Full Disclosure mailing list archives
[Fwd: More on IE URL obfuscation]
From: William Warren <hescominsoon () adelphia net>
Date: Thu, 11 Dec 2003 16:55:19 -0500
-------- Original Message -------- Subject: More on IE URL obfuscation Date: Thu, 11 Dec 2003 13:16:44 -0700 From: xxxxxxxxxxxxxxxxxx(for privacy)Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM Earlier this year I commented on a similar issue (Internet Explorer URL Spoofing Threat: http://www.securityfocus.com/archive/1/323436). The issue I had found was essentially the same except that you actually had to type the URL in the address bar for it to work. Because of that, Microsoft considered it a minor threat. The point I tried to make in my advisory is that although the flaw I found had some limitations, there would eventually be a more serious version of the flaw. And in fact that did happen. I did not disclose details in my original advisory because Microsoft decided not to fix the issue at that time (and still they have not fixed it). Since it has been been seven months since my original advisory and there is now a similar issue, I don't feel it would hurt to now disclose those details, which I will do at the end of this e-mail. But first, as Russ pointed out, the ramifications here are much more serious than everyone thinks, considering the ever-growing and serious threats of phishing attacks. Because web server operators can only do so much to prevent phishing attacks (relying heavily on user education), the burden to limit these attacks very much rests upon the web browser. For example, eBay specifically tells users to check the URL in the browser's address bar to be sure they are logging in using an official login page (see http://pages.ebay.com/help/new/account_protection.html). eBay's anti-spoofing strategy completely relies on the assumption that you can trust the URL in the address bar. But you can't trust the address bar. Even SSL has a limited benefit unless users make a habit of double-clicking on the lock icon every time they visit a site to view and verify the certificate details. And even if the browser brings up a message that the certificate is invalid, how many users know what to do next? How many users will just continue anyway? The real issue here isn't the flaw itself, but the fact that the flaw and therefore the exploit can occur in the first place. How many similar flaws remain hidden in Internet Explorer and other web browsers? Will we continue to play this cat-and-mouse game that we have already played so much in recent years? How long before someone (i.e. Microsoft, Netscape, Opera) seriously looks at the problem, then actually moves a few steps ahead of the hackers? Sure, fix the flaw, but take a step back and figure out how it is that these types of attacks can happen. Its time to find or invent the technology to take us to the next level. The attackers will soon be at the next level, will we have to scramble to catch up? As for the flaw I mentioned earlier, here are the details: In short, if you type (don't click on the link) a URL like this in the address bar: http://aa.com?@www.delta.com The address bar will show http://www.delta.com/ but the web page will be that of American Airlines. This is a simple example, but with some clever encoding it can be quite convincing, especially because everything after the ? looks like it should be a query string. Also, making the URL longer than one line will force the user to copy/paste the URL into the browser window so that it will work properly. Mark Burnett On Thu, 11 Dec 2003 13:29:03 -0500, Russ wrote:
Some additional results... ---- From: "Womack, Michael" Date: Thu, 11 Dec 2003 13:22:14 -0500 A side note raised by the Jakob's (Secunia) demo... While Mozilla (1.5) does not exhibit the same truncation in the address bar, the status bar text displayed while hovering over the link on the Secunia test page *is* truncated at the %00. The status text is convincing enough to encourage a click. ---- Date: Thu, 11 Dec 2003 09:45:41 -0800 From: lance_kujala For what its worth... I tried the test out with Mozilla 1.2.1 (from Redhat9); the %01 shows up in the link as an icon, the address bar shows the FULL url, the status bar (with the mouse over the link) only shows the first part of link (everything before the @). At this point I would assume this affects ALL browsers on ALL operating systems, until proven otherwise. ---- Date: Thu, 11 Dec 2003 17:39:20 -0000 From: "Mark Crouch" First post, please be gentle! I've developed a habit of checking URL's on web pages before I click on them - hovering over some just gives a long string of (mostly) meaningless numbers used as part of a redirect. Right- clicking the URL and selecting "Properties" shows the complete URL which you can highlight, copy and then paste into e.g. Notepad or IE's Address bar, for further analysis Doing the same thing on Secunia's exploit test page yields interesting results; the properties of the "rogue URL" shows www.microsoft.com with a small black square next to it and the file type is also a "COM| file" (the '|' denotes the square!). However, if you use the context menu's "Copy Shortcut" option and paste the results into Notepad or the IE Address Bar, you get the full, unadulterated rogue URL - it's a bit of a manual task but the end justifies the means! ---- Date: Thu, 11 Dec 2003 15:32:14 -0200 From: Andreas Saurwein Seems that Mozilla's FireBird (0.6x and 0.7x) is partially vulnerable too. The link in the test shows up in the status bar as http://www.microsoft.com with a non-regular character attached. The address bar shows it correctly with the encoded %01%00. Cheers, Russ - NTBugtraq Editor ---- NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. Prove to your employer and peers that you have the knowledge and abilities to be an active stakeholder in today's enterprise security. Become TICSA certified www.trusecure.com/ticsa. Promotion expires 12/31/03 and cannot be used in combination with other offers. ----
---- NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. Prove to your employer and peers that you have the knowledge and abilities to be an active stakeholder in today's enterprise security. Become TICSA certified www.trusecure.com/ticsa. Promotion expires 12/31/03 and cannot be used in combination with other offers. ---- -- May God Bless you and everything you touch.My "foundation" verse: Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Fwd: More on IE URL obfuscation] William Warren (Dec 11)