Slashdot Mirror


New IE Bug Hides Real Site Address

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

13 of 683 comments

  1. Link to POC test by Anonymous Coward · Score: 5, Informative
  2. A demonstration by karevoll · Score: 4, Informative

    Click here [ZapTheDingBat.com] to see an example of how it is done...

    Opera and Mozilla (at least Firebird) handle it properly :-)

  3. Not a problem in Opera by rbb · Score: 5, Informative
    Why people keep on using Internet Explorer is a mystery to me, as these problems have been solved ages ago in browsers like for example Opera:
    Security warning: you are about to go to an address containing a username:

    username: www.paypal.com
    server: rc6.org

    Are you sure you want to go to this address?
    --
    In God We Trust, Others We Monitor
  4. IE Mac is fine by wolrahnaes · Score: 5, Informative

    Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
    1. Re:IE Mac is fine by Talthane · Score: 4, Informative

      No, the Mac and PC versions of IE have nothing to do with one another beyond a superficial similarity in looks. The Mac version of IE has often been ahead of its bigger brother in terms of standards compliance and suchlike - for example, IE 5.2 does not require the CSS "box model hack" that you have to use to get some sites to render properly in IE 5.5 on Windows. They have a totally different codebase - Microsoft just made use of a name with high brand recognition.

      --
      "This is why men never share their feelings; because women always remember." -Just Shoot Me.
  5. Re:See also by karevoll · Score: 4, Informative

    The %01 part should come _before_ the @... and no, it is not just as simple as this... the URL must also be unescaped...

    See Here [DevGuru] if you don't know what 'unescape' means...

    (Yes, this means that it will be difficult pulling this one off over, e.g., IRC, where special characters don't necessarily show up on other people's terminals)

  6. check here to test your browser by nikster · Score: 5, Informative

    Click on the test button on this page... it's quite scary.

    Of course, you have to use Internet Explorer to see it.

    Internet Explorer is usually found under C:\Program Files\Internet Explorer ;)

  7. Re:Not patching this month...... by leifm · Score: 4, Informative

    I'd recommend Firebird over Mozilla. While I still like Moz a lot, I've started using Firebird 98% of the time: it integrates with Windows a bit better, it's faster, and the interface is simpler. And over the last year to year and a half almost every site seems to render correctly with Gecko-based browsers, leaving only Windows Update and other ActiveX-dependent sites needing IE. IE was a good browser in its day, but MS has let it stagnate pretty much since 4.0. They're going to have to do more than just add pop-up blocking for me to use it with any regularity again.

    --

    "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
  8. Re:This bodes ill by Bobulusman · Score: 4, Informative

    Actually, although someone will probably prove me wrong, you couldn't do this with a Slashdot link. You have to use the unescape command, and I don't see a way to do that with the allowed HTML.

    I'm sure its main 'use' will be HTML e-mails which lead consumers to fake eBay and PayPal sites.

    --
    Cogito ergo sum in Slashdot.
  9. Re:Not patching this month...... by jdreed1024 · Score: 5, Informative
    The problem is that it looks like it affects them all.

    If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

    http://www.zdnet.com@slashdot.org

    No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:

    http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html

    will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:

    http://www.yahoo.com

    Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)

    And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.

    --
    There is no sig, there is only Zuul.
  10. Re:This bodes ill by metlin · Score: 4, Informative

    You're correct.

    I even tried various combinations, including a javascript: in the href tag, and it did not work -

    <a href="javascript:location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm')">test</a>

    Not as bad as it could be. At least not yet.

  11. Re:Not patching this month...... by Anml4ixoye · Score: 4, Informative
    Is this going to break anything useful?

    Yes, things like FTP logins rely on that. URLs are subsets of URIs, which have a lot more useful things.

    For example, if you need to go to an FTP site that has a login, you can type in your address bar:

    ftp://user:pass@ftp.mysite.com

    That will automatically log you in with your user name and password. You could also do just:

    user@ftp.mysite.com

    And it will prompt you for your password
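
    The mechanism the thread keeps circling (comments 3, 9 and 11) is the same one: the authority part of a URL may carry `userinfo@` before the host, which is legitimate for FTP logins but lets a page display one name while connecting to another, and IE stopped drawing the location bar at an embedded %00 / %01 control character. The block below is an added example, not code from the thread, Secunia, or any browser vendor. It parses the authority the way RFC 3986 does (userinfo is everything before the last `@`), reports the host a client would really connect to, renders a warning like the Opera prompt quoted in comment 3, and refuses userinfo that contains a control character, whether raw or percent-encoded. The function names, the verdict labels and the sample URLs (built from hosts mentioned in the thread, plus `.example` names) are this example's own.

```python
"""Classify the authority part of a URL before navigating: expose any userinfo,
name the host the request would really go to, and block userinfo that smuggles
a control character (raw or percent-encoded, e.g. %00 / %01).

Added example for the discussion above; not the thread's or any vendor's code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Percent-encoded C0 controls (%00-%1F) and DEL (%7F). The thread names %00 and
# %01; the rest of the range is covered on the same reasoning (assumption).
_ENCODED_CONTROL = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")


def _has_control(text: str) -> bool:
    """True if text carries a control character, raw or percent-encoded."""
    if _ENCODED_CONTROL.search(text):
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


@dataclass
class AuthorityCheck:
    scheme: str
    userinfo: Optional[str]  # everything before the last '@' in the authority
    host: str                # the host a conforming client actually connects to
    verdict: str             # "ok" | "warn-userinfo" | "block-control-char"


def check_url(url: str) -> AuthorityCheck:
    """Split scheme://authority and decide how a cautious client should treat it."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://authority[/path]")
    # The authority ends at the first '/', '?' or '#'.
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    # RFC 3986: userinfo is everything up to the LAST '@'; host[:port] follows it.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    host = hostport.split(":", 1)[0].lower()
    if userinfo is not None and _has_control(userinfo):
        verdict = "block-control-char"
    elif userinfo is not None:
        verdict = "warn-userinfo"
    else:
        verdict = "ok"
    return AuthorityCheck(scheme.lower(), userinfo, host, verdict)


def opera_style_prompt(check: AuthorityCheck) -> str:
    """Render a warning like the one quoted in comment 3 for a URL with userinfo."""
    if check.userinfo is None:
        return ""
    user = check.userinfo.split(":", 1)[0]  # hide any password part
    return (
        "Security warning: you are about to go to an address containing a username:\n"
        f"username: {user}\nserver: {check.host}"
    )


if __name__ == "__main__":
    # Constructed samples shaped like the URLs discussed in the thread.
    for sample in (
        "http://www.yahoo.com/",
        "ftp://user:pass@ftp.mysite.com",
        "http://www.zdnet.com@slashdot.org",
        "http://www.paypal.com%01@rc6.org/",
        "http://www.paypal.com\x00@rc6.org/",
    ):
        c = check_url(sample)
        print(f"{c.verdict:20s} host={c.host:16s} userinfo={c.userinfo!r}")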

  12. Firebird fails in the status bar, sort of by burgburgburg · Score: 4, Informative

    Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.