Message-ID: <20050209125828.GC29903@jouko.iki.fi>
Date: Wed, 9 Feb 2005 14:58:29 +0200
From: Jouko Pynnonen <jouko@....fi>
To: bugtraq@...urityfocus.com
Subject: Internet Explorer zone spoofing with encoded URLs




OVERVIEW
========

The method used for Windows security zone evaluation fails when 
characters in the URL are encoded in a certain way. Internet Explorer 
can be tricked into treating a document as belonging to the "My 
Computer" zone when it actually resides on an Internet server. 
JavaScript in such a document can be used to execute arbitrary code, 
because documents in the "My Computer" zone are normally trusted and 
given more privileges than documents on the Internet.

A malicious user can use this vulnerability to perform any action on 
the victim system with the victim user's privileges: transfer files, 
run programs, etc. No further user interaction is required apart from 
viewing a web page created by the attacker. In the e-mail attack 
scenario the victim user is usually required to click a link in the 
e-mail.



DETAILS
=======

Somewhere in the process of evaluating the security zone for a URL, 
hex-decoding (the %xy notation) is done more than once for a single 
URL, i.e. the decoded URL is decoded again. This causes undesired 
effects if the URL contains certain special characters that have been 
encoded more than once.

Unlike some other operating systems, Windows allows the % sign in 
hostnames, so a URL with such encoding in its hostname works in 
Internet Explorer, given that the hostname resolves correctly to the 
attacker's IP address. The attacker can then host e.g. an HTML document 
on that server, which Internet Explorer misinterprets as belonging to 
the "My Computer" zone.
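The following is an added illustration of the bug class described above, not code from the advisory or from Microsoft: a toy zone evaluator that %-decodes a URL a configurable number of times before parsing it, next to a model of the fetching component that decodes only once. The URL `http://%252fshare/poc.html` is constructed for this example (the advisory does not disclose its actual vector), and the "empty host means local" rule, the `Restricted` result and the `hardened_zone` mitigation are assumptions made here, not a description of urlmon or of the MS05-014 fix. The point it shows is that the fetcher and the one-pass evaluator both see a remote host containing `%`, while the two-pass evaluator sees no host at all and classifies the document as local.

```python
from urllib.parse import urlsplit, unquote

# Constructed example URL (NOT the vector from the advisory, which the
# page does not disclose): the "hostname" carries a doubly encoded slash.
# One %-decode turns %252f into %2f; a second decode turns %2f into "/".
CONSTRUCTED_URL = "http://%252fshare/poc.html"


def percent_decode(text, passes):
    """Apply %xy decoding `passes` times; each unquote() call is one pass."""
    for _ in range(passes):
        text = unquote(text)
    return text


def fetch_host(url):
    """Model of the component that fetches the document: it decodes once
    and hands the resulting hostname to DNS. Windows permits '%' in a
    hostname, so '%2fshare' is a name an attacker could make resolve."""
    return urlsplit(unquote(url)).netloc


def toy_zone(url, passes):
    """Toy zone evaluator (hypothetical, not urlmon's logic): decode the URL
    `passes` times, then parse. A file: URL or a URL with no host is treated
    as local ("My Computer"); anything with a host is "Internet"."""
    parts = urlsplit(percent_decode(url, passes))
    if parts.scheme == "file" or not parts.netloc:
        return "My Computer"
    return "Internet"


def hardened_zone(url):
    """One generic mitigation (an assumption, not the MS05-014 fix itself):
    evaluate the zone on exactly the canonical form the fetcher uses (one
    decode) and fail closed when the host is empty or still contains '%'."""
    parts = urlsplit(unquote(url))
    if parts.scheme == "file":
        return "My Computer"
    if not parts.netloc or "%" in parts.netloc:
        return "Restricted"
    return "Internet"


def demo(url=CONSTRUCTED_URL):
    """Return the view each component has of the same URL."""
    return {
        "fetch_host": fetch_host(url),        # '%2fshare': a remote server
        "zone_one_pass": toy_zone(url, 1),    # 'Internet'
        "zone_two_pass": toy_zone(url, 2),    # 'My Computer': the mismatch
        "zone_hardened": hardened_zone(url),  # 'Restricted'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```

The general lesson is independent of this toy: a policy decision (zone, origin, allow-list) must be made on the same canonical form of the URL that the fetching code uses, with exactly one decoding pass, and any URL that still looks ambiguous after canonicalization should fall to the least privileged zone rather than the most.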



VULNERABLE VERSIONS
===================

A proof-of-concept exploit was tested with Internet Explorer 6 on 
Windows 2000 and Windows XP. The exploit successfully launches an 
attacker-supplied EXE program when the victim user visits a web page 
containing the exploit. A full list of vulnerable versions is included 
in Microsoft's bulletin (link below).



VENDOR STATUS
=============

Microsoft was informed of the problem on February 16th, 2004. A 
preliminary patch was first produced in September 2004 and Microsoft 
sent it to me for testing. However, it turned out that the fix didn't 
correctly protect against a variation of the exploit, so the release 
was delayed.

The final patch and Microsoft's bulletin are available at

  http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen, 
Finland.




-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko@....fi

