  ZOverLord Premium join:2003-10-20 Minneapolis, MN
New IE Vulnerability Allows Address Bar Spoofing
From: »secunia.com/advisories/19521/
Internet Explorer Window Loading Race Condition Address Bar Spoofing
Secunia Advisory: SA19521
Release Date: 2006-04-04
Last Update: 2006-04-05
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
Exploit code is out!
Description:
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.
The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
»secunia.com/Internet_Explorer_Ad···ty_Test/
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. Other versions may also be affected.
Solution: Disable Active Scripting support.
Provided and/or discovered by: Hai Nam Luke
-- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
"You are vulnerable, if a new window is opened and content from Secunia is displayed while the address bar still says "http://www.google.com/".
You are not vulnerable to this particular exploit, if you do not experience the above behaviour."
IE6 SP2, latest Flash. The address bar said »www.google.com and displayed Google content. Hmmm?
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
Interesting, I have the same and see problems already.
Phishers are already ALL over this exploit!
SnowyOne Premium join:2003-04-05 Kailua, HI
I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page.
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
said by SnowyOne: I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page.
What are you talking about? This exploit is based on a timer flaw, nothing to do with input boxes or form submit.
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
reply to ZOverLord
I replicated my settings to a virtual machine, whose default security settings were vulnerable. It wasn't vulnerable anymore. I didn't disable ActiveX... not that any ActiveX controls can install in a limited account anyway. I didn't disable Active Scripting. Going through the settings one by one, this solved it:
Disable "Navigate sub-frames across different domains"
ZOverLord Premium join:2003-10-20 Minneapolis, MN
Lol, it amazes me that is enabled by default. Like, sure, that's a good idea.
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
Off if on high setting.
»Microsoft Application Tips and Tweaks
»Concerning Internet Options Security, what do some of the settings mean
»/r0/download/4···ions.gif
Cudni -- Some are born to failure, others achieve it, all deserve it. Help yourself so God can help you
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
reply to ZOverLord
With IE settings locked down (Security and Privacy set to High) nothing happens and the address remains: ht*tp://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/
IE6 - XP SP2
-- "Be simple, be earnest and spread that simplicity throughout everything you do."
mysec Premium join:2005-11-29
Confirm.
IE6 - Win2K
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
reply to Sparrow
said by Sparrow: With IE settings locked down (Security and Privacy set to High) nothing happens and the address remains: ht*tp://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ IE6 - XP SP2
Did you click on the "Test Now - Left Click On This Link" under "Start The Test" on the page?
Test Page Link again here: »secunia.com/Internet_Explorer_Ad···ty_Test/
  SnowyOne Premium join:2003-04-05 Kailua, HI
reply to ZOverLord
said by ZOverLord: said by SnowyOne: I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. What are you talking about? This exploit is based on a timer flaw, nothing to do with input boxes or form submit.
That's correct. As far as a phish is concerned it is all about input boxes & form submits, which I'm not convinced can happen with this exploit.
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
said by SnowyOne: said by ZOverLord: said by SnowyOne: I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. What are you talking about? This exploit is based on a timer flaw, nothing to do with input boxes or form submit. That's correct. As far as a phish is concerned it is all about input boxes & form submits, which I'm not convinced can happen with this exploit.
Not in this case. The exploit works this way:
function openWin(url) { window.open(url, 'window'); }
function StartTest() {
    openWin('http://www.google.com/');                                  // first load the legitimate page in the named window
    setTimeout("openWin('/19521_swf/?" + Math.random() + "');", 300);  // 300 ms later, navigate the same window to the .swf page
    setTimeout("openWin('/19521_swf_result/');", 2500);                // then show the result page
}
It exploits a very short timeout, not using any input box or form submit.
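A defender-side heuristic for the pattern quoted in that post, added here as an example (it is not from the thread, from Secunia, or from the test page): it scans a page's script for a named window that is opened and then re-navigated by a short setTimeout, which is the shape of the race the test page relies on. The 1000 ms threshold and the sample script are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: the shape of the test script quoted above,
# with the forum's "»" link marker restored to "http://".
SAMPLE_PAGE = """
function openWin(url) { window.open(url, 'window'); }
function StartTest() { openWin('http://www.google.com/');
setTimeout("openWin('/19521_swf/?" + Math.random() + "');", 300);
setTimeout("openWin('/19521_swf_result/');", 2500); }
"""

RACE_THRESHOLD_MS = 1000  # assumption: a re-navigation this quick deserves a look

# A helper function whose body calls window.open() with a literal window name.
WRAPPER_RE = re.compile(
    r"function\s+(\w+)\s*\([^)]*\)\s*\{[^}]*?window\.open\([^,)]+,\s*['\"](\w+)['\"]")
DIRECT_OPEN_RE = re.compile(r"window\.open\([^,)]+,\s*['\"](\w+)['\"]")
TIMEOUT_RE = re.compile(r"setTimeout\((.*?),\s*(\d+)\s*\)", re.DOTALL)
CALL_RE = re.compile(r"\b(\w+)\s*\(")


def named_targets_in(snippet: str, wrappers: Dict[str, str]) -> List[str]:
    """Window names navigated by this snippet, directly or via a wrapper."""
    targets = DIRECT_OPEN_RE.findall(snippet)
    targets += [wrappers[n] for n in CALL_RE.findall(snippet) if n in wrappers]
    return targets


def find_window_races(source: str) -> List[Dict]:
    """Report named windows that are opened and then re-navigated by setTimeout."""
    wrappers = dict(WRAPPER_RE.findall(source))  # helper name -> window name
    delayed: Dict[str, List[int]] = {}
    for body, delay in TIMEOUT_RE.findall(source):
        for target in named_targets_in(body, wrappers):
            delayed.setdefault(target, []).append(int(delay))
    # What is left after stripping timeouts and wrapper definitions are the
    # immediate (initial) navigations of each named window.
    rest = WRAPPER_RE.sub("", TIMEOUT_RE.sub("", source))
    immediate = set(named_targets_in(rest, wrappers))
    findings = []
    for target, delays in sorted(delayed.items()):
        if target in immediate and target != "_blank":
            findings.append({"window": target, "delays_ms": sorted(delays),
                             "race_candidate": min(delays) <= RACE_THRESHOLD_MS})
    return findings


if __name__ == "__main__":
    for finding in find_window_races(SAMPLE_PAGE):
        print(finding)
```

A page that re-navigates a named window only after several seconds is reported with race_candidate set to False, so the threshold, not the pattern alone, decides what is flagged.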
  SnowyOne Premium join:2003-04-05 Kailua, HI
It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading?
 mysec Premium join:2005-11-29
reply to ZOverLord
said by ZOverLord: Did you click on the "Test Now - Left Click On This Link" under "Start The Test" on the page?
I did. On Medium Security Setting, the exploit works. On High Setting, it does not work.
IE6, Win2K SP4
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
reply to SnowyOne
said by SnowyOne: It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading?
Sure, but then you would see a page re-load and wonder what's going on. Why not display, for example, the logon page right away? You would never know how long someone took to fill in field information before you timed out, so it would be best to display the bogus page ASAP, which is what people are doing.
Actually, even this PoC is using a LONG delay so you can see the original Google page to get a better visual idea of what's going on. The real exploits of this are not so kind.
SnowyOne Premium join:2003-04-05 Kailua, HI
Getting someone to land on the fake page is the phish challenge, so if you mean that a phish runs this exploit from its fake page then the phish doesn't really need to utilize this exploit. I just can't seem to see how it's helping a phish.
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
reply to ZOverLord
said by ZOverLord: said by Sparrow: With IE settings locked down (Security and Privacy set to High) nothing happens and the address remains: ht*tp://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ IE6 - XP SP2 Did you click on the "Test Now - Left Click On This Link" under "Start The Test" on the page? Test Page Link again here: » secunia.com/Internet_Explorer_Ad···ty_Test/
It's the same link, Z. I added the asterisk to show the page in the address bar after clicking the test link. Still showing "secunia.com" and no sign of Google.
ZOverLord Premium join:2003-10-20 Minneapolis, MN
Interesting, and you never see Google even flash in the browser window itself?
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
said by ZOverLord: Interesting, and you never see Google even flash in the browser window itself?
Nothing. The page remains the same.