New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
http://www.zapthedingbat.com/security/ex01/vun1.htm
Is pretty compelling (spoofs Microsoft.com):
Click here [ZapTheDingBat.com] to see an example of how it is done...
Opera and Mozilla (at least Firebird) handle it properly :-)
No bug on my box for some reason. It works fine on my version, IE 6.0 on Windows 2000.
In God We Trust, Others We Monitor
Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
The %01 part should come _before_ the @... and no, it is not just as simple as this... the url must also be unescaped..
See Here [DevGuru] if you don't know what 'unescape' means...
(Yes, this means that it will be difficult pulling this one off over i.e. IRC, where special characters don't necessarily show up on other people's terminals)
click on the test button on this page.... it's quite scary.
;)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
I'd recommend Firebird over Mozilla. While I still like Moz a lot I've started using Firebird 98% of the time; it integrates with Windows a bit better, it's faster, and the interface is simpler. And over the last year to year and a half almost every site seems to render correctly with Gecko based browsers, leaving only Windows Update and other ActiveX dependent sites needing IE. IE was a good browser in its day, but MS has let it stagnate pretty much since 4.0. They're going to have to do more than just add pop-up blocking for me to use it with any regularity again.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
Actually, although someone will probably prove me wrong, you couldn't do this with a slashdot link. You have to use the unescape command, and I don't see a way to do that with the allowed HTML.
I'm sure its main 'use' will be HTML e-mails which lead consumers to fake ebay and paypal sites.
Cogito ergo sum in Slashdot.
No it doesn't. The exploit page linked to in the article displays the full URL with Mozilla 1.5 on my Linux system:
http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
This is maybe happening to me. This week, after visiting some adult sites, I noticed that the sponsored links section in google now took up an entire page. There was also a pop-up. ...

I figured that if google was doing crap like that, there would have been something in the news. I ran my virus checker and my spyware cleaners, found a few things, removed them, and then went back to google. The same thing was happening.

It is a clever trick. The page looks exactly like google and, when you choose the other search pages (2 and above), searches work. However, the selection for 1 no longer links to anything. When you go to other googles overseas or use the direct IP address, google works correctly. On other PCs on my network, google works correctly.

The bogus sponsored links are either to 216.221.138.95 or to something called searchassistant.net. The pop-up that comes up is linked to epsilon.searchassistant.net. Linking to searchassistant.net brings up a page claiming to be under construction and offering a link to uninstall searchassistant spyware. I haven't tried that because I have work stuff to do on this PC and don't have time to reinstall Windows or something if that blasts me with more crud.

I dug around through the registry and the C drive and found several odd keys and files referring to google and searchassistant. I removed all I could find without any effect. I'm not an expert so I must have missed stuff. There is also a strange application that keeps appearing on my C drive called msdos.exe. It is not DOS and always restores when I remove it.

These people are scum and should be abused and sanctioned. It is one thing to hit people with popups and another to present fake web-sites. Also, I never allowed anything to download and I know I didn't make a mistake. I'm not THAT much of a newbie. These people are basically virus writers. Also, if you are adult site surfing, never ever go to p***y.com. This is the site that infected my PC with this searchassistant crap.

As I said, I'm not an expert, basically a normal user with enough know-how to be dangerous. If anything I wrote is obvious or stupid, then I apologize.
Even if it's hidden in the address bar, you can do File > Properties to see the full URL.
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol
http://www.zdnet.com@slashdot.org
No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @ symbol or anything after it. Thus:
http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html
will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:
http://www.yahoo.com
Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.
There is no sig, there is only Zuul.
Actually, I think Finuvir was referring to the general use of '@' in a URL, rather than the use of unescaped %01.
Seems like a damn fine idea to me. If all browsers already had this functionality, it would have prevented this from happening.
You're correct.
I even tried various combinations, including a javascript: in the href tag and it did not work -
<a href="javascript:location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm')">test</a>
Not as bad as it could be. At least not yet.
Grr...no link....let's try again.
webpagesthatsuck.com's demo of this exploit
The probability that someone is watching you is directly proportional to the stupidity of your actions.
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either an ASCII 1 or an ASCII 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Your credit card information wants to be free.
- Win IE 6.0
- Mac IE 1.5
- Win Mozilla 1.4.1
- Mac Mozilla 1.4
The only one affected was Win IE. If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
- First they ignore you, then they laugh at you, then ???, then profit.
Yes, things like FTP logins rely on that. URLs are subsets of URIs which have a lot more useful things.
For example, if you need to go to a FTP site that has a login, you can type in your address bar:
ftp://user:pass@ftp.mysite.com
That will automatically log you in with your user name and password. You could also do just:
user@ftp.mysite.com
And it will prompt you for your password
Random Musings
I don't have Mozilla 1.5 on my machine here, but 1.3 is vulnerable to a "%00" before the "@" also. However, Mozilla is not -as- vulnerable as IE.
IE displays href="http://www.yahoo.com%00@www.hotmail.com" as www.yahoo.com when it is actually a link to www.hotmail.com in the status bar at the bottom of the browser, and it also shows that link as one to "http://www.yahoo.com" when you view the properties of the link. Unfortunately I can't demonstrate this in this post as I intended, as Slashdot removes everything before the www.hotmail.com.
Mozilla 1.3 also shows the link as being to www.yahoo.com although it is actually to www.hotmail.com, although Mozilla 1.3 DOES correctly show the link properties as "http://www.yahoo.com%00@www.hotmail.com".
Consequently, Mozilla also needs to fix their browser, although only in one of the two ways that IE needs to fix their browser.
> Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
First step to be the 'most clueful geek':
Don't use IE.
main(char O){O++&&(((O-291)*O+27788)*O-868020?1:putchar(O++
Like it would be so hard for a group with dubious credentials to acquire a cert. Browsers don't prompt usually so long as the cert is up to date, and from an official cert authority.
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Of note, you will get a security warning above because "paypal.com" does not match "my name is green"
az@blizzle
Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.
It's covered in RFC 1738. Look for section 3.1 Common Internet Scheme Syntax.
Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.
Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.
So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing thing is a completely unintended consequence of that.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
These are 2 distinct and different bugs.
"%00" will hide the link in the tooltip and the status bar on both Mozilla and IE. Although Mozilla will correctly display the entire link in the link properties where IE only displays up to the "%00" here also.
"%01" will not hide the link in the tooltip or the status bar in either Mozilla or IE, but it will make the location bar only show up to the "%01" in IE after you click on the link.
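The RFC 1738 userinfo rule explained a few posts up and the two display bugs described in this post, as an added example that is not from the thread or from any browser's code. It parses the authority the way the standard defines it, models the "stop at the first %00/%01 byte" display behaviour the thread reports for IE (an assumption, simplified from the posts), and flags URLs whose userinfo would read as a different site; the sample URLs are the thread's own.

```python
from urllib.parse import urlsplit, unquote

# The two URL-encoded control bytes the thread reports: %00 (NUL) and %01 (SOH).
CONTROL_BYTES = {"\x00", "\x01"}


def split_authority(url):
    """Split a URL per RFC 1738 section 3.1:
    <scheme>://<user>:<password>@<host>:<port>/<url-path>
    Everything before the last '@' of the authority is userinfo, never the host.
    Returns (userinfo or None, host) with the host lower-cased."""
    netloc = urlsplit(url).netloc
    userinfo, sep, hostport = netloc.rpartition("@")
    host = hostport.split(":", 1)[0].lower()
    return (userinfo if sep else None), host


def truncated_display(url):
    """Model of the broken address-bar rendering described in the thread
    (assumption: the bar was drawn as a C string, so it stopped at the first
    NUL/SOH byte). Returns what a user would have seen for the authority."""
    netloc = unquote(urlsplit(url).netloc)
    for i, ch in enumerate(netloc):
        if ch in CONTROL_BYTES:
            return netloc[:i]
    return netloc


def is_spoofed_userinfo(url):
    """Defender's check for a mail filter or proxy log scan: flag a URL whose
    userinfo contains control bytes or itself looks like a hostname, i.e. a
    human would read it as a different site than the one actually contacted.
    The dot heuristic is deliberately conservative; legitimate HTTP-auth
    usernames rarely contain dots, but tune it for your own environment."""
    userinfo, _host = split_authority(url)
    if userinfo is None:
        return False
    decoded = unquote(userinfo)
    has_control = any(ch in CONTROL_BYTES for ch in decoded)
    username = decoded.split(":", 1)[0]
    looks_like_host = "." in username
    return has_control or looks_like_host
```

`split_authority` always yields the host the browser will connect to, so comparing it against what `truncated_display` shows is exactly the mismatch the thread's screenshots describe.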
Someone using a workstation at an office or computer lab doesn't usually have control over which applications they can use. Not only are installations, etc. restricted, but even if they weren't, it wouldn't be very intelligent to install new software every single time you want to spend 2 minutes on the web, considering the difference isn't huge over small periods of time (tabbed browsing is great, but you can surf the web without it).
G
I work for a bank in their internet division. We list 'supported' browsers, but don't make any recommendations. Why? Because we don't want our telephone representatives providing tech support for our 5 million customers. We tried recommending Netscape about 4 or 5 years ago... "NEVER AGAIN" is our mantra.
Yes, it sucks. But we're a business and we can't lead technology change. Just be thankful we don't use .asp, Active X, or flash on our site. :)
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
That it doesn't fool the security zones in IE. If you have a site in your "Trusted Sites" zone, and you try to spoof that site using the mentioned vulnerability, the Address Bar shows false, but the Zone is not fooled. Thank heavens for small miracles.
Wherever you go, there I am...
> I've been recommending to all my friends and family to start using Mozilla
> and that's it.
Actually, I have just tested this on Mozilla Firebird 0.7. Partially it is also vulnerable. Once you click on the link you will see the complete fake URL (in case of their test http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/) but in the status bar I only could see http://www.microsoft.com<some_unreadable_character>