[Full-Disclosure] IE 0x01 Byte URL Spoofing Vulnerability[Scriptless PoC Exploit & Additional Details]
Date: Fri Dec 12 2003 - 15:30:02 CST
__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/
Hello all,
There is a big misconception about the recent 0x01 URL Spoofing vuln. in several peoples' mind that scripting is necessary for exploitation. However, this is not the case. Instead of using the %01 sequence and unescaping it[1] like in all the exploits posted till now, an hex editor can be used to directly embed the 0x01 byte in the URL. I have attached a proof of concept exploit to demonstrate this issue.
[1] unescape('http://www.a.com%01@b.com/spoof.htm');
Although, the actual vulnerability is very simple, there has been a lot of confusion with people misunderstanding its nature, scope and exploitation inspite of the presence of a number of proof of concept exploits. Apart from this, many other ideas and exploits have been presented by several people for both mitigation and better exploitation. A few facts about this vulnerability are presented below. I hope this clears some of the confusion.
1. This is only possible with the 0x01 byte.
2. SCRIPTING is NOT NECESSARY to exploit this vulnerability. A hex editor can be used to embed the 0x01 byte. See the attached exploit.
3. This is not the same as the infamous "http://a@b URL Obfuscation" technique that is mostly used by spammers.
4. If the %01 sequence is used, it is necessary to unescape() it.
5. IMO, this issue is not caused by an anomaly in IE's handling of non-printable characters.
6. According to current information in the public domain, no other browser except IE and dependant SW like Outlook is vulnerable to this issue. So this is a Microsoft specific issue.
7. Other techniques like adding a null byte, using onmouseover or onclick, using %09, etc are used to obfuscate the malicious link in the status bar when the mouse is hovered over the link. These are not part of the 0x01 URL Spoofing vulnerability and completely unrelated.
8. It is not necessary to tie the malicious URL to a button.
9. This vulnerability is really critical. Reasons have been discussed in great detail on the lists. Think about the ease of exploitation, no scripting required, etc...
Regards,
-- S.G.Masood Hyderabad, India.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/x-zip-compressed attachment: PoC.zip
This archive was generated by hypermail 2.1.8 : Fri Dec 12 2003 - 16:01:06 CST
