lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 08 May 2004 11:10:08 -0600
From: Brett Glass <brett@...iat.org>
To: bugtraq@...urityfocus.com
Subject: Status bar exploit hides spoofed URLs Eudora, possibly other
  e-mail clients


Eudora (as well as, possibly, other e-mail clients) is susceptible to an 
exploit which can be used to conceal a fraudulent URL. In a fraudulent 
("phishing") spam I received this morning, the sender inserted a large 
number of character entities (in this case, spaces, coded as &#32) into 
the middle of a URL to force the remainder off the right side of the 
status bar, hiding the true destination:

<a href="http://www.e-gold.com.
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
@egegold.com/"><span lang=EN-US
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>

When the mouse pointer is passed over the URL, the status bar at the 
bottom of the screen shows

http://www.egold.com

and does not reveal the spoofed URL. One must view the message source to 
see the actual URL.

This technique is known to work on some browsers, but this is the first 
time I've seen it used to spoof e-mail clients.

I am told that if the URL gets much longer, recent versions of Eudora 
will overflow a buffer in a way that is exploitable by malware. This 
particular phishing expedition doesn't seem to take advantage of that 
vulnerability, hoever.

--Brett Glass



Powered by blists - more mailing lists