New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
Link to POC test (Score:5, Informative)
The example misuse (Score:4, Informative)
http://www.zapthedingbat.com/security/ex01/vun1.h
A demonstration (Score:4, Informative)
Click here [ZapTheDingBat.com] [zapthedingbat.com] to see an example of how it is done...
Opera and Mozilla (at least Firebird) handle it properly :-)
Works fine on IE (Score:2, Informative)
Not a problem in Opera (Score:5, Informative)
IE Mac is fine (Score:5, Informative)
Re:See also (Score:4, Informative)
The %01 part should come _before_ the @... and no, it is not just as simple as this... the url must also be unescaped..
See Here [DevGuru] [devguru.com] if you don't know what 'unescape' means...
(Yes, this means that it will be difficult pulling this one off over e.g. IRC, where special characters don't necessarily show up on other people's terminals)
check here to test your browser (Score:5, Informative)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
Re:Works fine on IE (Score:3, Informative)
What is your version number? Mine is 6.0.2800.1106, and I can confirm that it's working (unfortunately)...
Have you tried some examples? Such as this one? [zapthedingbat.com] [zapthedingbat.com]
Re:Not patching this month...... (Score:5, Informative)
Re:This bodes ill (Score:5, Informative)
I'm sure its main 'use' will be HTML e-mails which lead consumers to fake eBay and PayPal sites.
Re:Not just an IE bug... (Score:3, Informative)
http://www.microsoft.com@zapthedingbat.com/secu
Re:IE Mac is fine (Score:1, Informative)
IE 5.2 for mac was well ahead of IE 5 for windows - in terms of rendering speed, css/dom support, and stability.
why? i have no frickin' clue.
Re:IE Mac is fine (Score:5, Informative)
We're not who we are ... (Score:0, Informative)
I figured that if Google was doing crap like that, there would have been something in the news. I ran my virus checker and my spyware cleaners, found a few things, removed them, and then went back to Google. The same thing was happening.

It is a clever trick. The page looks exactly like Google and, when you choose the other search pages (2 and above), searches work. However, the selection for 1 no longer links to anything. When you go to other Googles overseas or use the direct IP address, Google works correctly. On other PCs on my network, Google works correctly.

The bogus sponsored links are either to 216.221.138.95 or to something called searchassistant.net. The pop-up that comes up is linked to epsilon.searchassistant.net. Linking to searchassistant.net brings up a page claiming to be under construction and offering a link to uninstall searchassistant spyware. I haven't tried that because I have work stuff to do on this PC and don't have time to reinstall Windows or something if that blasts me with more crud.

I dug around through the registry and the C drive and found several odd keys and files referring to Google and searchassistant. I removed all I could find without any effect. I'm not an expert so I must have missed stuff. There is also a strange application that keeps appearing on my C drive called msdos.exe. It is not DOS and always restores when I remove it.

These people are scum and should be abused and sanctioned. It is one thing to hit people with popups and another to present fake web sites. Also, I never allowed anything to download and I know I didn't make a mistake. I'm not THAT much of a newbie. These people are basically virus writers. Also, if you are adult site surfing, never ever go to p***y.com. This is the site that infected my PC with this searchassistant crap.

As I said, I'm not an expert, basically a normal user with enough know-how to be dangerous. If anything I wrote is obvious or stupid, then I apologize.
Re:IE Mac is fine (Score:4, Informative)
You would think so, wouldn't you? No, a separate development team worked on IE for the Mac; the codebases weren't unified at all. From all reports, IE on the Mac was better than IE on Windows in many ways, particularly standards compliance. Go figure!
Re:Not a problem in Opera (Score:4, Informative)
http://www.scps.nyu.edu [nyu.edu] and
http://www.expensable.com [expensable.com]. (expensable.com, by the way, is an excellent showcase for bad design, but most of it you'd have to log in to see. For example, the main interface is in a popup, and if you have popups blocked, you just can't log in, and it gives you no indication why.) Try going to either of those sites with your User-Agent string set to something unusual. Sure, you and I know how to change that...but for my mom, who can't even figure out how to change her Windows desktop image on her own, that's going to be a deal-breaker.
Still.. (Score:3, Informative)
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
Re:Not patching this month...... (Score:5, Informative)
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol
http://www.zdnet.com@slashdot.org
No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:
http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html
will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:
http://www.yahoo.com
Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.
Re:That isn't much better though! (Score:2, Informative)
Seems like a damn fine idea to me. If all browsers already had this functionality, It would have prevented this [bbc.co.uk] from happening.
Re:This bodes ill (Score:5, Informative)
I even tried various combinations, including a javascript: in the href tag and it did not work -
<a href="javascript:location.href=unescape('http://w
Not as bad as it could be. Atleast not yet.
Re:Works fine on IE (Score:2, Informative)
<script language="javascript">
document.write(unescape('
</script>
will give you a URL that you can put into an unscripted link something like this, but with the %01 encoded and displayed as a box.
<a href="http://www.microsoft.com[encoded %01]@zapthedingbat.com/security/ex01/vun2.htm">ex
Re:Current example. (Score:2, Informative)
webpagesthatsuck.com's demo of this exploit [webpagesthatsuck.com]
Supply a link, this article says IE only. (Score:4, Informative)
Results of the exploit in different browsers (Score:3, Informative)
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either a ascii 1 or an ascii 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0 [rit.edu]
ASCII 1 [rit.edu]
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Doesn't affect my version of Mozilla (Score:4, Informative)
If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
Re:Not patching this month...... (Score:5, Informative)
Yes, things like FTP logins rely on that. URLs are subsets of URIs which have a lot more useful things.
For example, if you need to go to a FTP site that has a login, you can type in your address bar:
ftp://user:pass@ftp.mysite.com
That will automatically log you in with your user name and password. You could also do just:
user@ftp.mysite.com
And it will prompt you for your password
Re:Mozilla vulnerable also (Score:1, Informative)
IE displays href="http://www.yahoo.com%00@www.hotmail.com" as www.yahoo.com when it is actually a link to www.hotmail.com in the status bar at the bottom of the browser, and it also shows that link as one to "http://www.yahoo.com" when you view the properties of the link. Unfortunately I can't demonstrate this in this post as I intended, as Slashdot removes everything before the www.hotmail.com.
Mozilla 1.3 also shows the link as being to www.yahoo.com although it is actually to www.hotmail.com, although Mozilla 1.3 DOES correctly show the link properties as "http://www.yahoo.com%00@www.hotmail.com".
Consequently, Mozilla also needs to fix their browser, although only in one of the two ways that IE needs to fix their browser.
Re:Not patching this month...... (Score:2, Informative)
First step to be the 'most clueful geek':
Don't use IE.
Re:Works fine on IE (Score:3, Informative)
The new version doesn't fool the address bar, but I wouldn't be surprised if there's some combination of characters that does.
Re:Cert? (Score:3, Informative)
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
Re:Similar IE bug (Score:1, Informative)
Of note, you will get a security warning above because "paypal.com" does not match "my name is green"
az@blizzle
Firebird fails in the status bar, sort of (Score:5, Informative)
Re:Why is there an @ at all? (Score:4, Informative)
Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.
Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.
So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing thing is a completely unintended consequence of that.
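An added example (not code from the thread, the Secunia advisory or any browser vendor) that ties together the two posts above: the FTP-login post showing what the `user:pass@host` syntax is for, and this one explaining why the userinfo part is what the spoof abuses. It splits the authority the way RFC 3986 describes, emulates an address display that percent-decodes and then stops at the first control character (the behaviour the thread reports for IE with %00/%01), and flags links where the two disagree. The sample links are constructed for the demo; the host names in them are placeholders taken from the thread's own examples, not real sites. Node's built-in `URL` is used only as a cross-check.

```javascript
// Added example, not code from the Slashdot thread or any browser.
// Shows how the userinfo part of "scheme://user:pass@host" is split off from
// the real host, and why a display routine that decodes %XX and then cuts at
// the first control character ends up showing attacker-chosen text instead
// of the host. Sample links below are constructed for the demo.

// RFC 3986: authority = [ userinfo "@" ] host [ ":" port ].  Everything up to
// the LAST "@" is userinfo, so "a@b@c" has host "c".  (Assumption: no IPv6
// literals in brackets; they are not needed for this demonstration.)
function splitAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  return { userinfo, host: hostport.split(':')[0].toLowerCase() };
}

// The host the request actually goes to, regardless of what precedes "@".
function realHost(url) {
  const a = splitAuthority(url);
  return a ? a.host : null;
}

// Emulates the faulty address bar described in the thread: percent-decode the
// string, then render only up to the first C0 control character (NUL, SOH...).
function naiveDisplay(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch (e) { decoded = url; }
  const cut = decoded.search(/[\x00-\x1f]/);
  return cut >= 0 ? decoded.slice(0, cut) : decoded;
}

// WHATWG URL parser (Node's global URL) as a cross-check: it keeps "%01" in the
// username and still reports the true host.
function whatwgHost(url) {
  return new URL(url).hostname;
}

// Audit a link: is there userinfo at all, and would the naive display mislead?
// "spoofed" means the host a user would read off the display is not the host
// the browser connects to.
function auditLink(url) {
  const a = splitAuthority(url);
  if (!a) return null;
  const shown = naiveDisplay(url);
  return {
    hasUserinfo: a.userinfo !== null,
    actualHost: a.host,
    shown,
    spoofed: realHost(shown) !== a.host,
  };
}

// Constructed sample links (placeholders from the thread, not real targets).
const SAMPLE_LINKS = [
  'http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html', // SOH trick
  'http://www.yahoo.com%00@www.hotmail.com',               // NUL variant
  'http://www.zdnet.com@slashdot.org',                     // plain "@", visible
  'ftp://user:pass@ftp.mysite.com',                        // legitimate FTP login
  'http://slashdot.org/',                                  // no userinfo at all
];

for (const link of SAMPLE_LINKS) {
  const r = auditLink(link);
  console.log(`${r.spoofed ? 'SPOOF' : 'ok   '} shown=${JSON.stringify(r.shown)} actual=${r.actualHost}`);
}
```

The design point: a link checker (mail gateway, HTML sanitizer, or just a bookmarklet) should never decide what host a link points at by looking at the text before "@"; it should parse the authority and take what follows the last "@", then compare that with whatever the user will be shown. The plain `@` form is visible to a careful user and so is reported as "ok" here, but `hasUserinfo` is still true, and a mail filter may reasonably treat any http link carrying userinfo as suspicious.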
Re:Not patching this month...... (Score:3, Informative)
"%00" will hide the link in the tooltip and the status bar on both Mozilla and IE. Although Mozilla will correctly display the entire link in the link properties where IE only displays up to the "%00" here also.
"%01" will not hide the link in the tooltip or the status bar in either Mozilla or IE, but it will make the location bar only show up to the "%01" in IE after you click on the link.
Re:This bodes ill (Score:2, Informative)
Re:Firebird fails in the status bar, sort of (Score:2, Informative)
It's quite common for webmasters to use the trick with external links that get redirected from a "click-through counter" page before sending you off to the actual URL.
Re:The patch they should issue! (Score:3, Informative)
Yes, it sucks. But we're a business and we can't lead technology change. Just be thankful we don't use
The one piece of good news in this is . . . (Score:3, Informative)
Re:Not patching this month...... (Score:1, Informative)
Actually, I have just tested this on Mozilla Firebird 0.7. Partially it is also vulnerable. Once you click on the link you will see the complete fake URL (in case of their test http://www.microsoft.com%01%00@secunia.com/intern
but in the status bar I only could see http://www.microsoft.com<some_unreadable_characte