Internet Explorer URL Spoofing Vulnerability
Secunia | 12/09/03 | Zap The Dingbat
Posted on 12/11/2003 10:32:57 AM PST by Salo
Internet Explorer URL Spoofing Vulnerability
Secunia Advisory: SA10395
Release Date: 2003-12-09
Last Update: 2003-12-11
Critical: Moderately critical
Impact: ID Spoofing
Where: From remote
Software: Microsoft Internet Explorer 6
Description: A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused by an input validation error, which can be exploited by including the "%01" and "%00" URL-encoded representations after the username and right before the "@" character in a URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive information or into downloading and executing malware on their systems, because they trust the faked domain in the two bars.
Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com": http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
A test is available at: http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected.
Solution: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.
Don't follow links from untrusted sources.
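The following is an added illustration, not part of the Secunia advisory or of this post. It uses only Python's standard urllib.parse to show why the trick works (the real host is whatever follows the last "@" in the authority, so the "trusted" name is merely a username) and to implement the kind of URL filter the Solution above suggests a proxy should apply. The buggy_display function is a model of the truncation behaviour the advisory describes, not Internet Explorer's actual code; the sample URLs are constructed (the first is the advisory's own example), and the reject_any_userinfo policy is this example's choice, not something the advisory prescribes.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample inputs. SPOOF_URL is the advisory's own example;
# the other two are made up for contrast.
SPOOF_URL = "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html"
PLAIN_URL = "http://www.trusted_site.com/index.html"
CREDS_URL = "http://user:secret@example.com/"   # legitimate userinfo, no control chars

# C0 control characters plus DEL; the advisory's payload uses 0x01 and 0x00.
C0_CONTROLS = {chr(c) for c in range(0x20)} | {"\x7f"}


def real_host(url: str) -> str:
    """Host the HTTP request actually goes to.

    RFC 3986 authority is [userinfo "@"] host [":" port]; the host is
    whatever follows the LAST '@'. urlsplit() implements exactly that, so
    everything the attacker placed before '@' is just a username.
    """
    return urlsplit(url).hostname or ""


def buggy_display(url: str) -> str:
    """Model (an assumption, not IE's code) of the rendering bug the advisory
    describes: the authority is percent-decoded and rendering stops at the
    first control byte, so the user sees only the 'username' part."""
    parts = urlsplit(url)
    shown = []
    for ch in unquote(parts.netloc):
        if ch in C0_CONTROLS:
            break
        shown.append(ch)
    return f"{parts.scheme}://{''.join(shown)}"


def is_spoof_attempt(url: str, reject_any_userinfo: bool = False) -> bool:
    """Proxy/URL-filter check in the spirit of the advisory's workaround.

    Flags an http(s) URL whose userinfo (the part before the last '@')
    contains any control character, raw or percent-encoded. With
    reject_any_userinfo=True it rejects every http(s) URL carrying userinfo
    at all: a stricter policy chosen for this example, not advisory text.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if "@" not in parts.netloc:
        return False
    userinfo = parts.netloc.rpartition("@")[0]
    if reject_any_userinfo:
        return True
    decoded = unquote(userinfo)   # catches %01 / %00 as well as raw bytes
    return any(ch in C0_CONTROLS for ch in decoded)


if __name__ == "__main__":
    for u in (SPOOF_URL, PLAIN_URL, CREDS_URL):
        print(f"{u}\n  shown as : {buggy_display(u)}"
              f"\n  real host: {real_host(u)}"
              f"\n  spoof?   : {is_spoof_attempt(u)}")
```

Running the block prints, for the advisory's URL, a displayed address of http://www.trusted_site.com against a real host of malicious_site.com, which is the whole bug in two lines of output. Note that the filter decodes before inspecting: a check on the raw string for the literal text "%01" would be bypassed by a raw 0x01 byte or by mixed-case or double encoding, so always compare on the decoded form.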
Reported by / credits: Originally discovered by: Zap The Dingbat
Status bar variant reported by: Chris Hall
Changelog: 2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
TOPICS: Business/Economy; Crime/Corruption; Technical
KEYWORDS: computersecurity; explorer; lowqualitycrap; microsoft; security; windows
This one's a Doozy. Be very careful, Freepers.
1 posted on 12/11/2003 10:33:00 AM PST by Salo
To: rdb3; Bush2000; ShadowAce; Ernest_at_the_Beach
Technical Ping.
2 posted on 12/11/2003 10:33:48 AM PST by Salo (Hold my beer and watch this!)
To: CheneyChick
The Mac version of IE is not affected. For Windows, the Mozilla variants are ok.
3 posted on 12/11/2003 10:34:55 AM PST by Salo (Hold my beer and watch this!)
To: EdReform
BTTT
4 posted on 12/11/2003 10:37:39 AM PST by EdReform (Support Free Republic - Become a Monthly Donor)
To: Salo
5 posted on 12/11/2003 10:39:20 AM PST by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Salo
hmmm - may have to go back to netscrape.
To: Salo
Yup, this is a big one.
Expect vast volumes of porn links to be disguised in this manner very soon.
7 posted on 12/11/2003 10:45:20 AM PST by Malsua
To: Malsua
Porn links are merely offensive. Think of a fake MS Patching site, or fake financial institutions. You could wreak havoc with trojans or could steal identities with ease - and the redirect is trivial.
And did I mention no patch in Dec?
8 posted on 12/11/2003 10:48:36 AM PST by Salo (Hold my beer and watch this!)
To: AppyPappy
You're evil. I like it! :-)
9 posted on 12/11/2003 10:49:36 AM PST by Salo (Hold my beer and watch this!)
To: Salo
>>Porn links are merely offensive. Think of a fake MS Patching site, or fake financial institutions. You could wreak havok with trojans or could steal identities with ease - and the redirect is trivial. <<
Agreed, except there will certainly be porn links which, disguised, will lead to sites where malicious scripts can run. The financial and banking bits are indeed disturbing.
Like.. "click here to go to paypal" And it takes you to a paypal login page at Paypal.com but it's not paypal. It's scumbag.com.
Glad I'm doing most of my browsing in Firebird these days.
10 posted on 12/11/2003 11:17:41 AM PST by Malsua
To: Salo
11 posted on 12/11/2003 11:27:27 AM PST by Malsua
To: Salo
Has anybody validated that this is true?
12 posted on 12/11/2003 11:29:48 AM PST by sd-joe
To: Malsua
13 posted on 12/11/2003 11:33:42 AM PST by smith288 ("The United States has a system of taxation by confession." - Hugo Black, Supreme Court Justice)
To: sd-joe
14 posted on 12/11/2003 11:36:45 AM PST by smith288 ("The United States has a system of taxation by confession." - Hugo Black, Supreme Court Justice)
To: sd-joe
Look at the replies here. We are doing it.
15 posted on 12/11/2003 11:37:18 AM PST by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: smith288
16 posted on 12/11/2003 11:39:25 AM PST by smith288 ("The United States has a system of taxation by confession." - Hugo Black, Supreme Court Justice)
To: Salo
Use Opera - not affected.
17 posted on 12/11/2003 11:40:25 AM PST by 4CJ ('Scots vie 4 tavern juices' - anagram by paulklenk, 22 Nov 2003)
To: Salo
And to think this was the month in which Microsoft said it wouldn't be releasing any patches. They just accidentally released one for an older bug, and now they're going to have to release one for this.
It's really sad that it's big news when Microsoft says it's going to go just one month without having to patch their OS, but then they have to anyway.
Luckily my main browser is Mozilla even when I'm on Windows.
To: Salo
Of the browsers I have on my system:
IE 4 failed
Netscape 4.7 passed
Netscape 7.01 passed
(I only use IE to check cross-browser compatibility in my HTML.)
To: antiRepublicrat
Alas, that puts you in a very small minority. What % does IE have? Like in the 80s or something? I use it here at work, but at home I use Safari.
20 posted on 12/11/2003 11:53:15 AM PST by Salo (Hold my beer and watch this!)