[Full-Disclosure] RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition
- To: "'Drew Copley'" <dcopley@xxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition
- From: Jelmer <jkuperus@xxxxxxxxx>
- Date: Sat, 19 Jun 2004 04:31:09 +0200
>As an addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...
Don't mind if I do :)
The following demo will read out your logon name and your logon domain, or
at least it should :)
http://jelmer.homedns.org/test.htm
The url used is http://jelmer%2fwww.jelmer.homedns.org
The problem is that IE looks at the part before the %2f to determine the
security zone etc. but then loads the URL in its entirety, like this:
http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded
IE treats any URL it sees without a period in it, such as http://jelmer, as
part of the Local Intranet Zone.
From the intranet zone we can easily obtain the logon name because automatic
logon through NTLM is enabled by default in the intranet zone.
Code at http://jelmer.homedns.org/code.zip
I excluded the rather large jcifs jar; you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder.
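As an added example (not the post's own code, which is in the linked code.zip), the Python check below models the split the post describes: the security zone is decided on the authority text before the first %2f, while the decoded authority is what actually gets loaded. The rule that a host without a period lands in the Local Intranet Zone is taken from the post; treating any percent-encoded slash in the authority as a mismatch worth flagging in a mail or proxy filter is the checker's own assumption.

```python
"""Flag URLs whose authority contains a percent-encoded slash, the pattern
that makes IE pick a zone from one host string but load a different one."""
from urllib.parse import urlsplit, unquote


def ie_zone_for_host(host: str) -> str:
    """Rule from the post: a host with no period is Local Intranet."""
    return "intranet" if "." not in host else "internet"


def analyze_url(url: str) -> dict:
    """Return what the zone check sees versus what the loader sees.

    zone_host:     authority text before the first %2f (what picks the zone)
    loaded_target: the fully decoded authority (what is actually requested)
    mismatch:      True when an encoded slash splits the two views AND the
                   zone-determining part would be trusted as intranet
    """
    authority = urlsplit(url).netloc
    idx = authority.lower().find("%2f")
    zone_host = authority[:idx] if idx != -1 else authority
    loaded_target = unquote(authority)
    zone = ie_zone_for_host(zone_host)
    return {
        "zone_host": zone_host,
        "zone": zone,
        "loaded_target": loaded_target,
        "mismatch": idx != -1 and zone == "intranet",
    }


def flag_urls(urls):
    """Filter helper: keep only URLs that show the zone/load mismatch."""
    return [u for u in urls if analyze_url(u)["mismatch"]]


if __name__ == "__main__":
    # Constructed sample: the post's URL plus two benign ones.
    sample = [
        "http://jelmer%2fwww.jelmer.homedns.org",
        "http://www.example.com/index.htm",
        "http://intranet/page.htm",
    ]
    for u in sample:
        print(u, analyze_url(u))
    print("flagged:", flag_urls(sample))
```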