| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <005801c455a5$7e7e0790$3200000a@alex> Date: Sat, 19 Jun 2004 04:31:09 +0200 From: Jelmer <jkuperus@...net.nl> To: "'Drew Copley'" <dcopley@...e.com>, bugtraq@...urityfocus.com, ntbugtraq@...tserv.ntbugtraq.com, full-disclosure@...ts.netsys.com Cc: brett.moore@...urity-assessment.com, 1@...ware.com Subject: RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition >As a addendum, perhaps, though I wouldn't doubt someone >might make some nice proof of concept code for this... Don't mind if I do :) The following demo will read out your logon name and your logon domain, or at least it should :) http://jelmer.homedns.org/test.htm The url used is http://jelmer%2fwww.jelmer.homedns.org The problem is that ie looks at the part before the %2f to determine the security zone etc but then loads the url in it's entirety, like this http://jelmer - used to determine the zone http://jelmer/www.jelmer.homedns.org - loaded IE treats any url it sees without a period in it such as http://jelmer as part of the Local Intranet Zone >From the intranet zone we can easily obtain the logon name because Automatic logon thru NTLM is enabled by default in the intranet zone. Code at http://jelmer.homedns.org/code.zip I excluded the rather large jcifs jar, you can download it from http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists