IE Vulnerability
LeRoi
12-09-2003, 03:51 PM
TITLE:
Internet Explorer URL Spoofing Vulnerability
SECUNIA ADVISORY ID:
SA10395
VERIFY ADVISORY:
http://www.secunia.com/advisories/10395/
CRITICAL:
Moderately critical
IMPACT:
ID Spoofing
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 6
DESCRIPTION:
A vulnerability has been identified in Internet Explorer, which can
be exploited by malicious people to display a fake URL in the address
bar.
The vulnerability is caused due to an input validation error, which
can be exploited by including the "%01" URL encoded representation
after the username and right before the "@" character in a URL.
Successful exploitation allows a malicious person to display an
arbitrary FQDN (Fully Qualified Domain Name) in the address bar,
which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive
information or into downloading and executing malware on their systems, because
they trust the faked domain in the address bar.
Example displaying only "http://www.trusted_site.com" in the address
bar when the real domain is "malicious_site.com":
http://www.trusted_site.com%01@malicious_site.com/malicious.html
The vulnerability has been confirmed in version 6.0. However, prior
versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy server
or firewall with URL filtering capabilities.
Don't follow links from untrusted sources.
REPORTED BY / CREDITS:
Zap The Dingbat
Elly1
12-10-2003, 11:53 AM
thanks for the "heads up" LeRoi..
I just upgraded to IE6 (FROM IE 5.5)..
As I still do not know an awful lot about computers, I have what might be considered an uninformed type question;
I have Spybot and AdAware - if I run these, will I be all right?
amb141
12-10-2003, 12:11 PM
>>I have Spybot and AdAware - if I run these, will I be all right?<<
Not to speak for LeRoi, but no -- AdAware and Spybot will not address this kind of ID spoofing. You will have to wait for a patch from Microsoft, or, as LeRoi's link suggests, use a firewall which is capable of filtering the specific characters in the falsified URL ("the "%01" URL encoded representation after the username and right before the "@" character in a URL" as in the example "http://www.trusted_site.com%01@malicious_site.com/malicious.html"), which as far as I know would not include any application-based firewall like Zone Alarm -- or by using a browser which is not subject (as far as is known) to this ID spoofing behavior like Mozilla, or Mozilla Firebird, or K-Meleon, or Opera.
alan
travislopez
12-11-2003, 07:44 AM
what about MyIE2? any ideas? i use that one and i love it. but i don't really know much about its security.
Originally posted by travislopez@Dec 11 2003, 02:49 PM
what about MyIE2? any ideas? i use that one and i love it. but i don't really know much about its security.
MyIE2 has the same security vulnerabilities as IE as it uses the same engine and files, that is why if you have problems with IE then your other front end browsers based on it will likely stop working properly too. I can highly recommend Firebird, would not dream of using anything else now, after being a slave to IE for too long. :thLt:
Amie :amie:
travislopez
12-11-2003, 09:02 AM
fine. i will try this so-called bird of fire. ;)
bandonispcom
12-11-2003, 09:28 AM
Originally posted by Amie@Dec 11 2003, 08:16 AM
Originally posted by travislopez@Dec 11 2003, 02:49 PM
what about MyIE2? any ideas? i use that one and i love it. but i don't really know much about its security.
MyIE2 has the same security vulnerabilities as IE as it uses the same engine and files, that is why if you have problems with IE then your other front end browsers based on it will likely stop working properly too. I can highly recommend Firebird, would not dream of using anything else now, after being a slave to IE for too long. :thLt:
Amie :amie:
I just started using Mozilla 1.5. I got it because I was interested in their Composer, but I started using the browser and it is so user friendly that I made it my default browser. Are you using the Mozilla Firebird 0.7? Could I download it right over Mozilla 1.5?
Had a customer last week that had so many pop-ups in IE and I tried deleting toolbars and such to fix it, but I put in Mozilla 1.5 and started using it. I was still getting pop-ups in IE close. I did put in Panicware Pop-Up Stopper and it blocks all the pop-ups when Mozilla is on. I am not a tech, but if it wasn't for Mozilla the computer would not operate in IE. Wanting to know more about Mozilla. I also use the Composer to build web sites. It is great!! Here is an example of a family web site I built with Mozilla Composer, the
"The Fisherman" (http://www.gct21.net/~hughmc/)
LeRoi
12-11-2003, 10:18 AM
Originally posted by Bandonisp@Dec 11 2003, 10:33 AM
I just started using Mozilla 1.5. I got it because I was interested in their Composer, but I started using the browser and it is so user friendly that I made it my default browser. Are you using the Mozilla Firebird 0.7? Could I download it right over Mozilla 1.5?
Had a customer last week that had so many pop-ups in IE and I tried deleting toolbars and such to fix it, but I put in Mozilla 1.5 and started using it. I was still getting pop-ups in IE close. I did put in Panicware Pop-Up Stopper and it blocks all the pop-ups when Mozilla is on. I am not a tech, but if it wasn't for Mozilla the computer would not operate in IE. Wanting to know more about Mozilla. I also use the Composer to build web sites. It is great!! Here is an example of a family web site I built with Mozilla Composer, the
"The Fisherman" (http://www.gct21.net/~hughmc/)
I use both Mozilla 1.5 (default browser) and Firebird 0.7, but I specify a separate directory from the Mozilla.org folder in program files when using the Firebird installer from here (topmost in list; 0.7):
http://seb.mozdev.org/firebird/
It should cause no harm if installed to the Mozilla.org folder though.
I create a separate directory because it is my "custom" to do so.
The profiles remain separate because there will be a separate directory created in the Application Data folder to house Firebird profiles.
I also do not use default locations for profiles, another proclivity of mine. I create folders in the root of C drive to house Mozilla and Firebird profiles, you can specify profile locations upon creation (profile manager).
travislopez
12-11-2003, 10:28 AM
right away i don't like it. oh well. to each his own. i guess i'll suffer through the ie vulnerability. :wacko:
bandonispcom
12-11-2003, 10:43 AM
Originally posted by travislopez@Dec 11 2003, 10:33 AM
right away i don't like it. oh well. to each his own. i guess i'll suffer through the ie vulnerability. :wacko:
I was the same way! We are creatures of habit. Suggest you just poke around. Check out the preferences and do try the Mail client. I no longer use OE. Wait a couple of days and try it again. Thanks for sharing.
LeRoi
12-11-2003, 11:21 AM
Originally posted by travislopez@Dec 11 2003, 11:33 AM
right away i don't like it. oh well. to each his own. i guess i'll suffer through the ie vulnerability. :wacko:
Firebird and Mozilla are both acquired tastes, I guess. I never liked IE even though it seems to function fine on my system. I just don't like the way it handles its cache, cookies, active content etc. as well as being non-user friendly (to me anyway).
As soon as I installed my first Gecko based browser, I knew I would never be using IE except when I had to (for Windows Update), even though at the time Gecko based browsers were very immature compared to where they are now.
Firebird and Mozilla, if you give them a chance, are very capable and secure browsers, no need for third party add-ons to make them that way either (Spywareblaster, Spywareguard, IESpyad etc., etc.).
This old article:
http://www.extremetech.com/article2/0,3973,793358,00.asp
may give you something to think about, as much of its warning has already come to fruition. Many of the still extant security holes that IE possesses will be exploited and I (among other alternative browser users) will be glad to still be able to use our computers and internet while IE users are concentrating on getting their machines back into working order; they probably will be installing more secure browsers after the next mass exploitation.
LeRoi
12-11-2003, 12:54 PM
I just found this demonstration of the IE vulnerability that this thread was started about:
http://www.zapthedingbat.com/security/ex01/vun1.htm
I have not as yet tested it, still searching for answers to my wife's health problems and don't have time for much else.
mikey
12-11-2003, 01:35 PM
Originally posted by LeRoi@Dec 11 2003, 07:59 PM
I just found this demonstration of the IE vulnerability that this thread was started about:
http://www.zapthedingbat.com/security/ex01/vun1.htm
I have not as yet tested it, still searching for answers to my wife's health problems and don't have time for much else.
The same type of source is also demonstrated at Secunia http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
Here's the source for the button test you posted, LeRoi;
<BR><BUTTON style="FONT: 8pt verdana, sans-serif"
onclick="location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm');">Test
Exploit</BUTTON> <!--//-->
<script>PrxRST();</SCRIPT>
Whereas the Secunia link reads; http://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test/
Even those of you who don't know a lot about web scripting can see the form of the exploit in the url.
I made a post elsewhere about this and hope you wont mind my quoting it;
"Ref; http://www.secunia.com/advisories/10395 & http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
This and combobulated urls are a good reason to be familiar with netstat so that you can see where you are when you suspect funniness in a url. Even tho the browser reports the url as http://www.microsoft.com in their test, netstat reports it as Proxomitron.exe:1008 TCP dialup-xx-xxx-x-xx.ev1.net:1649 websrv.secunia.com:http CLOSE_WAIT
Obviously not MS.
Another thing that is handy is, you can right click on any unscripted link and choose 'copy shortcut'. When you paste the copied url, it displays the true addy. Again from their test, the link reads; http://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test/
Also, when you run into any url that you can't discombobulate, you can run whois on the IP.
Unrelated to the exploit of topic here but 'never the less' handy on occasion, is Karen's Discombobulator; http://www.karenware.com/powertools/ptlookup.asp "
mikey
12-11-2003, 04:46 PM
I couldn't resist playing with it too; http://www.voiceofthepublic.com/test/test3a.html
LeRoi
12-11-2003, 05:22 PM
Cool, Mikey! :thRt:
May I post a link at Mozillazine?
(went ahead and did, will take it down if you wish)
mikey
12-11-2003, 07:09 PM
Originally posted by LeRoi@Dec 12 2003, 12:27 AM
May I post a link at Mozillazine?
I can see where they might be interested. :)
As always, feel free to use any link I post.
It also demonstrates that anyone can use the exploit. I did. Merijn thinks we'll see hijackers using it a lot. Even if MS gives up a fix real fast, you know how many users keep up with updates...critical or not.
LeRoi
12-11-2003, 07:59 PM
Originally posted by mikey@Dec 11 2003, 08:14 PM
Originally posted by LeRoi@Dec 12 2003, 12:27 AM
May I post a link at Mozillazine?
I can see where they might be interested. :)
As always, feel free to use any link I post.
It also demonstrates that anyone can use the exploit. I did. Merijn thinks we'll see hijackers using it a lot. Even if MS gives up a fix real fast, you know how many users keep up with updates...critical or not.
Thanks, Mikey, thought it would be fine to do so. I like the way you worded your warning on the test page; explains well why this type of vulnerability is so dangerous.
It would be so easy to install something you think is from a trusted source being taken in by this exploit.
LeRoi
12-12-2003, 09:56 AM
Mozilla is partially vulnerable to this exploit also, the status bar does not show the complete url. This seems less serious to me because ActiveX, which is the predominant route of malware/spyware, will not run on Mozilla anyway.
What do y'all think?
It would be best not to depend on the status bar and be sure to read urls in the address bar before trusting websites while using Mozilla/Firebird.
mikey
12-12-2003, 11:19 AM
Originally posted by LeRoi@Dec 12 2003, 05:01 PM
Mozilla is partially vulnerable to this exploit also, the status bar does not show the complete url. This seems less serious to me because ActiveX, which is the predominant route of malware/spyware, will not run on Mozilla anyway.
What do y'all think?
It would be best not to depend on the status bar and be sure to read urls in the address bar before trusting websites while using Mozilla/Firebird.
http://www.secunia.com/advisories/10419/
I'm wondering what other characters are functional.
EDIT: Not nearly the same threat level, but this means that perhaps even Mozilla users can be tricked into DLing something bogus with the use of a malformed direct DL link.
mikey
12-14-2003, 06:58 PM
I wonder if this makes a better browser test?
SSD Home Page (http://www.safer-networking.com%00@%77%77%77.%76%6f%69%63%65%6f%66%74%68%65%70%75%62%6c%69%63.%63%6f%6d/test/HowTo.htm)
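The advisory at the top of the thread, mikey's netstat / "copy shortcut" checks and the percent-encoded link just above all come down to one question: which host does the URL actually name? The following Python is an added example, written for this page and not code from the thread, from Secunia or from any of the posters. It uses only the standard library. It splits the authority on the last "@" the way RFC 3986 does, decodes percent-encoding in both halves (so %77%77%77 becomes www, as in the link above), reports the prefix a user is likely to read, and scans constructed sample lines for URLs of this shape. The sample lines and the ftp URL are constructed for the example.

```python
"""Tell a spoofed userinfo@host URL from the host it really points at.

Added example for the SA10395 pattern (fake host, control character, '@',
real host).  Not code from the thread; standard library only.
"""
import re
from urllib.parse import urlsplit, unquote

# Matches the URL schemes used in the thread's examples plus ftp.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+")


def real_host(url):
    """Host the browser will actually connect to.

    urlsplit() takes the authority text after the last '@', which is what
    the advisory's trick relies on; unquote() then undoes %77%77%77-style
    encoding of the host name itself.
    """
    return unquote(urlsplit(url).hostname or "")


def analyze_url(url):
    """Describe what a reader is likely to see versus where the URL points.

    Returns a dict with:
      shown      - the userinfo prefix up to the first control character
                   (the part of the fake host a user would read), or None
      real_host  - decoded host from real_host()
      findings   - human-readable reasons the URL looks odd
      suspicious - True when any finding goes beyond plain userinfo
    """
    parts = urlsplit(url)
    raw_user = parts.username          # text before '@', None if absent
    findings = []
    shown = None
    if raw_user is not None:
        decoded = unquote(raw_user)
        # Cut at the first C0 control character (%00, %01, ...).
        shown = re.split(r"[\x00-\x1f]", decoded, maxsplit=1)[0]
        findings.append("userinfo present")
        if decoded != shown:
            findings.append("control character in userinfo (SA10395 pattern)")
        if "." in shown:
            findings.append("userinfo looks like a host name")
    if "%" in (parts.hostname or ""):
        findings.append("percent-encoded host name")
    suspicious = any(f != "userinfo present" for f in findings)
    return {"shown": shown, "real_host": real_host(url),
            "findings": findings, "suspicious": suspicious}


def find_spoofed_urls(lines):
    """Scan text lines (proxy log, mail body, page source) for spoofed URLs.

    Returns (line_number, url, real_host) for each URL judged suspicious.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            result = analyze_url(url)
            if result["suspicious"]:
                hits.append((n, url, result["real_host"]))
    return hits


# Constructed sample lines (not real logs).  Lines 2 and 3 use URLs quoted
# in the thread; line 4 is an ordinary userinfo URL that must not be flagged.
SAMPLE_LINES = [
    "GET http://www.secunia.com/advisories/10395/ 200",
    "GET http://www.trusted_site.com%01@malicious_site.com/malicious.html 200",
    "GET http://www.safer-networking.com%00@%77%77%77.%76%6f%69%63%65%6f%66"
    "%74%68%65%70%75%62%6c%69%63.%63%6f%6d/test/HowTo.htm 404",
    "GET ftp://user:secret@ftp.example.com/pub/ 200",
]

if __name__ == "__main__":
    for n, url, host in find_spoofed_urls(SAMPLE_LINES):
        print(f"line {n}: really connects to {host}: {url}")
```

The decision rule is deliberately narrow: userinfo on its own is legitimate (the ftp line passes), and only a control character, a host-shaped userinfo, or a percent-encoded host name marks a URL as suspicious. That is the same filter the advisory suggests putting in a proxy, expressed as code, and the `real_host` value is what netstat or "copy shortcut" would have shown the posters.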
LeRoi
12-14-2003, 08:22 PM
Originally posted by mikey@Dec 14 2003, 08:07 PM
I wonder if this makes a better browser test?
SSD Home Page (http://www.safer-networking.com%00@%77%77%77.%76%6f%69%63%65%6f%66%74%68%65%70%75%62%6c%69%63.%63%6f%6d/test/HowTo.htm)
I don't know, Mikey, but I see the "box" character in the "middle" of the url in the status bar of Mozilla (at the end), I don't see the rest of the characters though.
I get the "page not found" message when I click on your link.
This is what I get when I click on Mikey's link, using Firebird 0.7
mikey
12-14-2003, 09:48 PM
Did you check it out in IE? I'm guessing not...I think I added a new wrinkle in that the DL link on that page behaves the same for showing the status bar and also the Windows' DL manager allows the bogus url to work.
Does this link act any diff in Firebird? I still haven't loaded FB so I have no idea how it looks there. Since IE users outnumber other browser users by a considerable amount, I'm only a little bit more than curious about whether I can exploit Mozilla.
Same page...diff url (http://www.safer-networking.com%00@www.voiceofthepublic.com/test/HowTo.htm)
LeRoi
12-14-2003, 10:04 PM
After going back through this thread, I now see that the "box" character is shown in the status bar of both Mozilla and Firebird in all the test urls, not just yours.
I have not checked in IE (yet), perhaps someone that uses the browser can tell us if the character shows or not? I guess I could break my rule and check it out in IE...
This is what the status bar displays in Firebird:
LeRoi
12-14-2003, 10:29 PM
Just checked in IE6sp1 and all that is displayed in both the address bar and status bar is:
http://www.safer-networking.com
So there is no visual cue whatsoever that the link is "illegitimate" in IE.
LeRoi
01-24-2004, 06:22 PM
Mozilla 1.6 has resolved this vulnerability it seems.
I now see the entire url displayed in both the status bar and location bar.
mfarley
01-24-2004, 07:06 PM
Originally posted by LeRoi@Jan 24 2004, 05:26 PM
Mozilla 1.6 has resolved this vulnerability it seems.
I now see the entire url displayed in both the status bar and location bar.
So much for Microsoft's big claim that they fix and make patches available faster than the open source community. :rolleyes: