Full Disclosure mailing list archives

IE 0x01 Byte URL Spoofing Vulnerability [Scriptless PoC Exploit & Additional Details]


From: S G Masood <sgmasood () yahoo com>
Date: Fri, 12 Dec 2003 13:30:02 -0800 (PST)


Hello all,



There is a big misconception about the recent 0x01 URL Spoofing vuln. in several people's minds that scripting is 
necessary for exploitation. However, this is not the case. Instead of using the %01 sequence and unescaping it[1] like 
in all the exploits posted till now, a hex editor can be used to directly embed the 0x01 byte in the URL. I have 
attached a proof of concept exploit to demonstrate this issue.

[1] unescape('http://www.a.com%01@b.com/spoof.htm');


Although the actual vulnerability is very simple, there has been a lot of confusion with people misunderstanding its 
nature, scope and exploitation in spite of the presence of a number of proof of concept exploits. Apart from this, many 
other ideas and exploits have been presented by several people for both mitigation and better exploitation. A few facts 
about this vulnerability are presented below. I hope this clears some of the confusion.

1. This is only possible with the 0x01 byte.
2. SCRIPTING is NOT NECESSARY to exploit this vulnerability. A hex editor can be used to embed the 0x01 byte. See the 
attached exploit.
3. This is not the same as the infamous "http://a@b URL Obfuscation" technique that is mostly used by spammers.
4. If the %01 sequence is used, it is necessary to unescape() it.
5. IMO, this issue is not caused by an anomaly in IE's handling of non-printable characters.
6. According to current information in the public domain, no other browser except IE and dependent SW like Outlook is 
vulnerable to this issue. So this is a Microsoft specific issue.
7. Other techniques like adding a null byte, using onmouseover or onclick, using %09, etc. are used to obfuscate the 
malicious link in the status bar when the mouse is hovered over the link. These are not part of the 0x01 URL Spoofing 
vulnerability and are completely unrelated.
8. It is not necessary to tie the malicious URL to a button.
9. This vulnerability is really critical. Reasons have been discussed in great detail on the lists. Think about the 
ease of exploitation, no scripting required, etc...


Regards,


--
S.G.Masood

Hyderabad,
India.

Attachment: PoC.zip
Description: PoC.zip
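The points above describe two distinct patterns a mail or proxy filter can look for: a 0x01 byte (raw, or as %01 that will be unescaped) sitting in the authority part of a URL before an "@", and the plain "http://a@b" userinfo trick the poster says is unrelated. The following is an added example written for this archive page, not code from the post or its PoC.zip; the function names and the sample links are constructed for illustration. It decodes %-escapes the way unescape() would, pulls out the host a browser would really connect to, and reports which pattern, if any, is present.

```python
"""Defender-side check for 0x01 / userinfo URL spoofing (constructed example)."""
import re
from urllib.parse import unquote

# Constructed sample links in the shapes discussed in the post (not real sites).
SAMPLES = [
    "http://www.a.com%01@b.com/spoof.htm",   # %01 form: only works once unescaped
    "http://www.a.com\x01@b.com/spoof.htm",  # raw 0x01 byte embedded with a hex editor
    "http://user@b.com/login",               # plain userinfo obfuscation, a different issue
    "http://www.a.com/page.htm",             # benign
]

# scheme "://" authority, where authority runs up to the first "/", "?" or "#".
AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


def analyse_url(url):
    """Return the real host, the misleading prefix (if any) and a verdict string."""
    # unquote() turns %01 into "\x01", matching JavaScript's unescape(); a raw
    # "\x01" passes through unchanged, so both forms are handled the same way.
    decoded = unquote(url)
    m = AUTHORITY_RE.match(decoded)
    if not m:
        return {"real_host": None, "displayed_prefix": None,
                "control_bytes": [], "verdict": "not-a-url"}

    authority = m.group(1)
    # Browsers connect to whatever follows the last "@"; everything before it
    # is userinfo and may be crafted to look like a hostname.
    userinfo, sep, hostport = authority.rpartition("@")
    real_host = hostport.split(":")[0].lower()

    control_bytes = sorted({f"0x{ord(c):02x}" for c in authority
                            if ord(c) < 0x20 or ord(c) == 0x7F})

    if sep and "\x01" in userinfo:
        # The text before the 0x01 byte is what a careless reader would take for the host.
        verdict = "ie-0x01-spoof"
        displayed_prefix = userinfo.split("\x01")[0]
    elif sep:
        verdict = "userinfo-obfuscation"
        displayed_prefix = userinfo
    else:
        verdict = "ok"
        displayed_prefix = None

    return {"real_host": real_host, "displayed_prefix": displayed_prefix,
            "control_bytes": control_bytes, "verdict": verdict}


def flagged(urls):
    """Return the subset of urls that should be held or rewritten by a filter."""
    return [u for u in urls if analyse_url(u)["verdict"] != "ok"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", analyse_url(sample))
```

The check is deliberately run on the decoded string so that "%01" and a literal 0x01 byte produce the same result, which is exactly the equivalence the post is pointing out; a filter that only inspected the raw text for "%01" would miss the hex-edited variant.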

