|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: kikkert security (unhackables
hotmail.com)Date: Thu Oct 11 2001 - 04:37:48 CDT
Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing
------
Risk: POTENTIALLY HIGH.
Potentially allowing any possible action on the client machine, including
reading any file, placing Trojan code or altering data.
The risk depends on the security settings in the 'Intranet zone'.
---------
Scope:
Client browser. Microsoft Internet explorer 4.x 5.x. (IE 6 seems to be not
vulnerable).
OS versions scope not known. This vulnerablility was discoved on windows
2000 SP2 with the latest security and office updates.
----------------
Background:
Microsoft internet explorer security is dependant on different 'security
zones'. These zones (Local Intranet zone and Internet zone) can have
different security settings in regards to scripting and ActiveX execution. A
lot of individuals and companies (including Microsoft) are depending on
these zones to allow custom written activeX controls (unsigned and unsafe
for scripting) to run on their internal intranet or network.
A flaw has been discovered in Internet Explorer that can bypass these zones
and ‘fool’ the browser into believing an Internet site resides in the local
intranet zone. This has as result that malicious website owners could
potentially operate (and execute malicious code) in the users local intranet
zone by luring surfers to their site with specially crafted URL’s.
In order for this Flaw to be dangerous, the user would have to have lower
security settings in the intranet zone then in the Internet zone.
----------------------
Technical details:
Example:
An option in a basic authenticated site is to pass on a username (and/or
password) in the URL like this:
msdn.microsoft.com">http://mikemsdn.microsoft.com
Another possibility is to convert an IP address into a dotless IP address;
such an address is also called a DWORD address (some proxy servers, routers
or web servers do not allow this).
http://msdn.microsoft.com - IP: 207.46.239.122
Convert this IP address to a DWORD address:
207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674
This DWORD address can be used to visit the site like:
If we combine the URL login option with the DWORD IP address we’ll get the
following URL:
3475959674">http://mike3475959674
The browser still thinks we are in the internet zone as expected.
Now we change the sign to its ASCII equivalent (%40):
------------------------
http://mike%403475959674
------------------------
Using this link, the browser thinks the Internet site we are in is the local
intranet zone!
------------------------
Disclosure details:
The flaw has been discovered by Michiel Kikkert from Kikkert Security and
Microsoft was notified on the 26th of July.
Since then, Microsoft has been working hard to make core changes to Internet
Explorer and to develop a patch to resolve this issue.
An official Microsoft patch that will fix this can be found at the following
address:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp
(URL may wrap)
Kind Regards,
Michiel Kikkert – securitykikkert.nl
Kikkert Security.
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]