[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] IE 0x01 Byte URL Spoofing Vulnerability[Scriptless PoC Exploit & Additional Details]

To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] IE 0x01 Byte URL Spoofing Vulnerability[Scriptless PoC Exploit & Additional Details]
From: S G Masood <sgmasood@yahoo.com>
Date: Fri, 12 Dec 2003 13:30:02 -0800 (PST)

 
 

__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/

Hello all,



There is a big misconception about the recent 0x01 URL Spoofing vuln. in 
several peoples' mind that scripting is necessary for exploitation. However, 
this is not the case. Instead of using the %01 sequence and unescaping it[1] 
like in all the exploits posted till now, an hex editor can be used to directly 
embed the 0x01 byte in the URL. I have attached a proof of concept exploit to 
demonstrate this issue.

[1] unescape('http://www.a.com%01@b.com/spoof.htm');


Although, the actual vulnerability is very simple, there has been a lot of 
confusion with people misunderstanding its nature, scope and exploitation 
inspite of the presence of a number of proof of concept exploits. Apart from 
this, many other ideas and exploits have been presented by several people for 
both mitigation and better exploitation. A few facts about this vulnerability 
are presented below. I hope this clears some of the confusion.

1. This is only possible with the 0x01 byte.
2. SCRIPTING is NOT NECESSARY to exploit this vulnerability. A hex editor can 
be used to embed the 0x01 byte. See the attached exploit.
3. This is not the same as the infamous "http://a@b URL Obfuscation" technique 
that is mostly used by spammers.
4. If the %01 sequence is used, it is necessary to unescape() it.
5. IMO, this issue is not caused by an anomaly in IE's handling of 
non-printable characters.
6. According to current information in the public domain, no other browser 
except IE and dependant SW like Outlook is vulnerable to this issue. So this is 
a Microsoft specific issue.
7. Other techniques like adding a null byte, using onmouseover or onclick, 
using %09, etc are used to obfuscate the malicious link in the status bar when 
the mouse is hovered over the link. These are not part of the 0x01 URL Spoofing 
vulnerability and completely unrelated.
8. It is not necessary to tie the malicious URL to a button.
9. This vulnerability is really critical. Reasons have been discussed in great 
detail on the lists. Think about the ease of exploitation, no scripting 
required, etc...


Regards,


--
S.G.Masood

Hyderabad,
India.

Attachment: PoC.zip
Description: PoC.zip

Follow-Ups:
- Re: [Full-Disclosure] IE 0x01 Byte URL Spoofing Vulnerability[Scriptless PoC Exploit & Additional Details]
  - From: Piotr Bulczak <piotr.bulczak@pl.abb.com>

Prev by Date: [Full-Disclosure] Re: A new TCP/IP blind data injection technique?
Next by Date: [Full-Disclosure] Re: A new TCP/IP blind data injection technique?
Previous by thread: Re: [Full-Disclosure] Secunia Advisory: URL Spoofing
Next by thread: Re: [Full-Disclosure] IE 0x01 Byte URL Spoofing Vulnerability[Scriptless PoC Exploit & Additional Details]
Index(es):
- Date
- Thread