[vox-tech] New phishing vulnerability

Rob Rogers vox-tech@lists.lugod.org
Tue, 9 Dec 2003 13:54:11 -0600 (CST)


There was a thread[1] about 2 months ago about email scams and making URLs
look innocent, mostly by putting the site you're trying to look like in as
a username in your URL i.e. http://www.ebay.com@hackedsite.com/scam.html

I thought today's Internet Explorer vulnerability might be of interest...
This came across bugtraq-digest today.

The quick synopsis: add a 0x01 character (HTML %01) to a URL and MSIE will
not display anything after that character in the URL bar. Their exploit
link is
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm which
shows as http://www.microsoft.com in IE. They tested on 6.0 with SP1 and
other patches... I've verified it on my wife's computer running IE 5.0.


Subject: Internet Explorer URL parsing vulnerability
Date:    Tue, December 9, 2003 8:44 am
To:      bugtraq@securityfocus.com

Internet Explorer URL parsing vulnerability
Vendor Notified 09 December, 2003

# Vulnerability ##########
There is a flaw in the way that Internet Explorer displays URLs in the
address bar.

By opening a specially crafted URL an attacker can open a page that appears
to be from a different domain from the current location.

# Exploit ##########
By opening a window using the http://user@domain nomenclature an attacker
can hide the real location of the page by including a 0x01 character after
the "@" character.
Internet Explorer doesn't display the rest of the URL making the page appear
to be at a different domain.

# POC ##########
http://www.zapthedingbat.com/security/ex01/vun1.htm

# Tested ##########
Internet Explorer
Version 6.0.2800.1106C0
Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145

# Credit ##########
Zap The Dingbat
http://www.zapthedingbat.com/



[1]
[vox-tech] one of the most pernicious spams i've ever seen.
http://lugod.org/mailinglists/archives/vox-tech/2003-09/msg00172.html
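
Added example, not part of the original post or the quoted advisory: a Python check that a mail filter or proxy could run over URLs in a message body to flag the two tricks described above (a site name placed in the userinfo before "@", and a control character such as %01 there) and report the host that is actually contacted. The function name and finding labels are made up for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Control characters, as they appear once percent-escapes are decoded.
CTRL = re.compile(r"[\x00-\x1f\x7f]")
# Userinfo shaped like a hostname, e.g. "www.ebay.com".
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def check_url(url):
    """Return (real_host, findings) for a URL found in a message body."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo;
    # the host that is actually contacted comes after it.
    userinfo, at, _ = parts.netloc.rpartition("@")
    findings = []
    if at:
        findings.append("userinfo-present")
        decoded = unquote(userinfo)
        if CTRL.search(decoded):
            findings.append("control-char-in-userinfo")
        # Drop any password part and control characters, then see whether
        # what remains would read as a site name to the user.
        user = CTRL.sub("", decoded.split(":", 1)[0])
        if HOSTLIKE.match(user):
            findings.append("hostlike-userinfo")
    return parts.hostname, findings


# The three URLs quoted in the message above, used as sample input.
SAMPLES = [
    "http://www.ebay.com@hackedsite.com/scam.html",
    "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
    "http://www.zapthedingbat.com/security/ex01/vun1.htm",
]

if __name__ == "__main__":
    for u in SAMPLES:
        host, findings = check_url(u)
        print(f"{host or '-':24} {', '.join(findings) or 'clean'}  <- {u}")
```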