[Dshield] MSFT Internet Explorer, %01 URL spoofing

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sun Dec 14 02:40:58 GMT 2003

Hi list,

On Sat, 13 Dec 2003 17:11:27 -0500 Eric Tillery  wrote:
> One thing that is often overlooked is the ability to right-click
> on the page and look at the properties. Doing this, the page is
> clearly a fake:
> http://www.k6az.com/forums/fakebank_iex6.jpg

Eric, I found a couple of other tricks, then saw your post and was 
excited. However, your tip (and some of mine, below) do **NOT** work 
with the "%001" URL in http://johannes.homepc.org/ievuln.html (tested 
with latest IE6SP1 on XP and NT4) so it should not be recommended.
Boy, this is tricky...

Has Johannes disclosed another vulnerability?

Johannes, what I dislike about your demo are the images from Verisign 
and Comodo (blame on the companies, not you :).

SSL protects connections. A Verisign certificate does not make a site 
secure. Last week one of my boxes was bashed on port 8025/TCP every 
half hour -for a couple of days- by a Thawte-SSL webshop in Canada. 
Perhaps it was misconfigured, maybe it was compromised (of course I 
informed their ISP, and as it kept bashing, I ran netcat plus tcpdump 
to confirm that the source-IP was not spoofed).

SSL and authenticity are more interrelated, but only if the site's 
private key has never left their box; AND you can trust DNS, the 
route between their box and your PC, and all software, configfiles 
(like hosts) and all certificates on your PC. As we all know, lots of 
home PC's are currently compromised. This may be more damaging than 
the %01 issue.

Also, people tend to confuse authenticity with trustworthyness. If 
I'm drunk, I am still me, but you shouldn't trust everything I say. 
Similarly, the remote site can be cracked. Also the owner (or one of 
the company's current, or former, employees) could be malicious. 
Using %01 the webshop mentioned above could be Fakebank.com.

On Sat, 13 Dec 2003 14:42:44 -0500 Johannes Ullrich wrote:
> I am not exactly sure what to tell people that would like to
> protect themselves.


Tell users to distrust emails that ask them to do anything related to 
installing software, updating passwords, or financial transactions.

If an email looks legitimate and seems important, have them try to 
contact the sender, preferably by phone, to verify its authenticity. 
They should NOT use any phonenumbers mentioned in the email. If that 
is impossible, they can visit the homepage of the particular site by 
clicking it in their own list of favorites (or by manually entering 
the URL they are familiar with), and look for clues regarding the 
request, and follow applicable URL's from there - if any.

Without any other means of verification, people should NEVER fully 
trust emails. They're too easy to spoof and are not suitable for the 
requests mentioned.


People should learn to recognize malicious sites (and avoid them). 
Usually that's not hard at all (extra windows popping up, too many 
things blinking etc). They should be alarmed by other specific 
behavior. For example, if the mouse is over a link but the statusbar 
does not show the URL, then the site has something to hide. The same 
applies if you don't get the familiar context-menu when you press the 
right mouse-button. Also, pages with buttons probably have things to 
hide. Not many people step into a train without knowing where it 
goes. Why would you press a button without knowing what it does or 
where it takes you? It doesn't have to read "nuke" to get you in 


Keep your PC safe (you know the story). Don't do banking (or anything 
else that could damage you) in Internet cafe's. If you must start a 
session on any public computer, and it shows a logon screen, don't 
just enter your personal data like that (to prevent someone from 
trojaning you). Be creative: make sure it starts a new session. Don't 
have "helpful" people look over your shoulder when you enter 
sensitive data. Use a unique password per site.

Browsing tips:

Note: these apply to MSIE6 SP1, and probably most older IE versions. 
IE is used by most people, and IIRC some banks won't even accept 
anything else.

(1) When you click a link in a web page, most webbrowsers will inform 
the target site where you came from; that is, the full URL of the 
previous page you visited will be handed over to the target site 
during the connection phase. For example, when you click an URL to my 
webserver in your Yahoo webmail, I will know that you have a Yahoo 
webmail account, and that the URL was in an email in your inbox. Also 
it is quite common to find Google keywords in webserver logs, so 
webmasters will know what you (actually the IP-address you used) were 
looking for. Shift-click, which conveniently opens the URL in a new 
IE window, also sends the former URL.

To avoid this, simply rightclick the URL and choose "Copy Shortcut". 
Then click in the URL-bar (this "selects" the current URL) and press 
Ctrl-V ot overwrite (open a new window and paste if you don't want to 
close the old one). If the URL was spoofed with %01 you will notice 
the two hostnames separated by a vertical bar, which should ring 
alarm bells. Pasting in Notepad works as well.

Note: if you see something like: javascript:menu('234') then this 
trick won't work (press Ctrl-Z to restore the old URL). It's like the 
button; you don't know where it's taking you. Usually it's on the 
same site, but this is not necessarily true. You could try to 
complain with the site's webmaster, because this means you must have 
javascript enabled to visit the site.

(2) Add the current URL to your Favorites. Then simply reopen the
page from the Favorites menu. MSIE6 SP1 then shows the actual URL.
Note that a "favorite" remembers multiple URL's if (sub) frames are 
in use.

Readers, please test the above tips in your favorite browser and let 
the list know if they work or not.

Tips nr. 3 and 4 below, like Eric's suggestion, do *NOT* work for the 
last "%001" URL in http://johannes.homepc.org/ievuln.html so they too 
are not recommended. I'll mention them for completeness:

(3) Browse to any URL. When in doubt, go to menu "File" and click 
"Print Preview" (or Print the page and waste part of a forest). The 
bottom of the page reveals the actual URL. NOT RECOMMENDED.

(4) Under menu "File" choose "Save As" and save the current webpage 
to a temp folder. Start Notepad (or another text-editor, not Word). 
Use Explorer to open the temp folder, then drag the .htm file you 
just saved over the editor and drop it. Check the line at the top 
that says "<- saved from url=". NOT RECOMMENDED.

> Looking at the certificate will of course help. But thats not
> always so easy for a non-technical user.

I disagree. The string following "Issued to:" should match the 
hostname part in the URL. We have to educate non-technical people 
(including managers and governments) on PKI. As Bruce Schneier (and 
others) pointed out we should not leave this to PKI vendors.

I wrote some suggestions for improvement of MSIE on FD, one archive 
is here: http://seclists.org/lists/fulldisclosure/2003/Dec/0463.html


More information about the list mailing list