Re: state of homograph attacks

[Simon Roberts <thorpflyer () yahoo com>]

FYI, in case anyone hadn't worked it out yet, the
provided demo works against Konqueror 3.2.1 on KDE
3.2.1 on Suse Linux too.

Pasting the given URL into vi doesn't show the
problem, but view page source (which brings up the
page in KWrite) and "od -xc" do expose the attack.

Cheers,
Simon

--- fulldisclosure () cubesearch com wrote:

> The state of homograph attacks
>
> I.    Background
>
> International Domain Name [IDN] support in modern
> browsers allows 
> attackers to spoof domain name URLs + SSL certs.
>
> II.   Description
>
> In December 2001, a paper was released describing
> Homograph attacks [1]. 
> This new attack allows an attacker/phisher to spoof
> the domain/URLs of 
> businesses. At the time this paper was written, no
> browsers had 
> implemented Unicode/UTF8 domain name resolution.
>
> Fast forward to today:  Verisign has championed
> International Domain Names 
> (IDN) [2].  RACES has been replaced with PUNYCODE
> [3].  Every recent 
> gecko/khtml based browser implements IDN (which is
> just about every 
> browser [4] except for IE; plug-in are available
> [5]).
>
> III.  The details
>
> Proof of concept URL:
>
> http://www.shmoo.com/idn/
>
> Clicking on any of the two links in the above
> webpage using anything but 
> IE should result in a spoofed paypal.com webpage.
>
> The links are directed at
> "http://www.p?ypal.com/";, which the 
> browsers punycode handlers render as
> www.xn--pypal-4ve.com.
>
> This is one example URL - - there are now many ways
> to display any domain 
> name on a browser, as there are a huge number of
> codepages/scripts which 
> look very similar to latin charsets.
>
> Phishing attacks are the largest growing class of
> attacks on the internet 
> today.  I find it amusing that one of the large
> early adopters of IDN 
> offer an 'Anti-Phishing Solution' [6].
>
> Finally, as a business trying to protect their
> identity, IDN makes their 
> life very difficult.  It is expected there will be
> many domain name 
> related conflicts related to IDN.
>
> Vulnerable browsers include (but are not limited
> to):
>
> Most mozilla-based browsers (Firefox 1.0, Camino
> .8.5, Mozilla 1.6, etc)
> Safari 1.2.5
> Opera 7.54
> Omniweb 5
>
> Other comment:
>
> There are some inconsistencies with how the browsers
> match the host name 
> with the Common Name (CN) in the SSL cert.  Most
> browsers seem to match 
> the punycode encoded hostname with the CN, yet a few
> (try to) match the 
> raw UTF8 with the CN.  In practice, this makes it
> impossible to provide 
> 'SSL' services effectively, ignoring the fact that
> IE doesn't yet support 
> them.
>
> IV.   Detection
>
> There are a few methods to detect that you are under
> a spoof attack.  One 
> easy method is to cut & paste the url you are
> accessing into notepad or 
> some other tool (under OSX, paste into a terminal
> window) which will allow 
> you to view what character set/pagecode the string
> is in.  You can also 
> view the details of the SSL cert, to see if it's
> using a punycode wrapped 
> version of the domain (starting with the string
> 'xn-'.
>
> V.    Workaround
>
> You can disable IDN support in mozilla products by
> setting 
> 'network.enableIDN' to false.  There is no
> workaround known for Opera or 
> Safari.
>
> VI.   Vendor Responses
>
> Verisign: No response yet.
> Apple:  No response yet.
> Opera:  They believe they have correctly implemented
> IDN, and will not be
> making any changes.
> Mozilla:  Working on finding a good long-term
> solution; provided clear
> workaround for disabling IDN.
>
> VII.  Timeline
>
> 2002 - Original paper published on homograph attacks
> 2002-2005 - Verisign pushes IDN, and browsers start
> adding support for it
> Jan 19, 2005 - Vendors notified of vulnerability
> Feb 6, 2005 - Public disclosure @shmoocon 2005
>
> VIII. Copyright
>
> This paper is copyright 2005, Eric Johanson 
> ericj () shmoo com
>
> Assistance provided by:
> - The Shmoo Group
> - The Ghetto Hackers
>
> Thank you, you know who you are.
>
> References:
>
> [1]
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
> [2]
http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/index.html
> [3] http://mct.verisign-grs.com/index.shtml
> [4]
http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/page_002201.html#01000002
> [5] http://www.idnnow.com/index.jsp
> [6]
http://www.verisign.com/verisign-business-solutions/anti-phishing-solutions/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 
http://info.mail.yahoo.com/mail_250
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html