New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
http://www.zapthedingbat.com/security/ex01/vun1.htm
Is pretty compelling (spoofs Microsoft.com):
Click here [ZapTheDingBat.com] to see an example of how it is done...
Opera and Mozilla (at least Firebird) handle it properly :-)
No bug on my box for some reason. It works fine on my version of IE 6.0 on Windows 2000.
In God We Trust, Others We Monitor
Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
The %01 part should come _before_ the @... and no, it is not just as simple as this... the URL must also be unescaped..
See Here [DevGuru] if you don't know what 'unescape' means...
(Yes, this means that it will be difficult pulling this one off over i.e. IRC, where special characters don't necessarily show up on other people's terminals)
click on the test button on this page.... it's quite scary.
;)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
I'd recommend Firebird over Mozilla. While I still like Moz a lot I've started using Firebird 98% of the time; it integrates with Windows a bit better, it's faster, and the interface is simpler. And over the last year to year and a half almost every site seems to render correctly with Gecko based browsers, leaving only Windows Update and other ActiveX dependent sites needing IE. IE was a good browser in its day, but MS has let it stagnate pretty much since 4.0. They're going to have to do more than just add pop-up blocking for me to use it with any regularity again.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
Actually, although someone will probably prove me wrong, you couldn't do this with a slashdot link. You have to use the unescape command, and I don't see a way to do that with the allowed HTML.
I'm sure its main 'use' will be HTML e-mails which lead consumers to fake eBay and PayPal sites.
Cogito ergo sum in Slashdot.
No it doesn't. The exploit page linked to in the article displays the full URL with Mozilla 1.5 on my Linux system:
http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
Even if it's hidden in the address bar, you can do File > Properties to see the full URL.
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol:
http://www.zdnet.com@slashdot.org
No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:
http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html
will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:
http://www.yahoo.com
Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.
There is no sig, there is only Zuul.
Actually, I think Finuvir was referring to the general use of '@' in a URL, rather than the use of unescaped %01.
Seems like a damn fine idea to me. If all browsers already had this functionality, It would have prevented this from happening.
You're correct.
I even tried various combinations, including a javascript: in the href tag and it did not work -
<a href="javascript:location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm')">test</a>
Not as bad as it could be. At least not yet.
Grr...no link....let's try again.
webpagesthatsuck.com's demo of this exploit
The probability that someone is watching you is directly proportional to the stupidity of your actions.
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either an ASCII 1 or an ASCII 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org@goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Your credit card information wants to be free.
- Win IE 6.0
- Mac IE 1.5
- Win Mozilla 1.4.1
- Mac Mozilla 1.4
The only one affected was Win IE. If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
- First they ignore you, then they laugh at you, then ???, then profit.
Yes, things like FTP logins rely on that. URLs are a subset of URIs, which have a lot more useful things.
For example, if you need to go to an FTP site that has a login, you can type in your address bar:
ftp://user:pass@ftp.mysite.com
That will automatically log you in with your user name and password. You could also do just:
user@ftp.mysite.com
And it will prompt you for your password.
Random Musings
Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
First step to be the 'most clueful geek':
Don't use IE.
main(char O){O++&&(((O-291)*O+27788)*O-868020?1:putchar(O++
Like it would be so hard for a group with dubious credentials to acquire a cert. Browsers don't prompt usually so long as the cert is up to date, and from an official cert authority.
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.
It's covered in RFC 1738. Look for section 3.1 Common Internet Scheme Syntax.
Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.
Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.
So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing thing is a completely unintended consequence of that.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
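The RFC 1738 userinfo syntax described in the post above, together with the %00/%01 trick discussed earlier in the thread, as an added example that is not from the thread or any poster: a small parser that recovers the host a URL really points at and flags userinfo that carries a control character or is shaped like a hostname. The hostname heuristic (`_HOSTLIKE`) and the function names are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# RFC 1738 section 3.1 common internet scheme syntax:
#   <scheme>://<user>:<password>@<host>:<port>/<url-path>
# The userinfo part is optional; only <host> decides where the request goes.
_RFC1738 = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:@/?#]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<path>[/?#].*)?$"
)

# Assumed heuristic (not from the thread): a user name that looks like a
# dotted hostname is the bait pattern used by "www.yahoo.com%01@..." links.
_HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def analyze_url(url):
    """Parse `url` per RFC 1738 and report the real host plus spoofing signals.

    Returns None for URLs that do not fit the common internet scheme syntax.
    """
    m = _RFC1738.match(url)
    if m is None:
        return None
    user = m.group("user")
    reasons = []
    if user is not None:
        decoded = unquote(user)
        # %00 (NUL) and %01 (SOH) decode to C0 control characters; neither
        # belongs in a legitimate user name.
        if any(ord(c) < 0x20 for c in decoded):
            reasons.append("control character in userinfo")
        visible = "".join(c for c in decoded if ord(c) >= 0x20)
        if _HOSTLIKE.match(visible):
            reasons.append("userinfo looks like a hostname")
    return {"host": m.group("host").lower(), "user": user,
            "suspicious": bool(reasons), "reasons": reasons}


def truncated_display(url):
    """Text an address bar would show if it stopped rendering at the first
    %00/%01, i.e. the IE 6 behaviour described in the thread."""
    return re.split(r"%0[01]", url, maxsplit=1)[0]


if __name__ == "__main__":
    for u in ("http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html",
              "http://www.zdnet.com@slashdot.org", "ftp://user:pass@ftp.mysite.com"):
        print(truncated_display(u), "->", analyze_url(u))
```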
These are 2 distinct and different bugs.
"%00" will hide the link in the tooltip and the status bar on both Mozilla and IE. Although Mozilla will correctly display the entire link in the link properties where IE only displays up to the "%00" here also.
"%01" will not hide the link in the tooltip or the status bar in either Mozilla or IE, but it will make the location bar only show up to the "%01" in IE after you click on the link.
Someone using a workstation at an office or computer lab doesn't usually have control over which applications they can use. Not only are installations, etc. restricted, but even if they weren't, it wouldn't be very intelligent to install new software every single time you want to spend 2 minutes on the web, considering the difference isn't huge over small periods of time (tabbed browsing is great, but you can surf the web without it).
G
I work for a bank in their internet division. We list 'supported' browsers, but don't make any recommendations. Why? Because we don't want our telephone representatives providing tech support for our 5 million customers. We tried recommending Netscape about 4 or 5 years ago... "NEVER AGAIN" is our mantra.
Yes, it sucks. But we're a business and we can't lead technology change. Just be thankful we don't use .asp, Active X, or flash on our site. :)
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
That it doesn't fool the security zones in IE. If you have a site in your "Trusted Sites" zone, and you try to spoof that site using the mentioned vulnerability, the Address Bar shows false, but the Zone is not fooled. Thank heavens for small miracles.
Wherever you go, there I am...