[Dshield] MSFT Internet Explorer, %01 URL spoofing
Erik van Straten
emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sun Dec 14 02:40:58 GMT 2003
On Sat, 13 Dec 2003 17:11:27 -0500 Eric Tillery wrote:
> One thing that is often overlooked is the ability to right-click
> on the page and look at the properties. Doing this, the page is
> clearly a fake:
Eric, I found a couple of other tricks, then saw your post and was
excited. However, your tip (and some of mine, below) do **NOT** work
with the "%001" URL in http://johannes.homepc.org/ievuln.html (tested
with latest IE6SP1 on XP and NT4) so it should not be recommended.
Boy, this is tricky...
Has Johannes disclosed another vulnerability?
Johannes, what I dislike about your demo are the images from Verisign
and Comodo (blame on the companies, not you :).
SSL protects connections. A Verisign certificate does not make a site
secure. Last week one of my boxes was bashed on port 8025/TCP every
half hour -for a couple of days- by a Thawte-SSL webshop in Canada.
Perhaps it was misconfigured, maybe it was compromised (of course I
informed their ISP, and as it kept bashing, I ran netcat plus tcpdump
to confirm that the source-IP was not spoofed).
SSL and authenticity are more interrelated, but only if the site's
private key has never left their box; AND you can trust DNS, the
route between their box and your PC, and all software, configfiles
(like hosts) and all certificates on your PC. As we all know, lots of
home PCs are currently compromised. This may be more damaging than
the %01 issue.
Also, people tend to confuse authenticity with trustworthiness. If
I'm drunk, I am still me, but you shouldn't trust everything I say.
Similarly, the remote site can be cracked. Also the owner (or one of
the company's current, or former, employees) could be malicious.
Using %01 the webshop mentioned above could be Fakebank.com.
On Sat, 13 Dec 2003 14:42:44 -0500 Johannes Ullrich wrote:
> I am not exactly sure what to tell people that would like to
> protect themselves.
Tell users to distrust emails that ask them to do anything related to
installing software, updating passwords, or financial transactions.
If an email looks legitimate and seems important, have them try to
contact the sender, preferably by phone, to verify its authenticity.
They should NOT use any phone numbers mentioned in the email. If that
is impossible, they can visit the homepage of the particular site by
clicking it in their own list of favorites (or by manually entering
the URL they are familiar with), and look for clues regarding the
request, and follow applicable URLs from there - if any.
Without any other means of verification, people should NEVER fully
trust emails. They're too easy to spoof and are not suitable for the
People should learn to recognize malicious sites (and avoid them).
Usually that's not hard at all (extra windows popping up, too many
things blinking etc). They should be alarmed by other specific
behavior. For example, if the mouse is over a link but the statusbar
does not show the URL, then the site has something to hide. The same
applies if you don't get the familiar context-menu when you press the
right mouse-button. Also, pages with buttons probably have things to
hide. Not many people step into a train without knowing where it
goes. Why would you press a button without knowing what it does or
where it takes you? It doesn't have to read "nuke" to get you in
Keep your PC safe (you know the story). Don't do banking (or anything
else that could damage you) in Internet cafés. If you must start a
session on any public computer, and it shows a logon screen, don't
just enter your personal data like that (to prevent someone from
trojaning you). Be creative: make sure it starts a new session. Don't
have "helpful" people look over your shoulder when you enter
sensitive data. Use a unique password per site.
Note: these apply to MSIE6 SP1, and probably most older IE versions.
IE is used by most people, and IIRC some banks won't even accept
(1) When you click a link in a web page, most webbrowsers will inform
the target site where you came from; that is, the full URL of the
previous page you visited will be handed over to the target site
during the connection phase. For example, when you click a URL to my
webserver in your Yahoo webmail, I will know that you have a Yahoo
webmail account, and that the URL was in an email in your inbox. Also
it is quite common to find Google keywords in webserver logs, so
webmasters will know what you (actually the IP-address you used) were
looking for. Shift-click, which conveniently opens the URL in a new
IE window, also sends the former URL.
To avoid this, simply right-click the URL and choose "Copy Shortcut".
Then click in the URL-bar (this "selects" the current URL) and press
Ctrl-V to overwrite (open a new window and paste if you don't want to
close the old one). If the URL was spoofed with %01 you will notice
the two hostnames separated by a vertical bar, which should ring
alarm bells. Pasting in Notepad works as well.
trick won't work (press Ctrl-Z to restore the old URL). It's like the
button; you don't know where it's taking you. Usually it's on the
same site, but this is not necessarily true. You could try to
complain with the site's webmaster, because this means you must have
(2) Add the current URL to your Favorites. Then simply reopen the
page from the Favorites menu. MSIE6 SP1 then shows the actual URL.
Note that a "favorite" remembers multiple URLs if (sub) frames are
Readers, please test the above tips in your favorite browser and let
the list know if they work or not.
Tips nr. 3 and 4 below, like Eric's suggestion, do *NOT* work for the
last "%001" URL in http://johannes.homepc.org/ievuln.html so they too
are not recommended. I'll mention them for completeness:
(3) Browse to any URL. When in doubt, go to menu "File" and click
"Print Preview" (or Print the page and waste part of a forest). The
bottom of the page reveals the actual URL. NOT RECOMMENDED.
(4) Under menu "File" choose "Save As" and save the current webpage
to a temp folder. Start Notepad (or another text-editor, not Word).
Use Explorer to open the temp folder, then drag the .htm file you
just saved over the editor and drop it. Check the line at the top
that says "<- saved from url=". NOT RECOMMENDED.
> Looking at the certificate will of course help. But thats not
> always so easy for a non-technical user.
I disagree. The string following "Issued to:" should match the
hostname part in the URL. We have to educate non-technical people
(including managers and governments) on PKI. As Bruce Schneier (and
others) pointed out we should not leave this to PKI vendors.
I wrote some suggestions for improvement of MSIE on FD, one archive
is here: http://seclists.org/lists/fulldisclosure/2003/Dec/0463.html
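The two checks the post recommends, inspecting a pasted URL for a second hostname hidden in front of the real one, and comparing the certificate's "Issued to:" name against the hostname part of the URL, can be automated. The following is an added example written for this archive page, not code from the original post or from any of the people quoted. It uses only the Python standard library; every sample URL and certificate name in it is constructed (reserved `.test` domains), and the `analyze_url` / `cert_name_matches` function names are my own.

```python
"""Detect userinfo-based URL spoofing of the kind discussed in the thread:
a hostname placed in the userinfo part of the URL, followed by an encoded
control byte such as %01, in front of the host the browser really connects to.
Added example; sample URLs and names below are constructed, not from the post."""
from urllib.parse import urlsplit, unquote


def analyze_url(url: str) -> dict:
    """Return the host a browser actually connects to, plus flags that
    indicate the URL is dressed up to look like a different site."""
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = ""
    if "@" in netloc:
        # Everything before the last '@' is userinfo (user[:password]),
        # not the host; this is exactly what the %01 trick relies on.
        userinfo = netloc.rsplit("@", 1)[0]
    decoded = unquote(userinfo)
    # Control bytes (0x00-0x1F, 0x7F) have no business in a username;
    # the post's "%01" decodes to one of these.
    control = [c for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F]
    # Heuristic: a "username" containing a dot reads like a domain name,
    # which is the whole point of the disguise (may misfire on odd logins).
    looks_like_host = "." in decoded.split(":", 1)[0]
    suspicious = bool(userinfo) and (bool(control) or looks_like_host)
    return {
        "real_host": (parts.hostname or "").lower(),
        "userinfo": userinfo,
        "control_chars": [f"%{ord(c):02X}" for c in control],
        "userinfo_looks_like_host": looks_like_host,
        "suspicious": suspicious,
    }


def cert_name_matches(url: str, issued_to: str) -> bool:
    """The certificate's 'Issued to:' (subject CN) must match the real host.
    A single leading wildcard label (*.example.test) covers exactly one
    extra label, as browsers treat it."""
    host = analyze_url(url)["real_host"]
    name = issued_to.strip().lower()
    if name.startswith("*."):
        suffix = name[1:]  # ".example.test"
        return host.endswith(suffix) and host.count(".") == name.count(".")
    return host == name


if __name__ == "__main__":
    # Constructed sample input: a benign URL, a disguised one, and a plain
    # URL with ordinary credentials in it.
    for sample in (
        "https://www.example-bank.test/login",
        "http://www.example-bank.test%01@attacker.test/login",
        "http://user:pw@www.example.test/",
    ):
        print(sample, "->", analyze_url(sample))
    print(cert_name_matches(
        "http://www.example-bank.test%01@attacker.test/login",
        "www.example-bank.test"))
```

Note that `urlsplit` already does the browser's job of discarding the userinfo when it computes `hostname`, so `real_host` is the name the TCP connection (and any certificate check) is really made against; the report just makes visible what the address bar hid. The certificate comparison is deliberately strict: a name that matches the decoy in the userinfo but not `real_host` is the case the post describes, and it returns `False`.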