SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
(Additional Details About the Zone Bug) Re: Microsoft Internet Explorer (IE) Web Browser Has Multiple URL-related Flaws That May Allow for Remote Code Execution, Remote HTTP Request Generation, and Application of Incorrect Security Restrictions
SecurityTracker Alert ID:  1002531
SecurityTracker URL:  http://securitytracker.com/id/1002531
CVE Reference:   CAN-2001-0664, CAN-2001-0665, CAN-2001-0667   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Oct 11 2001
Impact:   Execution of arbitrary code via network, Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.01, 5.5, 6
Description:   Microsoft reported several vulnerabilities in their Internet Explorer (IE) web browser. Malformed web URLs that use the dotless IP format will use Intranet Zone security preferences rather than those for the more restrictive Internet Zone. Two others flaws involve URL processing.

One of the three vulnerabilities is a flaw in URL processing. If a malformed web URL is specified using a dotless IP format, IE will not interpret the URL as an Internet site and instead will apply the security preferences of the Intranet Zone. In default configurations, the Intranet Zone runs with fewer security restrictions. This particular vulnerability does not affect IE 6.

A user (and the discoverer of this vulnerability) has provided the following additional details about this bug.

The flaw involves URLs that include an HTTP basic authentication login option (of the form http://[username]@[hostname]). The flaw also involves IP addresses represented as a dotless IP address format, also known as a DWORD address.

An example conversion is provided for the address http://msdn.microsoft.com, which has an IP address of 207.46.239.122. As shown below, this IP address converts to a DWORD of http://3475959674.

Convert this IP address to a DWORD address:

207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674

If the URL login option is combined with the DWORD IP address to yield http://[username]@3475959674, and if the '@' sign is changed to its ASCII equivalent (%40) (as in http://[username]%403475959674), the IE browser will interpret this page as residing in the local Intranet Zone.

For details on the other two vulnerabilities, see the orginal Alert (in the Message History).

Impact:   A remote web site referring to a web page using the dotless IP format could cause that page to be loaded and interpreted using the Intranet Zone security options, which are typically less stringent.

A remote web site can cause HTTP requests to be generated appearing to have originated from the IE user. Those requests could take action on behalf of the user.

A remote web site can invoke the Telnet client on the IE user's host with special options that cause an executable file to be placed on the user's host that will be executed when the host is rebooted.

Solution:   The vendor has issued patches, available at:

http://www.microsoft.com/windows/ie/downloads/critical/q306121/default.asp

Microsoft notes that the IE 5.01 patch can be installed on IE 5.01 Service Pack 2, the IE 5.5 patch can be installed on IE 5.5 Service Pack 2, and the IE 6 patch can be installed on IE 6 Gold.

Microsoft indicates that this fix will be included in future IE 5.01 Service Pack 3, IE 5.5 Service Pack 3, and IE 6 Service Pack 1.

For additional instructions and for directions on how to verify the patch application, see the Vendor URL.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-051.asp (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 11 2001 Microsoft Internet Explorer (IE) Web Browser Has Multiple URL-related Flaws That May Allow for Remote Code Execution, Remote HTTP Request Generation, and Application of Incorrect Security Restrictions



 Source Message Contents

Date:  Thu, 11 Oct 2001 02:37:48 -0700
Subject:  Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing


Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing

------
Risk: POTENTIALLY HIGH.
Potentially allowing any possible action on the client machine, including 
reading any file, placing Trojan code or altering data.
The risk depends on the security settings in the 'Intranet zone'.

---------
Scope:
Client browser. Microsoft Internet explorer 4.x 5.x. (IE 6 seems to be not 
vulnerable).
OS versions scope not known. This vulnerablility was discoved on windows 
2000 SP2 with the latest security and office updates.

----------------
Background:

Microsoft internet explorer security is dependant on different 'security 
zones'. These zones (Local Intranet zone and Internet zone) can have 
different security settings in regards to scripting and ActiveX execution. A 
lot of individuals and companies (including Microsoft) are depending on 
these zones to allow custom written activeX controls (unsigned and unsafe 
for scripting) to run on their internal intranet or network.
A flaw has been discovered in Internet Explorer that can bypass these zones 
and ‘fool’ the browser into believing an Internet site resides in the local 
intranet zone. This has as result that malicious website owners could 
potentially operate (and execute malicious code) in the users local intranet 
zone by luring surfers to their site with specially crafted URL’s.

In order for this Flaw to be dangerous, the user would have to have lower 
security settings in the intranet zone then in the Internet zone.

----------------------
Technical details:

Example:

An option in a basic authenticated site is to pass on a username (and/or 
password) in the URL like this:

http://mike@msdn.microsoft.com

Another possibility is to convert an IP address into a dotless IP address; 
such an address is also called a DWORD address (some proxy servers, routers 
or web servers do not allow this).

http://msdn.microsoft.com - IP: 207.46.239.122

Convert this IP address to a DWORD address:

207 * 16777216 		= 3472883712
46 * 65536  		= 3014656
239 * 256		= 61184
122 * 1			= 122
------------------------------------------------ +
			= 3475959674

This DWORD address can be used to visit the site like:

http://3475959674

If we combine the URL login option with the DWORD IP address we’ll get the 
following URL:

http://mike@3475959674

The browser still thinks we are in the internet zone as expected.

Now we change the @ sign to its ASCII equivalent (%40):


------------------------
http://mike%403475959674
------------------------


Using this link, the browser thinks the Internet site we are in is the local 
intranet zone!



------------------------
Disclosure details:

The flaw has been discovered by Michiel Kikkert from Kikkert Security and 
Microsoft was notified on the 26th of July.
Since then, Microsoft has been working hard to make core changes to Internet 
Explorer and to develop a patch to resolve this issue.

An official Microsoft patch that will fix this can be found at the following 
address:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp

(URL may wrap)


Kind Regards,
Michiel Kikkert – security@kikkert.nl
Kikkert Security.

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC