Full Disclosure mailing list archives

RE: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 20 Oct 2005 13:12:26 -0500

It didn't work for me.. but once I turned the pop-up blocker off it
did appear to work. 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of K-Gen Gen
Sent: Thursday, October 20, 2005 4:49 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing 
bug in IE.

Affected : All MS-IE Browsers (Win XP SP2 as well).

This allows a malicious website to host a specially crafted A 
HREF tag that shows to the user as a link to one location, 
but actually redirects to another. This can be used in 
Phishing scams and other malicious attacks.

The basic idea here is to write a genuine <a href=""> </a> tag 
but include an onClick event handler that will redirect 
(window.location="";) to another page. The next example won't work:

<a href="http://microsoft.com"
onClick="window.location='http://google.com';">Microsoft</a>

Probably there is some protection in IE .. but not enough :)

If we try the next thing:

<a href="http://microsoft.com" onClick="alert()">Microsoft</a>

An alert WILL pop-up before redirecting. The same thing will 
happen to the document.write(""); method, it will execute 
before redirection.

Hence, the next Proof of Concept:

<a href="http://microsoft.com"
onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>

Put the code into an HTML page and see for yourself. In the 
status bar and in the properties the link appears as 
http://microsoft.com , but if you click on the link it will 
redirect you to http://google.com .

I used unescape because characters like < > and ' cause 
run-time errors...

This is not as critical as the old %01@ bug (that 
still works on my IE SP1 :lol:), because it does not obscure 
the real link in the Address bar, but I bet there will be a 
PoC for this one too, sooner or later...

Have a Nice Day.
K-Gen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

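A static check for the link shape described in the post, added here as an example and not code from the thread: it scans anchor tags for inline event handlers carrying navigation or document.write code (decoding unescape()-style %xx text first) and reports the visible href next to any URL the handler would actually send the user to. Assumes Node.js; the HTML samples are constructed for this example.

```javascript
// Patterns for navigation primitives and for URL literals inside handler code.
const NAV_PATTERN = /window\.location|document\.location|location\.(?:href|replace|assign)|document\.write/i;
const URL_PATTERN = /https?:\/\/[^\s'"<>)]+/gi;

// Parse the attributes of one <a ...> start tag into an object keyed by lower-cased name.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Undo %uXXXX / %XX encoding (what unescape() would do at runtime) so hidden script text becomes visible.
function decodeHandler(code) {
  const ascii = code.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  try { return decodeURIComponent(ascii); } catch (e) { return ascii; }
}

// One finding per anchor whose on* handler contains navigation code; redirectsTo lists
// URL literals in the handler that differ from the href the browser shows the user.
function findSpoofedLinks(html) {
  const findings = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const href = attrs.href || '';
    for (const [name, value] of Object.entries(attrs)) {
      if (!name.startsWith('on')) continue;
      const code = decodeHandler(value);
      if (!NAV_PATTERN.test(code)) continue;
      const redirectsTo = (code.match(URL_PATTERN) || []).filter((u) => u !== href);
      findings.push({ href, handler: name, redirectsTo, code });
    }
  }
  return findings;
}

// Constructed samples: the PoC shape from the post, a handler that only alerts, and a plain link.
const SAMPLE_HTML = `
<a href="http://microsoft.com" onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
<a href="http://microsoft.com" onClick="alert('hi')">Microsoft</a>
<a href="http://example.org">plain</a>
`;

console.log(JSON.stringify(findSpoofedLinks(SAMPLE_HTML), null, 2));
```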