[pcductape] Re: URL Spoofing

  • From: "Victor Firestone" <vlfll@xxxxxxxxxxx>
  • To: <pcductape@xxxxxxxxxxxxx>
  • Date: Thu, 5 Feb 2004 00:02:31 +0200

Pam,

You almost got it 100% right - but spoofing also can be done with the tag
that shows up in the status bar. The only ways to check 100% are either to type
it in by hand or to check the source of the HTML page / email.

I checked out my knowledge on the web at -
http://www.secunia.com/advisories/10395/
And this is what they say

Description:
A vulnerability has been identified in Internet Explorer, which can be
exploited by malicious people to display a fake URL in the address and
status bars.

The vulnerability is caused due to an input validation error, which can be
exploited by including the "%01" and "%00" URL encoded representations after
the username and right before the "@" character in an URL.

Successful exploitation allows a malicious person to display an arbitrary
FQDN (Fully Qualified Domain Name) in the address and status bars, which is
different from the actual location of the page.

This can be exploited to trick users into divulging sensitive information or
download and execute malware on their systems, because they trust the faked
domain in the two bars.

Example displaying only "http://www.trusted_site.com" in the two bars when
the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@xxxxxxxxxxxxxxxxxx/malicious.html

A test is available at:
http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

The vulnerability has been confirmed in version 6.0, and version 5.x is also
affected according to Microsoft's knowledge base article.

NOTE: This vulnerability is currently being exploited on the Internet via
scam emails!

~~~~~~~~~~~~~~~~~~~
TTFN - Vic

To laugh often and much; to win the respect of intelligent people and
the affection of children; to earn the appreciation of honest critics
and endure the betrayal of false friends; to appreciate beauty,
to find the best in others; to leave the world a little better;
whether by a healthy child, a garden patch or a redeemed social condition;
to know even one life has breathed easier because you have lived.
~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: pcductape-bounce@xxxxxxxxxxxxx [mailto:pcductape-bounce@xxxxxxxxxxxxx]
On Behalf Of Pam
Sent: Wednesday, February 04, 2004 11:02 PM
To: pcductape@xxxxxxxxxxxxx
Subject: [pcductape] Re: URL Spoofing

Hi Vic,

We are talking about the same thing. You were talking about the (bad) intent
of the message writer.  I was basically explaining how the spoofing was
accomplished. =)

I'm pretty sure you already know how spoofing is accomplished.


For others, there are ways to verify that a link is going where it appears
to be going.

First, URL spoofing cannot be accomplished in plain text format emails, such
as this email is in.

In email you can hit Reply and then change the format to plain text which
will remove the underlying links.

On a web page you can touch a link and watch your status bar (the bar on the
bottom of your browser window) and most of the time it will show you where
the link is actually going.  If not, then you can view the source code for a
page and see where it is actually linked.  To view the source code in IE go
to View/Source.

If you are not familiar with what you are looking for in source code it will
look like something similar to this:

If it is a link from a graphic image like a button:

<a href="http://www.somesite.com/virus/abcdefg.exe" target="_blank"><img
src="images/clickMePlease.jpg" alt="Click here for a surprise" width="57"
height="50" border="0"></a></td>

If it's a text link it may look something similar to this:

<a
href="http://www.badsite.com/givethemavirus.exe">www.goodsite.com</a></td>

In both cases the true destination of the link is the part that immediately
follows the "a href=" and is enclosed in quotes.

Hope that helps,

Pam
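The two checks described in this thread, reading the real destination out of the "a href=" attribute and noticing that anything before the "@" in a URL is not the host, can be automated. The script below is an added example written for this archive page; it is not code from Vic, Pam or Secunia. The sample HTML is constructed from the snippets quoted in the message, with `malicious.example` standing in for the obfuscated domain in the advisory's example URL. It flags a link when the visible text names a different domain than the link really goes to, when there is userinfo (and especially %00/%01 control characters) in front of the "@", or when the link points at an executable.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample input, based on the link snippets quoted in the thread.
# "malicious.example" is a placeholder for the real host in the advisory's example URL.
SAMPLE_HTML = """
<a href="http://www.somesite.com/virus/abcdefg.exe" target="_blank"><img
src="images/clickMePlease.jpg" alt="Click here for a surprise"></a>
<a href="http://www.badsite.com/givethemavirus.exe">www.goodsite.com</a>
<a href="http://www.trusted_site.com%01%00@malicious.example/malicious.html">www.trusted_site.com</a>
<a href="http://www.goodsite.com/page.html">www.goodsite.com</a>
"""

# Something that looks like a domain name inside the visible link text.
HOST_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9_-]+(?:\.[a-z0-9_-]+)*\.[a-z]{2,})", re.I
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in a page or HTML mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
            self._text = []
        elif tag == "img" and self._href is not None:
            # A graphic link such as the "Click me" button: use its alt text as the visible text.
            self._text.append(attrs.get("alt", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def check_link(href, text):
    """Return a list of warnings for one link; an empty list means nothing looked wrong."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # 1. Anything before '@' is userinfo, not the host. urlsplit() already gives the real
    #    host; the %01/%00 trick only mattered because IE displayed the userinfo part.
    if parts.username is not None:
        warnings.append("userinfo before @ (real host is %s)" % host)
        if any(ch in "\x00\x01" for ch in unquote(parts.username)):
            warnings.append("control characters in userinfo")

    # 2. The visible text names a domain, but the link goes somewhere else.
    m = HOST_RE.search(text)
    if m and strip_www(m.group(1).lower()) != strip_www(host):
        warnings.append("text says %s but link goes to %s" % (m.group(1), host))

    # 3. The link downloads an executable.
    if parts.path.lower().endswith((".exe", ".scr", ".pif", ".bat")):
        warnings.append("link points at an executable")

    return warnings


def audit(html):
    """Parse the HTML and return (href, text, warnings) for every link found."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, warnings in audit(SAMPLE_HTML):
        status = "; ".join(warnings) if warnings else "ok"
        print("%-60s %-25s %s" % (href, text or "(no text)", status))
```

Run it as-is to see the four sample links scored, or pass the source of a saved HTML mail to `audit()`. The host comparison is deliberately simple (it ignores subdomains other than "www"), which is enough to catch the "www.goodsite.com" text pointing at badsite.com case from the thread.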
