Topic awaiting preservation: yet another vulnerability in MSIE (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=7321" title="Pages that link to Topic awaiting preservation: yet another vulnerability in MSIE (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: yet another vulnerability in MSIE <span class="small">(Page 1 of 1)</span>\$

poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 12-09-2003 21:48 Many already know the use of fake URLs like http://usernameassword@malicious_site.com to fool the users and make them believe they are going to a trusted site ( i.e: http://www.microsoft.com&session%124987f3a@ozoneasylum.com ). But as usual with MSIE, the thing are even worse. If you add a 0x01 character after the @ symbol in the fake URL, MSIE considers it as a string delimiter and simply show the fake part of the URL. You can see that vulnerability in action, and the release of the bug on BugTraq. I've tested the exploit in Firebird, and it does not trick the browser. You know what to do now... Mathieu "POÏ" HENRI [edit] disabling the slimies [/edit] [This message has been edited by poi (edited 12-09-2003).]
InI Paranoid (IV) Mad Scientist From: Somewhere over the rainbow Insane since: Mar 2001	posted 12-09-2003 21:58 The poster has demanded we remove all his contributions, less he takes legal action. We have done so. Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future. Don't follow his example - seek real life help first.
HZR Bipolar (III) Inmate From: Cold Sweden Insane since: Jul 2002	posted 12-09-2003 22:12 Woah. That _is_ serious.
InI Paranoid (IV) Mad Scientist From: Somewhere over the rainbow Insane since: Mar 2001	posted 12-09-2003 22:14 The poster has demanded we remove all his contributions, less he takes legal action. We have done so. Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future. Don't follow his example - seek real life help first.
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 12-09-2003 22:41 That kind of vulnerability combined with a fake remake of a site can be used to steal some credit card numbers, paypal accounts ... Microsoft haven't released a fix so far, and due to their brilliant "Monthly security update" policy, it shouldn't be fixed until january. That's a good news for all the hackers around the world who wished to make some Christmas presents with your own credit card. Thank you Microsoft. Mathieu "POÏ" HENRI
Suho1004 Maniac (V) Inmate From: Seoul, Korea Insane since: Apr 2002	posted 12-10-2003 03:00 InI: I just tried your test page, but it didn't work in my browser (IE6/Win). The address bar simply displayed what I had typed into the text box. ___________________________ Suho: www.liminality.org
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 12-10-2003 05:01 Suho1004: that's exactly what the vulnerability does. If you right click and look the actual location of the page, you'll see that the one displayed in MSIE's address bar stops at the 0x01 character. That way you can fool some visitors and make them believe they are surfing a gentle site while they actually are in a booby trap . Mathieu "POÏ" HENRI
Suho1004 Maniac (V) Inmate From: Seoul, Korea Insane since: Apr 2002	posted 12-10-2003 07:07 poi: Are we finished rolling our eyes at each other now? Good. Now go look at InI's test page and see what it does. You'll notice that after typing something in the text box and hitting "test exploit," the page that pops up says "Location in address bar should be http://www.microsoft.com." I was pointing out that the address bar does not, in fact, say "http://www.microsoft.com." Yes, the exploit works, but it doesn't look like it does because the page made me expect to see something else. Geez, you try to point out something and you get eyes rolling all over the place! ___________________________ Suho: www.liminality.org
Skaarjj Maniac (V) Mad Scientist From: :morF Insane since: May 2000	posted 12-10-2003 10:13 Suho: I think what InI's trying to say there is that the address bar should say www.microsoft.com becuase that's the site he's called up, instead what it's done is effectivly performed a URL mask. So a person would make a fake bak site for instance and steal people's login details by making the URL link to their address, but using this trick to mask it and make it look like the actual bank's website.
prawnstar69 Bipolar (III) Inmate From: Loughborough, Leics. UK Insane since: Sep 2003	posted 12-10-2003 10:20 can't you get free web masking thingies anyway? i know the old cjb.net ones give you the option to mask every page on your site as www.???.cjb.net so i'm sure there are sites that let you msk anything on top...
Skaarjj Maniac (V) Mad Scientist From: :morF Insane since: May 2000	posted 12-10-2003 12:28 Yes, but you couldn't get one that would mask your URL to an existing one, or one that would allow you to do harm like this would
InI Paranoid (IV) Mad Scientist From: Somewhere over the rainbow Insane since: Mar 2001	posted 12-10-2003 13:43 The poster has demanded we remove all his contributions, less he takes legal action. We have done so. Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future. Don't follow his example - seek real life help first.
Suho1004 Maniac (V) Inmate From: Seoul, Korea Insane since: Apr 2002	posted 12-10-2003 15:09 Skaarjj: No, he didn't call up Microsoft. How come nobody understands what I'm saying? quote: since it is not on a server I own, I couldn't change what is staticly built in the target page Yes, that it's right there. Now the confusion is cleared up. Thank you. ___________________________ Suho: www.liminality.org
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 12-10-2003 15:26 Suho1004: After my rolling eyes, you get my tongue for not looking InI's script in details to see that he routed his test to the page I submitted in the first place. No hard feelings, I'm kidding. InI: one of the most serious kind of attack I can think of, is if someone hacks some trusted sites and replace some links with some fake URLs. Many hosts have some wide and easy to spot security holes waiting for that. Mathieu "POÏ" HENRI [This message has been edited by poi (edited 12-10-2003).]
InI Paranoid (IV) Mad Scientist From: Somewhere over the rainbow Insane since: Mar 2001	posted 12-10-2003 16:02 The poster has demanded we remove all his contributions, less he takes legal action. We have done so. Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future. Don't follow his example - seek real life help first.
norm Paranoid (IV) Inmate From: [s]underwater[/s] under-snow in Juneau Insane since: Sep 2002	posted 12-10-2003 16:43 Hmm.....maybe this is NOT a vulnerability . Perhaps it is a 'feature'. After all Mozilla has those really cool developer tools, Netscape has developer's sidebars available, so why not make IE hacker friendly....? I'm looking forward to the anonymous bulk-email feature.
Suho1004 Maniac (V) Inmate From: Seoul, Korea Insane since: Apr 2002	posted 12-11-2003 01:05 quote: you get my tongue Um, you really think we should be doing things like that in public? InI: Ah, that's a much better example. I've also noticed, though, that the link still shows the entire url and the status bar shows the same when loading the page, so it's not a complete disaster. You can detect that something funny is going on by just looking at the location in the status bar. Unless, of course, the hacker covered up the URL in the status bar, which would be quite devious. I think you'd still see the URL while it's loading, though. Granted, it still sucks, but there are ways to spot it if you're on your toes. ___________________________ Suho: www.liminality.org
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 12-11-2003 01:41 Suho1004: Oops, I always forget there's some young people wandering in the asylum. You're right, about the URL appearing in the status bar while loading. Nonetheless the URL being showed on hover of a link can be easily fooled by <a href="http://www.trusted_site.com" onclick="this.href=unescape('http://www.trusted_site.com%01@www.malicious_site.com')">trusted_site</a>. As you said, it can be spotted if you're careful, but the average user and the geeks juggling with several windows/tabs could be fooled. Mathieu "POÏ" HENRI
Alevice Paranoid (IV) Inmate From: Mexico Insane since: Dec 2002	posted 12-11-2003 02:49 onmouseover="window.status='anything but the real url'; return true;" __________________________________ Sexy Demoness cel
UnknownComic Paranoid (IV) Inmate From: Los Angeles Insane since: Nov 2003	posted 12-11-2003 04:38 Also as an added benefit to the hackers, to ensure they have a Merry Christmas, Microsoft will not be publishing a patch this month .... oops, nope they are patching oh wait ... it's a repeat patch? LOL! But rest assured they are on top of the IE Bug ... _____________ Is this thing on? A Work In Progress
Suho1004 Maniac (V) Inmate From: Seoul, Korea Insane since: Apr 2002	posted 12-11-2003 05:34 Alevice: Like I said, that would work for hovering over the link, but the browser would still show the true url while loading the page. It would be easy to miss, though. I just read some of those links UC posted. I don't get it. It says about a half dozen times or so that MS is "still investigating" the security holes. What does that mean? I mean, how long does it take to investigate something like this? It took us only a few days to investigate this one, even with my dim-wittedness slowing us down. ___________________________ Suho: www.liminality.org
Kriek Maniac (V) Inmate From: Florida Insane since: Jul 2001	posted 12-20-2003 19:53 Apache mod_rewrite module code: <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^ms/$ [url=http://www.microsoft.com@www.churchofsatan.com/]http://www.microsoft.com@www.churchofsatan.com/[/url] </IfModule> http://site.com/ms/ __________________ Jon Kriek www.phpfreaks.com
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 12-20-2003 20:14 Here's an interesting one. Someone else patched this http://openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17 .:[ Never resist a perfect moment ]:.
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 12-20-2003 21:40 Shit I'm gonna take this back. After reading the comments it looks like this patch is not ready for prime time. .:[ Never resist a perfect moment ]:.

Topic awaiting preservation: yet another vulnerability in MSIE (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=7321" title="Pages that link to Topic awaiting preservation: yet another vulnerability in MSIE (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: yet another vulnerability in MSIE <span class="small">(Page 1 of 1)</span>\$

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 12-09-2003 21:48

Many already know the use of fake URLs like http://usernameassword@malicious_site.com to fool the users and make them believe they are going to a trusted site ( i.e: http://www.microsoft.com&session%124987f3a@ozoneasylum.com ).

But as usual with MSIE, the thing are even worse. If you add a 0x01 character after the @ symbol in the fake URL, MSIE considers it as a string delimiter and simply show the fake part of the URL.

You can see that vulnerability in action, and the release of the bug on BugTraq.

I've tested the exploit in Firebird, and it does not trick the browser. You know what to do now...

Mathieu "POÏ" HENRI
[edit] disabling the slimies [/edit]

[This message has been edited by poi (edited 12-09-2003).]

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-09-2003 21:58

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

HZR
Bipolar (III) Inmate

From: Cold Sweden
Insane since: Jul 2002

posted 12-09-2003 22:12

Woah.
That _is_ serious.

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-09-2003 22:14

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 12-09-2003 22:41

That kind of vulnerability combined with a fake remake of a site can be used to steal some credit card numbers, paypal accounts ...

Microsoft haven't released a fix so far, and due to their brilliant "Monthly security update" policy, it shouldn't be fixed until january. That's a good news for all the hackers around the world who wished to make some Christmas presents with your own credit card. Thank you Microsoft.

Mathieu "POÏ" HENRI

Suho1004
Maniac (V) Inmate

From: Seoul, Korea
Insane since: Apr 2002

posted 12-10-2003 03:00

InI: I just tried your test page, but it didn't work in my browser (IE6/Win). The address bar simply displayed what I had typed into the text box.

___________________________
Suho: www.liminality.org

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 12-10-2003 05:01

Suho1004: that's exactly what the vulnerability does. If you right click and look the actual location of the page, you'll see that the one displayed in MSIE's address bar stops at the 0x01 character. That way you can fool some visitors and make them believe they are surfing a gentle site while they actually are in a booby trap .

Mathieu "POÏ" HENRI

Suho1004
Maniac (V) Inmate

From: Seoul, Korea
Insane since: Apr 2002

posted 12-10-2003 07:07

poi:

Are we finished rolling our eyes at each other now? Good. Now go look at InI's test page and see what it does. You'll notice that after typing something in the text box and hitting "test exploit," the page that pops up says "Location in address bar should be http://www.microsoft.com." I was pointing out that the address bar does not, in fact, say "http://www.microsoft.com." Yes, the exploit works, but it doesn't look like it does because the page made me expect to see something else.

Geez, you try to point out something and you get eyes rolling all over the place!

___________________________
Suho: www.liminality.org

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 12-10-2003 10:13

Suho:

I think what InI's trying to say there is that the address bar should say www.microsoft.com becuase that's the site he's called up, instead what it's done is effectivly performed a URL mask. So a person would make a fake bak site for instance and steal people's login details by making the URL link to their address, but using this trick to mask it and make it look like the actual bank's website.

prawnstar69
Bipolar (III) Inmate

From: Loughborough, Leics. UK
Insane since: Sep 2003

posted 12-10-2003 10:20

can't you get free web masking thingies anyway? i know the old cjb.net ones give you the option to mask every page on your site as www.???.cjb.net so i'm sure there are sites that let you msk anything on top...

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 12-10-2003 12:28

Yes, but you couldn't get one that would mask your URL to an existing one, or one that would allow you to do harm like this would

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-10-2003 13:43

Suho1004
Maniac (V) Inmate

From: Seoul, Korea
Insane since: Apr 2002

posted 12-10-2003 15:09

Skaarjj: No, he didn't call up Microsoft. How come nobody understands what I'm saying?

quote:
since it is not on a server I own, I couldn't change what is staticly built in the target page

Yes, that it's right there. Now the confusion is cleared up. Thank you.

___________________________
Suho: www.liminality.org

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 12-10-2003 15:26

Suho1004: After my rolling eyes, you get my tongue for not looking InI's script in details to see that he routed his test to the page I submitted in the first place.
No hard feelings, I'm kidding.

InI: one of the most serious kind of attack I can think of, is if someone hacks some trusted sites and replace some links with some fake URLs. Many hosts have some wide and easy to spot security holes waiting for that.

Mathieu "POÏ" HENRI

[This message has been edited by poi (edited 12-10-2003).]

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-10-2003 16:02

norm
Paranoid (IV) Inmate

From: [s]underwater[/s] under-snow in Juneau
Insane since: Sep 2002

posted 12-10-2003 16:43

Hmm.....maybe this is NOT a vulnerability . Perhaps it is a 'feature'. After all Mozilla has those really cool developer tools, Netscape has developer's sidebars available, so why not make IE hacker friendly....? I'm looking forward to the anonymous bulk-email feature.

Suho1004
Maniac (V) Inmate

From: Seoul, Korea
Insane since: Apr 2002

posted 12-11-2003 01:05

quote:
you get my tongue

Um, you really think we should be doing things like that in public?

InI: Ah, that's a much better example.

I've also noticed, though, that the link still shows the entire url and the status bar shows the same when loading the page, so it's not a complete disaster. You can detect that something funny is going on by just looking at the location in the status bar.

Unless, of course, the hacker covered up the URL in the status bar, which would be quite devious. I think you'd still see the URL while it's loading, though.

Granted, it still sucks, but there are ways to spot it if you're on your toes.

___________________________
Suho: www.liminality.org

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 12-11-2003 01:41

Suho1004: Oops, I always forget there's some young people wandering in the asylum.

You're right, about the URL appearing in the status bar while loading. Nonetheless the URL being showed on hover of a link can be easily fooled by <a href="http://www.trusted_site.com" onclick="this.href=unescape('http://www.trusted_site.com%01@www.malicious_site.com')">trusted_site</a>.

As you said, it can be spotted if you're careful, but the average user and the geeks juggling with several windows/tabs could be fooled.

Mathieu "POÏ" HENRI

Alevice
Paranoid (IV) Inmate

From: Mexico
Insane since: Dec 2002

posted 12-11-2003 02:49

onmouseover="window.status='anything but the real url'; return true;"

__________________________________

Sexy Demoness cel

UnknownComic
Paranoid (IV) Inmate

From: Los Angeles
Insane since: Nov 2003

posted 12-11-2003 04:38

Also as an added benefit to the hackers, to ensure they have a Merry Christmas, Microsoft will not be publishing a patch this month .... oops, nope they are patching oh wait ... it's a repeat patch? LOL!

But rest assured they are on top of the IE Bug ...

_____________
Is this thing on?

A Work In Progress

Suho1004
Maniac (V) Inmate

From: Seoul, Korea
Insane since: Apr 2002

posted 12-11-2003 05:34

Alevice: Like I said, that would work for hovering over the link, but the browser would still show the true url while loading the page. It would be easy to miss, though.

I just read some of those links UC posted. I don't get it. It says about a half dozen times or so that MS is "still investigating" the security holes. What does that mean? I mean, how long does it take to investigate something like this? It took us only a few days to investigate this one, even with my dim-wittedness slowing us down.

___________________________
Suho: www.liminality.org

Kriek
Maniac (V) Inmate

From: Florida
Insane since: Jul 2001

posted 12-20-2003 19:53

Apache mod_rewrite module

code:

<IfModule mod_rewrite.c> 

  RewriteEngine on

  RewriteRule ^ms/$ [url=http://www.microsoft.com@www.churchofsatan.com/]http://www.microsoft.com@www.churchofsatan.com/[/url] 

</IfModule>

http://site.com/ms/

__________________

Jon Kriek
www.phpfreaks.com

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-20-2003 20:14

Here's an interesting one.

Someone else patched this
http://openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17

.:[ Never resist a perfect moment ]:.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-20-2003 21:40

Shit I'm gonna take this back. After reading the comments it looks like this patch is not ready for prime time.

.:[ Never resist a perfect moment ]:.