[Fwd: More on IE URL obfuscation]

[William Warren <hescominsoon () adelphia net>]

-------- Original Message --------
Subject:        More on IE URL obfuscation
Date:   Thu, 11 Dec 2003 13:16:44 -0700
From:   xxxxxxxxxxxxxxxxxx(for privacy)
Reply-To: 	Windows NTBugtraq Mailing List 
<NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
To:     NTBUGTRAQ () LISTSERV NTBUGTRAQ COM



Earlier this year I commented on a similar issue (Internet Explorer
URL Spoofing Threat: http://www.securityfocus.com/archive/1/323436).
The issue I had found was essentially the same except that you
actually had to type the URL in the address bar for it to work.
Because of that, Microsoft considered it a minor threat. The point I
tried to make in my advisory is that although the flaw I found had
some limitations, there would eventually be a more serious version of
the flaw. And in fact that did happen.

I did not disclose details in my original advisory because Microsoft
decided not to fix the issue at that time (and still they have not
fixed it). Since it has been been seven months since my original
advisory and there is now a similar issue, I don't feel it would hurt
to now disclose those details, which I will do at the end of this
e-mail.

But first, as Russ pointed out, the ramifications here are much more
serious than everyone thinks, considering the ever-growing and serious
threats of phishing attacks. Because web server operators can only do
so much to prevent phishing attacks (relying heavily on user
education), the burden to limit these attacks very much rests upon the
web browser. For example, eBay specifically tells users to check the
URL in the browser's address bar to be sure they are logging in using
an official login page (see
http://pages.ebay.com/help/new/account_protection.html).
eBay's anti-spoofing strategy completely relies on the assumption
that you can trust the URL in the address bar.

But you can't trust the address bar.

Even SSL has a limited benefit unless users make a habit of
double-clicking on the lock icon every time they visit a site to view
and verify the certificate details. And even if the browser brings up
a message that the certificate is invalid, how many users know what to
do next? How many users will just continue anyway?

The real issue here isn't the flaw itself, but the fact that the flaw
and therefore the exploit can occur in the first place. How many
similar flaws remain hidden in Internet Explorer and other web
browsers? Will we continue to play this cat-and-mouse game that we
have already played so much in recent years? How long before someone
(i.e. Microsoft, Netscape, Opera) seriously looks at the problem, then
actually moves a few steps ahead of the hackers?

Sure, fix the flaw, but take a step back and figure out how it is that
these types of attacks can happen. Its time to find or invent the
technology to take us to the next level. The attackers will soon be at
the next level, will we have to scramble to catch up?

As for the flaw I mentioned earlier, here are the details:

In short, if you type (don't click on the link) a URL like this in the
address bar:
http://aa.com?@www.delta.com

The address bar will show http://www.delta.com/ but the web page will
be that of American Airlines. This is a simple example, but with some
clever encoding it can be quite convincing, especially because
everything after the ? looks like it should be a query string. Also,
making the URL longer than one line will force the user to copy/paste
the URL into the browser window so that it will work properly.


Mark Burnett






On Thu, 11 Dec 2003 13:29:03 -0500, Russ wrote:
> Some additional results...
>
>
> ----
> From: "Womack, Michael"
> Date: Thu, 11 Dec 2003 13:22:14 -0500
>
>
> A side note raised by the Jakob's (Secunia) demo...
>
>
> While Mozilla (1.5) does not exhibit the same truncation in the
> address bar, the status bar text displayed while hovering over the
> link on the Secunia test page *is* truncated at the %00.  The
> status text is convincing enough to encourage a click.
> ----
>
>
> Date: Thu, 11 Dec 2003 09:45:41 -0800
> From: lance_kujala
>
>
> For what its worth...
>
>
> I tried the test out with Mozilla 1.2.1 (from Redhat9); the %01
> shows up in the link as an icon, the address bar shows the FULL
> url, the status bar (with the mouse over the link) only shows the
> first part of link (everything before the @).
>
>
> At this point I would assume this affects ALL browsers on ALL
> operating systems, until proven otherwise.
> ----
>
>
> Date:  Thu, 11 Dec 2003 17:39:20 -0000
> From: "Mark Crouch"
>
>
> First post, please be gentle!
>
>
> I've developed a habit of checking URL's on web pages before I
> click on them - hovering over some just gives a long string of
> (mostly) meaningless numbers used as part of a redirect.  Right-
> clicking the URL and selecting "Properties" shows the complete URL
> which you can highlight, copy and then paste into e.g. Notepad or
> IE's Address bar, for further analysis
>
>
> Doing the same thing on Secunia's exploit test page yields
> interesting results; the properties of the "rogue URL" shows
> www.microsoft.com with a small black square next to it and the file
> type is also a "COM| file" (the '|' denotes the square!).  However,
> if you use the context menu's "Copy Shortcut" option and paste the
> results into Notepad or the IE Address Bar, you get the full,
> unadulterated rogue URL - it's a bit of a manual task but the end
> justifies the means!
> ----
>
>
> Date: Thu, 11 Dec 2003 15:32:14 -0200
> From: Andreas Saurwein
>
>
> Seems that Mozilla's FireBird (0.6x and 0.7x) is partially
> vulnerable too. The link in the test shows up in the status bar as
> http://www.microsoft.com with a non-regular character attached. The
> address bar shows it correctly with the encoded %01%00.
>
>
> Cheers,
> Russ - NTBugtraq Editor
>
>
> ----
> NTBugtraq subscribers save $103.00 off the TICSA exam by using
> promo code "NT1003" when registering to take the TICSA exam at
> www.2test.com. Prove to your employer and peers that you have the
> knowledge and abilities to be an active stakeholder in today's
> enterprise security. Become TICSA certified
> www.trusecure.com/ticsa.  Promotion expires 12/31/03 and cannot be
> used in combination with other offers.
>
> ----

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.

----



--
May God Bless you and everything you touch.

My "foundation" verse: 
Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html