Bugtraq mailing list archives

RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition


From: Jelmer <jkuperus () planet nl>
Date: Sat, 19 Jun 2004 04:31:09 +0200

As an addendum, perhaps, though I wouldn't doubt someone
might make some nice proof-of-concept code for this...

Don't mind if I do :)

The following demo will read out your logon name and your logon domain, or
at least it should :)

http://jelmer.homedns.org/test.htm

The URL used is http://jelmer%2fwww.jelmer.homedns.org

The problem is that IE looks at the part before the %2f to determine the
security zone etc., but then loads the URL in its entirety, like this:

http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded

IE treats any URL it sees without a period in it, such as http://jelmer, as
part of the Local Intranet Zone.

From the intranet zone we can easily obtain the logon name because automatic
logon through NTLM is enabled by default in the intranet zone.


Code at http://jelmer.homedns.org/code.zip

I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder



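The zone-versus-load mismatch described in this post comes down to one URL whose authority reads differently before and after percent-decoding. The following check is an added example, not code from the post or from the linked code.zip: it parses the authority both ways, reports when the two host readings disagree, and notes whether the decoded host is dotless (the condition the post gives for Local Intranet Zone treatment). It generalizes beyond %2f to any percent-encoded delimiter in the authority, which a gateway or proxy filter can reject before a client ever sees it; the function names and the sample URLs other than the post's own are constructed.

```python
import re
from urllib.parse import urlsplit, unquote


def _host_of_authority(authority: str) -> str:
    """Host part of an authority string: drop userinfo, then any port."""
    host = authority.rpartition("@")[2]
    if host.startswith("["):                      # IPv6 literal, keep brackets
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].lower()


def analyze_url(url: str) -> dict:
    """Compare the host as parsed from the raw authority with the host that
    remains once the authority is percent-decoded and re-cut at the first
    delimiter that may not appear unescaped in a host ('/', '\\', '?', '#')."""
    parts = urlsplit(url)
    raw_host = _host_of_authority(parts.netloc)
    decoded_authority = unquote(parts.netloc)
    first_segment = re.split(r"[/\\?#]", decoded_authority, maxsplit=1)[0]
    decoded_host = _host_of_authority(first_segment)
    return {
        "raw_host": raw_host,
        "decoded_host": decoded_host,
        # Two components that disagree on the host is the root of the issue.
        "ambiguous": raw_host != decoded_host,
        # A dotless host is what the post says IE maps to the intranet zone.
        "dotless": "." not in decoded_host,
    }


def is_suspicious(url: str) -> bool:
    """Policy used here (an assumption): any URL whose authority changes
    meaning under percent-decoding is rejected, dotless or not."""
    return analyze_url(url)["ambiguous"]


if __name__ == "__main__":
    # Constructed sample list: the post's URL, a plain URL, an intranet-style
    # dotless host, and an encoded '@' that hides a different host.
    for u in ("http://jelmer%2fwww.jelmer.homedns.org",
              "http://www.jelmer.homedns.org/test.htm",
              "http://intranet/page",
              "http://user%40evil.example/"):
        print(u, analyze_url(u), "SUSPICIOUS" if is_suspicious(u) else "ok")
```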