.js.berklix.net>
In-reply-to: Your message "Fri, 06 Jul 2012 14:47:43 +0200."
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany

Hi,

Carsten Mattner wrote:
> On Fri, Jul 6, 2012 at 2:42 AM, Julian H. Stacey wrote:
> > Hi,
> > Reference:
> >> From: Carsten Mattner
> >> Date: Fri, 6 Jul 2012 00:28:32 +0200
> >> Message-id:
> >
> > Carsten Mattner wrote:
> >> On Thu, Jul 5, 2012 at 4:39 PM, Wojciech Puchar
> >> wrote:
> >> >>> As for reading anything else than internal firefox data it is not
> >> >>> possible
> >> >>> except very basic bug is there.
> >> >>
> >> >>
> >> >> Yes otherwise all the flash sites would have gathered files from local
> >> >> disks.
> >> >
> >> >
> >> > true. javascript activity is sandboxed. But within that sandbox there are
> >> > million bugs.
> >> >
> >> > i've already seen trojans that completely took control over firefox.
> >> > But - in spite it was windoze - ONLY firefox. Everything else was fine.
> >> >
> >> > Deleting firefox user data removed the trojan.
> >>
> >> Nothing is impossible at that complexity.
> >>
> >> I'd still like to know what Julian saw as you didn't see that.
> >> Did it really contain a script which made it fetch random files from the
> >> local disk?
> >
> > I don't know.
> > I wrote how I obtained the data pattern I saw, in my:
>
> Fair enough :).
>
> >> Message-id: <201207050936.q659aWCI016222@fire.js.berklix.net>
> >> Date: Thu, 05 Jul 2012 11:36:32 +0200
> >
> > Others very welcome to try it.
>
> Of course.
>
> >> Julian?
> >
> >> Which Firefox version?
> >
> > Mozilla/5.0 (X11; FreeBSD amd64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
>
> I don't want to be that guy who says it but that version is old and
> may contain widely known holes.

Good point. (Till now I just built ports in current when odd ports
from RELEASE broke. That's too simplistic, Thanks.)

> >> I am a little concerned.
> >
> > Me too !
> > Not had time to pursue it though.
> > & I don't feel like exporting that data public
> > in case it's already gone too far.
>
> You don't have to export it at all.
> Can you confirm the data within is the same as say the same
> file in /etc or ~/.ssh? If that's really the case, it's a problem.

No I happily can not confirm that, despite a quick-ish look.
(I wouldn't particularly expect it, if a trojan took control, it
would be pretty easy to store data [hidden or scrambled] in different
format.)

The string I saw was in file jquery.js:

  /^(?:color|date|datetime|datetime-local|email|hidden|month|number|password|range|search|tel|text|time|url|week)$/i,bJ=/^(?:about|app|app\-storage

Some machines have more valuable data in user files, than /etc/
passwords. If 'only' /etc/*passwd got harvested, but data beyond
did not yet get harvested, waiting for a 2nd pass with trojan,
damage would be less.

> > I suggest others create a dummy guest account & then access URL & do
> > page save as I wrote.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/