Really fucking bad bug in MSIE


Really fucking bad bug in MSIE

Post by Faram »

Okay here is a bad bug! Be really careful when you surf with IE

Exploit info and demo:
http://www.zapthedingbat.com/security/ex01/vun1.htm

In short, the address you see in the address field might not be the one you are visiting!

"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus


Fear is the mother of all gods.

Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius

Post by Mad »

I've known about this for a long time... it's common to see the spoofing done in forged e-mails, to try to get you to go to a site to give up personal information.

Also, it seems Mozilla Firebird has the same problem (I went to the test page with it), so it's not just limited to IE for those who don't double-check the URL displayed on the address bar... though Firebird does display the rest of the URL.
Later...

Post by Faram »

Mad wrote:I've known about this for a long time... it's common to see the spoofing done in forged e-mails, to try to get you to go to a site to give up personal information.

Also, it seems Mozilla Firebird has the same problem (I went to the test page with it), so it's not just limited to IE for those who don't double-check the URL displayed on the address bar... though Firebird does display the rest of the URL.
It's not a http://www.somesite.com@www.siteyou.are.seeing.com

It's that you see www.microsoft.com in the address field but the site hosting the info is www.weroxxuass.com

Post by Faram »

Here is the advisory:
Internet Explorer URL Spoofing Vulnerability

Secunia Advisory: SA10395
Release Date: 2003-12-09
Last Update: 2003-12-11

Critical: Moderately critical
Impact: ID Spoofing
Where: From remote

Software: Microsoft Internet Explorer 6


Description:
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.

The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in a URL.

Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.

This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.

Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html

A test is available at:
http://www.secunia.com/internet_explore ... fing_test/

The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected.

Solution:
Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.

Don't follow links from untrusted sources.

Reported by / credits:
Originally discovered by:
Zap The Dingbat

Status bar variant reported by:
Chris Hall

Changelog:
2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
Please don't assume just because you know of one bug all the buginfo regarding IE is the same.

Post by Hamel »

This bug is abused by almost every porn site on the web

You click on one link, expecting to find a juicy AVI, but it sends you to the index of some pay site
"Right now we can tell you a report was filed by the family of a 12 year old boy yesterday afternoon alleging Mr. Michael Jackson of criminal activity. A search warrant has been filed and that search is currently taking place. Mr. Jackson has not been charged with any crime. We cannot specifically address the content of the police report as it is confidential information at the present time, however, we can confirm that Mr. Jackson forced the boy to listen to the Howard Stern show and watch the movie Private Parts over and over again."

Post by Faram »

Hamel wrote:This bug is abused by almost every porn site on the web

You click on one link, expecting to find a juicy AVI, but it sends you to the index of some pay site
Nope it's much worse than that!

Take a look at these screenshots from my computer:

Image

Image

It only says microsoft in the address field and the status field, but the page serving this is:
Exploit page

Or this:

Use cut & paste; direct linking doesn't work.

Exploit page

The second example is the dangerous one: click it and, for all intents and purposes, it looks like Symantec's page.

Now imagine a con going like this:

1. Send out a mail containing this info:
Get all Symantec products for $20, just click this link.

2. You click the link and it says www.symantec.com on top and the status field says symantec.

3. You click the pay icon and get a secure connection with certificates and everything!

4. You enter your credit card information.

5. You are owned: the site you entered information into is not Symantec but a Russian credit card harvester that now has your credit card number, expiry date, security code and your name!

THIS IS REALLY FUCKING BAD, DON'T COMPARE IT TO REMOTE LINKING AND STUFF!

And please, before commenting "seen this before" and crap:

Go to the FUCKING demo page with Internet Explorer and try it out!

This is the biggest goddamn identity theft risk EVER!
Last edited by Faram on 2003-12-12 06:24am, edited 1 time in total.

Post by phongn »

Holy shit. This is heading up.

Post by Faram »

Thanx Phongn.

Oh and as icing on the cake.

There is NO fix for this yet.

The only way to be safe:

DON'T USE INTERNET EXPLORER

Get Mozilla, Firebird, Opera, whatever, just DON'T USE MSIE!!!!


Please trust me on this one I work with security and this is about the worst exploit ever. The ramifications are huge!

Post by Einhander Sn0m4n »

Corollary: Don't expect a fix from Microsoft. We may be lucky, but still, don't expect a fix.

Get Mozilla ASAP.

Post by phongn »

Einhander Sn0m4n wrote:Corollary: Don't expect a fix from Microsoft. We may be lucky, but still, dont expect a fix.
Cease with the mindless Microsoft bashing, Ein. Microsoft will release a patch for this.

Post by Faram »

Microsoft's reply:

http://support.microsoft.com/?id=833786
SUMMARY
When you point to a hyperlink in Internet Explorer, Outlook Express, or Outlook the address of the Web site typically appears in the Status bar. After you click a link that opens in Internet Explorer, the address of the Web site typically appears in the Internet Explorer Address bar and the title of the Web page typically appears in the Title bar.

However, a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar. This article describes steps that you can take to help mitigate this issue and to help you identify a deceptive (spoofed) Web site or URL.
MORE INFORMATION
You can take the following actions to help make sure that you are visiting the Web site that you intend to visit.

Make sure that the Web sites are using Secure Sockets Layer/Transport Layer Security (SSL/TLS) before you type any sensitive information. To do this, verify that the lock icon appears in the lower right corner of the Internet Explorer window. Also, check the certificate that you use when you visit SSL/TLS Web sites. For additional information about how to do this, visit the following Microsoft Web site:
http://www.microsoft.com/security/incident/spoof.asp

To help identify the URL for a link
To help identify the URL for a link in Internet Explorer:
1. Right-click the link, and then click Copy Shortcut.
2. Click Start, and then click Run.
3. Type Notepad, and then click OK.
4. On the Edit menu in Notepad, click Paste.
To help identify the URL of a Web page
To help identify the URL of the Web page you are currently viewing in Internet Explorer use one of the following methods:
Method 1:
Use a JScript command in Internet Explorer. In the Address bar, type the following command, and then press ENTER:

javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

The JScript message box shows the actual URL Web address for the Web site that you are visiting.
You can also copy the following JScript code and paste it in the Address bar for a more verbose description of the Web site URL:

javascript:alert("The real URL is: " + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is: " + location.href + "\n" + "If the server names do not match, this may be a spoof.");
Method 2:
In the scenarios that Microsoft has tested, you can also use the History Explorer Bar in Internet Explorer to help identify the URL of a Web page. On the View menu, point to Explorer Bar, and then click History. Compare the URL in the Address bar with the URL that appears in the History bar. If they do not match, the Web site is likely misrepresenting itself and you may want to leave the site by typing a new URL or exiting Internet Explorer.


Additional information
Consider taking the following actions to help increase your Internet security.

Note These actions do not help you to identify a deceptive (spoofed) Web site or URL. However, they restrict e-mail messages and Web sites in the Internet zone from running scripts, ActiveX Controls, and other potentially damaging content.
Use your Web content zones to help prevent Web sites that are in the Internet zone from running scripts, running ActiveX Controls, or running other damaging content on your computer. First, set your Internet zone security level to High in Internet Explorer. To do so, follow these steps:
1. On the Tools menu, click Internet Options.
2. Click the Security tab, click Internet, and then click Custom level.
3. Move the slider to High, and then click OK.
Next, add the URLs for Web sites that you trust to the Trusted Sites zone. To do so, follow these steps:
1. On the Tools menu, click Internet Options.
2. Click the Security tab.
3. Click Trusted sites.
4. Click Sites.
5. If the sites that you want to add do not require server verification, click to clear the Require server verification (https:) for all sites in this zone check box.
6. Type the address of the Web site you want to add to the Trusted sites list.
7. Click Add.
8. Repeat steps 6 and 7 for each Web site that you want to add.
9. Click OK two times.
Read E-mail Messages in Plain Text.

For Outlook 2002 and Outlook 2003:


307594 OL2002: Users Can Read Nonsecure E-mail as Plain Text

831607 How to View All E-Mail Messages in Plain Text Format in Outlook 2003



For Outlook Express 6.0:
291387 OLEXP: Using Virus Protection Features in Outlook Express 6

By following the steps in these articles, you can see the full URL of any hyperlink and you can examine the hyperlink address that Internet Explorer will use. If the URL contains any one of the following characters, it could lead to a spoofed Web site:
%00
%01
@
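The Secunia advisory above recommends filtering the offending character sequences in a proxy or URL filter, and the Microsoft article lists "%00", "%01" and "@" as the indicators to look for. The following script is an added example for this thread (not code from Secunia, Microsoft or any of the posters) showing what such a check looks like: it splits a link the way the generic URL rules do (the server is whatever follows the last "@" in the authority, which is also what the KB's location.hostname trick reports), pulls out the hostname the spoof would have shown, and returns a verdict a mail gateway or proxy could act on. Sample links are constructed; the first is the advisory's own example. IPv6 bracket hosts are not handled (assumption: the links being screened are plain hostnames, as in the advisory).

```python
"""Static URL check for the "%01%00@" address-bar spoof described in
Secunia SA10395 and Microsoft KB 833786.

Added illustration for this thread, not code from Secunia, Microsoft or the
original posters. It inspects the URL string only; nothing is fetched.
Assumption: plain hostnames, no IPv6 bracket syntax in the authority.
"""
import re
from urllib.parse import urlsplit, unquote

# Encoded control characters named by the advisory as the trigger.
SUSPICIOUS_ENCODED = ("%00", "%01")
_CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f]")


def analyse_url(url):
    """Return a verdict dict for one URL.

    verdict: "ok"    -> no userinfo part at all
             "warn"  -> userinfo present (ordinary basic-auth form, but the
                        KB lists "@" itself as a spoof indicator)
             "block" -> userinfo hides %00/%01 or is shaped like a hostname,
                        i.e. the pattern from the advisory
    """
    parts = urlsplit(url)
    # The real server is whatever follows the LAST "@" in the authority.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    actual_host = hostport.split(":", 1)[0].lower()
    report = {
        "url": url,
        "actual_host": actual_host,   # what location.hostname reports
        "displayed_host": None,       # what the spoofed bar would have shown
        "reasons": [],
        "verdict": "ok",
    }
    if not at:
        return report

    report["verdict"] = "warn"
    report["reasons"].append("userinfo before '@' in authority")

    hits = [s for s in SUSPICIOUS_ENCODED if s.lower() in userinfo.lower()]
    if hits:
        report["reasons"].append(
            "encoded control chars in userinfo: " + ", ".join(hits))

    # A spoofed bar shows the userinfo up to the first control character;
    # strip any ":password" part so a real basic-auth login is not mistaken
    # for a hostname.
    visible = _CONTROL_CHAR.split(unquote(userinfo), maxsplit=1)[0]
    visible = visible.split(":", 1)[0].lower()
    if "." in visible:
        report["displayed_host"] = visible
        report["reasons"].append(f"userinfo looks like a hostname ({visible})")

    if hits or report["displayed_host"]:
        report["verdict"] = "block"
    return report


def screen(urls):
    """Apply analyse_url to many links; returns {url: verdict}."""
    return {u: analyse_url(u)["verdict"] for u in urls}


# Constructed sample links (the first is the advisory's own example).
SAMPLE_URLS = [
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "http://www.example.com/login",
    "http://alice:secret@intranet.example/report.ext",
    "http://www.example.com@203.0.113.5/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        print(f"{r['verdict']:5}  real host={r['actual_host']!r:22} "
              f"shown={r['displayed_host']!r}  {'; '.join(r['reasons'])}")
```

Run as a script it prints one line per sample link; in a filter you would call screen() on the links extracted from a message or proxy log and drop or rewrite anything that comes back "block". Note that the fourth sample carries no control characters at all and is still flagged, because a userinfo that looks like a hostname is the spoof Mad described (the plain "site.com@real.site" form), while the advisory's "%01%00" variant is what hid the rest of the address in IE's bars.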

Post by Faram »

More info from Microsoft.

Linky
Take Steps to Avoid Getting Tricked by Spoof Websites

December 12, 2003




During the hectic holiday season, many shoppers rely on the convenience and speed of shopping online. If you're among them, be sure to use the same level of caution on the Web that you would use at a crowded mall or gift shop. Otherwise you could be taken advantage of by malicious individuals. And unfortunately this year, the holiday shopping season is coinciding with a rise in spoofing on the Web.

In a spoofing attack, you can be misled into visiting a malicious website. The site typically tries to trick you into taking some type of unsafe action. These attacks are becoming more common and are hard to detect, so all shoppers need to be cautious about the websites they visit and the actions they take.
What Can Happen—And How to Avoid It

Malicious hackers and virus writers can lure you to their spoofed websites, where you can be tricked into downloading a harmful virus or revealing personal information. They can do this by sending you deceptive e-mail or by enticing you to click a link to a malicious website.

You can increase your online safety by checking the security of the website you're on before submitting any personal information: make sure there's a yellow lock icon on the Microsoft® Internet Explorer status bar. This symbol signifies that the website uses encryption to help protect any sensitive personal information—credit card number, Social Security number, payment details—that you enter.



Secure site lock icon. If the lock is closed, then the site uses encryption.


Double-click the lock icon to display the security certificate. When you check the certificate, the name following Issued to should match or be similar to the site you think you are on. If the name differs greatly, you may be on a spoofed site. If you are not sure whether a certificate is legitimate, do not enter any personal information. Play it safe and leave the website.



Legitimate certificate. When new subscribers sign up for MSN® services, they can match the Issued to domain name (msn.com) to the website domain name (also msn.com).


Also, be cautious about clicking links in e-mail messages or in online ads from retailers you don't recognize or trust. If you have any doubt about a link, do not click it. Instead, type the website address into the address bar of your Web browser, or try to confirm that the link is legitimate. Remember, if an offer sounds too good to be true, it probably is.
Some images missing, clicky on da linky!

Post by Sriad »

:Gives his Mozilla a hug:

Post by Isil`Zha »

:shock: Whoa, and very very easy to do (I just did it myself as an example on another forum)

hmm... I may have to post this problem elsewhere
Though we are not now that strength which in old days
Moved earth and heaven, that which we are, we are,--
One equal temper of heroic hearts,
Made weak by time and fate, but strong in will
To strive, to seek, to find, and not to yield.

Post by RogueIce »

One thing I noticed on the spoof site, is when you look at another link in the status bar, or click on any other link, it will all say microsoft.com on it.

Of course, if it's in frames you wouldn't notice it anyway in the title bar, but if every link I go to has the address I'm already pointing at in the status bar, I'd be suspicious...

Of course, I'm using IE 5 here. Shows how up to date I am. :)
"How can I wait unknowing?
This is the price of war,
We rise with noble intentions,
And we risk all that is pure..." - Angela & Jeff van Dyck, Forever (Rome: Total War)

"On and on, through the years,
The war continues on..." - Angela & Jeff van Dyck, We Are All One (Medieval 2: Total War)
"Courage is not the absence of fear, but rather the judgment that something else is more important than fear." - Ambrose Redmoon
"You either die a hero, or you live long enough to see yourself become the villain." - Harvey Dent, The Dark Knight

Post by Isil`Zha »

RogueIce wrote:One thing I noticed on the spoof site, is when you look at another link in the status bar, or click on any other link, it will all say microsoft.com on it.

Of course, if it's in frames you wouldn't notice it anyway in the title bar, but if every link I go to has the address I'm already pointing at in the status bar, I'd be suspicious...

Of course, I'm using IE 5 here. Shows how up to date I am. :)
Well, that 'trick' only has to be done to the first link, and automatically after that every subsequent *normal* link will show up the same like that. However, if that trick is used in every subsequent link on the site to show a different URL in every section of the site, then it becomes a bit harder to notice...

Post by Faram »

First scumbag in jail for using this bug when phishing.

The Register

Post by Faram »

Sorry for da necro but this patch:

Microsoft.com

Fixes this.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext