Subject: [NT] Internet Explorer URL Decoding Zone Spoofing Technical Details (MS05-014)
Date: 13 Feb 2005 11:09:51 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Internet Explorer URL Decoding Zone Spoofing Technical Details (MS05-014)
------------------------------------------------------------------------


SUMMARY

The method used for Windows security zone evaluation fails when characters 
in the URL are encoded in a certain way. Internet Explorer can be tricked 
into thinking that a document belongs in the "My Computer" zone when it 
actually resides on an Internet server. JavaScript in such a document can be 
used to execute arbitrary code, because documents in the "My Computer" zone 
are normally trusted and given more privileges than documents on the Internet.

A malicious user can use this vulnerability to perform any action on the 
victim system with the victim user's privileges - transfer files, run 
programs, etc. No further user interaction is required apart from viewing a 
web page created by the attacker. In the e-mail attack scenario the victim 
user is usually required to click a link in the e-mail.

DETAILS

Somewhere in the process of evaluating the security zone for URLs, 
hex-decoding (the %xy notation) is done more than once for a single URL, 
i.e. the decoded URL is decoded again. This causes undesired effects if the 
URL contains certain special characters that have been encoded more than once.

Unlike some other operating systems, Windows allows the % sign in 
hostnames, so a URL containing such encoding works in Internet Explorer - 
given that the hostname resolves correctly to the attacker's IP address. 
The attacker can then host e.g. an HTML document on the server, which 
Internet Explorer misinterprets as belonging in "My Computer" zone.
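The defect pattern described above (decoding %xy sequences more than once, and deciding the zone on the result) can be contrasted with the usual fix: parse first, decode each component exactly once, and refuse any URL whose decoded form is still not canonical. The following is an added example written for this page; it is not the advisory's proof-of-concept nor Microsoft's zone-evaluation code. The zone names, the toy "local host" rule, the delimiter set and the sample URLs are all constructed for illustration, and the real Internet Explorer logic that was patched is not reproduced here.

```python
"""Double hex-decoding in URL zone evaluation: naive vs. hardened classifier.

Added example, not code from the advisory or from Microsoft. The zone
vocabulary follows the advisory; the classifier rules are constructed.
"""
from urllib.parse import unquote, urlsplit

LOCAL_ZONE = "My Computer"
INTERNET_ZONE = "Internet"
REJECTED = "rejected: non-canonical URL"

# Constructed: hosts that the toy classifier places in the local zone.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Characters that, if they appear in a host only after decoding, would
# change how the URL parses (authority/path/query/fragment boundaries).
DELIMITERS = set("/\\@:?#")


def zone_for_host(hostname: str) -> str:
    """Toy zone decision on a hostname that is assumed to be canonical."""
    return LOCAL_ZONE if hostname in LOCAL_HOSTS else INTERNET_ZONE


def evaluate_zone_naive(url: str) -> str:
    """Decodes the whole URL string until it stops changing, then parses it.

    Decoding before parsing, and decoding repeatedly, is the defect pattern
    the advisory describes: %xy sequences inside the hostname (which Windows
    permits) can turn into URL delimiters and move the URL's effective host.
    """
    decoded = url
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return zone_for_host(urlsplit(decoded).hostname or "")


def evaluate_zone_hardened(url: str) -> str:
    """Parses first, decodes the host component exactly once, and rejects
    anything whose decoded host is still not canonical."""
    raw_host = urlsplit(url).hostname or ""
    host = unquote(raw_host)
    # Canonicalisation check: a second decode must be a no-op.
    if unquote(host) != host:
        return REJECTED
    # Decoding must not have revealed characters that re-split the URL.
    if DELIMITERS & set(host):
        return REJECTED
    return zone_for_host(host)


# Constructed sample URLs; "web.example" is a placeholder attacker host.
SAMPLES = [
    "http://www.example.com/",
    "http://localhost/",
    "http://web.example%40localhost/",      # singly encoded '@'
    "http://web.example%2540localhost/",    # doubly encoded '@'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} naive={evaluate_zone_naive(sample):12} "
              f"hardened={evaluate_zone_hardened(sample)}")
```

Running the script shows the two classifiers agreeing on plain URLs and diverging on the encoded ones: the naive evaluator ends up deciding the zone for `localhost`, while the hardened one refuses the URL because the host is not canonical. The two checks are deliberately separate: the idempotence test catches multi-level encoding, and the delimiter test catches the single-level case where one decode is enough to change the parse.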

A proof-of-concept exploit was tested with Internet Explorer 6 on Windows 
2000 and Windows XP. The exploit successfully launches an 
attacker-supplied EXE program when the victim user visits a web page 
containing the exploit. A full list of vulnerable versions is included in 
Microsoft's bulletin.

Vendor Status:
Microsoft was informed of the problem on February 16th, 2004. A 
preliminary patch was first produced in September 2004 and Microsoft sent 
it to me for testing. However it turned out that the fix didn't correctly 
protect from a variation of the exploit, so the release was delayed.

The final patch and Microsoft's bulletin are available at: 
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx


ADDITIONAL INFORMATION

The information has been provided by Jouko Pynnonen <jouko@iki.fi>.
