[Dshield] *** SDG Security Alert *** URL Parsing Vulnerability

Ben Robson ben at robson.ph
Thu Dec 11 15:45:40 GMT 2003

*Purpose:* 	*SecureData Group Security Alert*
Subject: 	URL parsing vulnerability.
Threat Level: 	*Medium*
Date: 	12th December 2003
Systems Affected: 	Microsoft Internet Explorer 5 & 6
Outlook Express 6
Mozilla Firebird 0.7 (unconfirmed)

    Microsoft Internet Explorer is the primary World Wide Web browser 
package used on the Microsoft Windows & Macintosh operating systems.  
Microsoft Outlook Express is the default email client provided to all 
users of the Microsoft Windows operating system, along with the Internet 
Explorer browser.  With such a dominance of the desktop PC market space 
any vulnerability that might be proven to exist has a very high 
potential to be exploited by malicious users.  The Mozilla Firebird web 
browser is an early development release of an alternate web browser.

    A vulnerability has been identified that allows a link to be given 
to the WWW browser, via a web site, email or other mechanism, that will 
send the browser or email client to a page of content, but indicate 
within the URL Address (location) bar an incorrect address.  For 
example, a link may direct the user to a web site address of 
"http://www.foobar.not.real/index.html" but upon displaying the served 
content the browser can be made to display the URL 

    As a result of this vulnerability a malicious user may be able to 
create a series of fake websites and/or web pages that look like a 
legitimate company, and ask the user for credit card details.  However 
upon going to the page, inspite of what the URL states, the user is in 
fact at the malicious users web site.  As a result the user may 
unwittingly enter important personal information in to the displayed web 
site.  Using a technique such as this with the recent 'eBayUpdates' scam 
would have made the scam almost impossible to detect until it was too 
late for many thousands of victims.


*Who is Affected:*
    All users of Microsoft Internet Explorer 5 or 6 are affected by this 

    All users of Microsoft Outlook Express 6 are affected by this 

    All users of Mozilla Firebird 0.7 (Linux & Windows) are affected by 
this vulnerability.

    It has been suggested that the following versions are not vulnerable:
       - Internet Explorer 5.00.3700.1000 (SP4, Q824145)      - unconfirmed


*Symptoms if Exploited or Targeted:*
    Causing a victim to fall prey to this vulnerability requires the 
ability to present an HTML encoded WWW link.  Such a link is one whereby 
the full URL has been hidden or labeled, as per a normal web site button 
or link.  The encoded link may be presented to the user as a link on a 
web site, a graphical or form button on a web site, or any of these 
methods within an email message.

     Identifying that you have fallen victim to this vulnerability may 
prove very difficult.  Without spending impractical amounts of time 
investigating the source of all data sent to the web browser  the user 
has no appropriate means of determining that they have been sent to an 
illegitimate site.

    It is best to ensure that users of the Internet Explorer or Mozilla 
Firebird browsers only follow links to web sites that they know to be 
good and that users do not follow WWW links presented to them within a 
received email message, if using Microsoft Outlook Express 6.


    The following actions are recommended as short term and long term 
tactics in response to this threat.
     */ Mitigation:/*
      Advertise to all users within your organisation, using the 
Microsoft Internet Explorer, Mozilla Firebird 0.7 World Wide Web 
browsers or the Microsoft Outlook Express email client that they should 
treat all present WWW links with due caution and suspicion. Users should 
be instructed to not follow web site links on web pages they can not be 
100% confident have not been tampered with or are potentialy points of 
attack.  Extreme caution is urged when using the web sites of smaller 
organisations, associations or individuals.  Users should be urged to 
not follow WWW links presented to them in received email messages, 
unless they can independently verify their validity.

      /*Permanent Repair:*/
      As yet no patch for this vulnerability is available from the vendors.

      Administrators should contact their vendors to enquire as to the 
likely release date/time of a patch.


      On the 9th of December 2003 a vulnerability was identified within 
version 6.0.2800.11.06C0 of the Microsoft Internet Explorer World Wide 
Web browser.  The vulnerability identified related to the method by 
which URLS were parsed by the browser when a "%01@" or "0x01@" is 
included in the URL.

      When a URL is crafted to contain  either the encoding "%01@" or 
"0x01@" the web vulnerability in question will interpret the URL in such 
a way that the contents to the right of the encoding would be loaded and 
displayed within the web browser, whilst the URL Address bar would stop 
displaying the URL at the begining of the "%01@" or "0x01@" encoding.  
As a result of this a URL encoded as 
"http://www.microsoft.com%01@www.foobar.not.real/index.html" would 
display the contents located on the "www.foobar.not.real/index.html" WWW 
server, whilst placing the URL "http://www.microsoft.com" in to the 
browser Address bar.

      The result of this is that an attacker may set up a web site that 
contains a link entitled "eBay Accounts" that when selected takes the 
browser to a web site that looks exactly like an eBay web site, and has 
the eBay.com URL in the Address bar.  However the content may be 
displayed from a completely seperate web server, that is not affiliated 
with eBay in any manner.  The outcome of this is that the user of the 
browser may easilly be convinced to enter their personal details 
(credit-card details, social security details, etc...) in to the 
fraudulant web site.

       A working example of the exploit may be observed at the following 
site:  http://www.zapthedingbat.com/security/ex01/vuln1.htm

       Later investigations by members of the Information Security 
community have revelaed that Microsoft Outlook Express version 6 and 
Mozilla Firebird version 0.7 are also vulnerable to this attack.



    SecurityFocus:   http://www.securityfocus.com/archive/1/346948

    Credit: Zap The Dingbat (http://www.zapthedingbat.com)


More information about the list mailing list