
| Subject: | [ISSForum] [[SPAM]] poor verification of vulnerabilities |
|---|---|
| Date: | Fri, 17 Dec 2004 12:20:37 +1100 |
I'd like to share with the RealSecure users the following support thread:

8/11/04 - Subject: 1404592 - XPU 22.25 - Email_Outlook_URL_Spoof - clarification needed

I have attempted to verify this signature, but under MS Outlook 2000, MS Outlook Express 5.0 & 6.0, and KMail 1.5 the stated issue does not occur. I tested with the following email (MS Outlook Express was only tested with the first 3 links):

```html
<html><body>
<a href =" http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html ">bad link 1</a>
<a href =" http://drs.yahoo.com/example.com/NEWS/*http://slashdot.org/#http://drs.yahoo.com/www.example.com/NEWS ">bad link 2</a>
<a href =" http://drs.yahoo.com/www.example.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/mail.tju.edu/NEWS ">bad link 3</a>
<a href="http://rd.yahoo.com/*http://nd1.2828.to">bad link 4</a>
</body></html>
```

All of the mail clients displayed the URL after the asterisk, e.g. for MS Outlook 2000 (see attached file: status_bar.png) (see attached file: version.png).

Can you please provide either an example of a link that causes the issue, or state which mail client is susceptible.

10/11/2004 - Response from ISS to the above:

Hello Oliver,

This vulnerability is for Outlook 2000. However, the signature should fire only when the email containing the spoofed links gets analyzed by the sensor. If you craft the email with the links and then click on them, the sensor would not trigger this event. As far as the URLs still showing what is after the *, I will do some research as to why they are still visible. Everything I've read on the subject suggests that we shouldn't be able to see the "hidden" portion of the URL.

15/11/2004 - sent email to ISS

Can you please let me know what you have discovered from your testing.

16/11/2004 - reply from ISS

Hello Oliver,

I have continued testing this exploit, and currently cannot get it to hide the URL after the *. Although it should be noted that, during the various ways that I have been crafting the emails, when I try to save the file my McAfee Anti-Virus discovers it and will not let me save, due to that exploit. I have to disable my AV in order to try to test this. I am trying to find out if this has been fixed by Microsoft, but information on this particular exploit seems to be scarce.

Thanks,
Charles Bennett
Technical Support Analyst

22/11/04 - email to ISS

Can you please let me know what you have discovered from your testing.

24/11/04

Hello Oliver,

The Email_Outlook_URL_Spoof signature is still a valid signature. It will fire when it detects a URL with an * in it. However, I have not been able to reproduce the spoofing using my email programs. It is possible that this was corrected with a hotfix at some point. The signature, however, still functions normally. If you would like a bit more info about this, here is a link: http://lists.sans.org/pipermail/list/2003-December/045129.html

Thanks,
Charles Bennett
Technical Support Analyst

reply to ISS

I have repeated the test URLs with a completely unpatched Win2k, and the full URLs were still displayed, hence this is not related to any hotfixes. The link you have provided talks about URL spoofing, but it does not relate to URL spoofing via the "*", which is what the signature is concerned about.

I disagree that the signature is still valid. The signature is only valid if there is in fact a URL spoofing scenario involving use of the "*". So far it appears that we have no first-hand proof that the vulnerability actually exists; all we have is the email linked to from the help for the signature - http://archives.neohapsis.com/archives/bugtraq/2004-05/0094.html

Can you please provide at least one actual case in which this URL spoofing scenario occurs. Otherwise can you please have the signature removed in the next XPU.

1/12/04 - reply from ISS

Hello Oliver,

This signature fires when the sensor detects a URL with a "*" in it. I can understand what you mean about it appearing to be an invalid signature due to not being able to reproduce the vulnerability itself. This vulnerability has been documented in the past, and in the interest of security, the signature was created. As stated before, the signature looks for URLs with an "*" only, and has no way of knowing if an email client is able to see what is after the * or not. As such, the signature is technically still valid. If this signature is firing and you only see false positives (an example would be web traffic to yahoo.com or hotmail; they use * to redirect sometimes), you can tune the policy on the sensor or turn the signature off completely if you feel that the vulnerability poses no threat to you.

Thanks,
Charles Bennett
Technical Support Analyst

1/12/04 - email to ISS

Can you please provide the name and version of the email clients that are discussed by the documentation you refer to.

3/12/04 - reply from ISS

Hello Oliver,

You can see which email clients and on what platforms are vulnerable to this at the following link: http://www.securityfocus.com/bid/10324/info/

Thank you,
David Hannum
Technical Support Analyst

3/12/04 - reply to ISS

This is starting to go in a loop. I've already stated that I've tested several of the versions reported to be vulnerable, and the support analyst I was dealing with also could not reproduce the behaviour. Reading the "discussion" tab of the link you sent, the wording ("It has been reported", "It is said") suggests that the vulnerability has not been confirmed, and the entry in the SecurityFocus database is purely on the say-so of whoever made the claim. If ISS has confirmed this vulnerability, can you please state which products and versions were verified to have the vulnerability.

8/12/04 - reply from ISS - the confession

Hello Oliver,

I have looked further into this issue and could not determine that ISS has officially confirmed this vulnerability. This signature was implemented as a security measure, in order to protect against a possible threat. Please submit an Enhancement Request to our Product Management Team via the following link if you would like for X-Force to remove the signature from the next XPU: https://www.iss.net/issEn/MYISS/enhancementRequest.jhtml

As there is nothing more that Technical Support can provide on this incident, it will be set to closed.

Thank you,
Charles Bennett
Technical Support Analyst

I have submitted the request to have the signature removed.

Oliver

_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
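As an added illustration (not part of Oliver's post or of ISS's actual signature code), here is a small Python model of the check as the thread describes it: it fires on any href containing `*`, which is exactly why the Yahoo redirector links in the test mail match, and a tuned variant suppresses the redirector hosts seen in the sample, the kind of policy tuning the support reply suggests. The sample message, the href regex and the `REDIRECTOR_HOSTS` list are constructed here for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message: the first, second and fourth test links from the
# thread above, plus one ordinary link (added here) that contains no "*".
SAMPLE_EMAIL = """<html><body>
<a href =" http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html ">bad link 1</a>
<a href =" http://drs.yahoo.com/example.com/NEWS/*http://slashdot.org/#http://drs.yahoo.com/www.example.com/NEWS ">bad link 2</a>
<a href="http://rd.yahoo.com/*http://nd1.2828.to">bad link 4</a>
<a href="http://www.example.com/news/">plain link</a>
</body></html>"""

# Tolerates the 'href =" ... "' spacing used in the thread's test mail.
HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)

# Hypothetical tuning list: redirector hosts from the sample that legitimately
# place a target URL after "*" (the thread names yahoo.com as a false-positive source).
REDIRECTOR_HOSTS = {"us.rd.yahoo.com", "drs.yahoo.com", "rd.yahoo.com"}


def extract_hrefs(html):
    """Return every href value in the message with surrounding whitespace removed."""
    return [h.strip() for h in HREF_RE.findall(html)]


def signature_fires(url):
    """The check as ISS described it: the event fires on any URL containing '*'."""
    return "*" in url


def split_on_star(url):
    """Return (host before '*', text after '*'). The thread's finding is that the
    tested clients display the whole string, so the user sees 'after' as well."""
    before, _, after = url.partition("*")
    return urlsplit(before).hostname, after


def tuned_signature_fires(url):
    """Same check, suppressed when the pre-'*' host is a known redirector."""
    if not signature_fires(url):
        return False
    host, _ = split_on_star(url)
    return host not in REDIRECTOR_HOSTS


def triage(html):
    """Run both variants over every link in the message; one record per link."""
    rows = []
    for url in extract_hrefs(html):
        host, after = split_on_star(url) if signature_fires(url) else (None, None)
        rows.append({"url": url, "raw": signature_fires(url),
                     "tuned": tuned_signature_fires(url), "host": host, "after": after})
    return rows
```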