(Additional Details About the Zone Bug) Re: Microsoft Internet Explorer (IE) Web Browser Has Multiple URL-related Flaws That May Allow for Remote Code Execution, Remote HTTP Request Generation, and Application of Incorrect Security Restrictions
SecurityTracker Alert ID: 1002531
SecurityTracker URL: http://securitytracker.com/id/1002531
CVE Reference: CAN-2001-0664, CAN-2001-0665, CAN-2001-0667
Updated: Dec 1 2003
Original Entry Date: Oct 11 2001
Impact: Execution of arbitrary code via network, Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.01, 5.5, 6
Description:
Microsoft reported several vulnerabilities in its Internet Explorer (IE) web browser. Malformed web URLs that use the dotless IP format are handled under the Intranet Zone security preferences rather than those of the more restrictive Internet Zone. Two other flaws involve URL processing.
One of the three vulnerabilities is a flaw in URL processing. If a malformed web URL is specified using a dotless IP format, IE will not interpret the URL as an Internet site and instead will apply the security preferences of the Intranet Zone. In default configurations, the Intranet Zone runs with fewer security restrictions. This particular vulnerability does not affect IE 6.
A user (and the discoverer of this vulnerability) has provided the following additional details about this bug.
The flaw involves URLs that include an HTTP basic authentication login option (of the form http://[username]@[hostname]). The flaw also involves IP addresses represented as a dotless IP address format, also known as a DWORD address.
An example conversion is provided for http://msdn.microsoft.com, which at the time resolved to the IP address 207.46.239.122. As shown below, this address converts to the DWORD 3475959674, so the site can also be addressed as http://3475959674.
Convert this IP address to a DWORD address:
207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674
If the login option is combined with the DWORD address to yield http://[username]@3475959674, and the '@' sign is then replaced by its percent-encoded form (%40), as in http://[username]%403475959674, IE places the page in the Local Intranet Zone.
For details on the other two vulnerabilities, see the original Alert (in the Message History).
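As an added example (not part of the advisory or of Kikkert Security's report), the following Node.js script implements the dotted-quad to DWORD conversion shown above in both directions, builds the three URL forms from the report (plain DWORD host, the "user@" prefix, and the "user%40" prefix) and runs each through the WHATWG URL parser that Node.js provides as the global URL class, so you can see what a standards-conforming parser takes as the user name and host in each case. How IE 5.x internally arrived at its Intranet Zone decision is not described on this page, and the script does not model it; the user name mike is the report's own example value and the conversion weights are the ones listed above.

```javascript
// Added example, not from the advisory or Kikkert Security's report.
// Runs under Node.js (uses the global WHATWG URL class); no network access.

const BYTE_WEIGHTS = [16777216, 65536, 256, 1]; // 256^3 .. 256^0, as in the advisory's sum

// "207.46.239.122" -> 3475959674 (the same sum the advisory works through)
function toDword(dotted) {
  const parts = dotted.split(".");
  if (parts.length !== 4) throw new Error(`not a dotted quad: ${dotted}`);
  const octets = parts.map((p) => {
    if (!/^\d{1,3}$/.test(p)) throw new Error(`bad octet: ${p}`);
    const n = Number(p);
    if (n > 255) throw new RangeError(`octet out of range: ${p}`);
    return n;
  });
  return octets.reduce((sum, o, i) => sum + o * BYTE_WEIGHTS[i], 0);
}

// 3475959674 -> "207.46.239.122"; rejects anything that is not a 32-bit value
function fromDword(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) {
    throw new RangeError(`not a 32-bit value: ${n}`);
  }
  return BYTE_WEIGHTS.map((w) => Math.floor(n / w) % 256).join(".");
}

// The three URL forms the report compares: dotless host alone,
// "user@" in front of it, and "user%40" in front of it.
function buildUrls(user, dotted) {
  const dword = toDword(dotted);
  return {
    plain: `http://${dword}`,
    withAt: `http://${user}@${dword}`,
    withEncodedAt: `http://${user}%40${dword}`,
  };
}

// Decompose a URL with the WHATWG parser. The parser normalizes a dotless
// numeric host back to dotted-quad form; it returns null here when the
// parser rejects the input outright.
function decompose(url) {
  try {
    const u = new URL(url);
    return { username: u.username, hostname: u.hostname };
  } catch (e) {
    return null;
  }
}

// Demo: print each form with what the parser makes of it.
if (typeof require !== "undefined" && require.main === module) {
  const urls = buildUrls("mike", "207.46.239.122");
  for (const [name, url] of Object.entries(urls)) {
    console.log(name.padEnd(14), url.padEnd(28), JSON.stringify(decompose(url)));
  }
}
```

Run it with node. The plain and "@" forms come back with host 207.46.239.122 (and user name mike for the second), because the parser splits the authority on the literal "@" first and only then interprets the host, turning the DWORD back into a dotted quad; the "%40" form is rejected, since after host percent-decoding the "@" is a forbidden host character. That ordering is the point for anyone writing zone, allow-list or proxy logic of their own: split out the user info on the literal "@" before percent-decoding anything, and normalize numeric hosts to dotted form before comparing them against a list, otherwise 3475959674 and 207.46.239.122 look like two different hosts.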
Impact:
A remote web site referring to a web page using the dotless IP format could cause that page to be loaded and interpreted using the Intranet Zone security options, which are typically less stringent.
A remote web site can cause HTTP requests to be generated appearing to have originated from the IE user. Those requests could take action on behalf of the user.
A remote web site can invoke the Telnet client on the IE user's host with special options that cause an executable file to be placed on the user's host that will be executed when the host is rebooted.
Solution:
The vendor has issued patches, available at:
http://www.microsoft.com/windows/ie/downloads/critical/q306121/default.asp
Microsoft notes that the IE 5.01 patch can be installed on IE 5.01 Service Pack 2, the IE 5.5 patch can be installed on IE 5.5 Service Pack 2, and the IE 6 patch can be installed on IE 6 Gold.
Microsoft indicates that this fix will be included in future IE 5.01 Service Pack 3, IE 5.5 Service Pack 3, and IE 6 Service Pack 1.
For additional instructions and for directions on how to verify the patch application, see the Vendor URL.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-051.asp
Cause:
Input validation error, State error
Underlying OS:
Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 11 Oct 2001 02:37:48 -0700
Subject: Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing
Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing
------
Risk: POTENTIALLY HIGH.
Potentially allowing any possible action on the client machine, including
reading any file, placing Trojan code or altering data.
The risk depends on the security settings in the 'Intranet zone'.
---------
Scope:
Client browser. Microsoft Internet Explorer 4.x, 5.x (IE 6 seems not to be
vulnerable).
OS versions scope not known. This vulnerability was discovered on Windows
2000 SP2 with the latest security and office updates.
----------------
Background:
Microsoft Internet Explorer security is dependent on different 'security
zones'. These zones (Local Intranet zone and Internet zone) can have
different security settings in regards to scripting and ActiveX execution. A
lot of individuals and companies (including Microsoft) are depending on
these zones to allow custom-written ActiveX controls (unsigned and unsafe
for scripting) to run on their internal intranet or network.
A flaw has been discovered in Internet Explorer that can bypass these zones
and 'fool' the browser into believing an Internet site resides in the local
intranet zone. This has the result that malicious website owners could
potentially operate (and execute malicious code) in the user's local intranet
zone by luring surfers to their site with specially crafted URLs.
In order for this flaw to be dangerous, the user would have to have lower
security settings in the intranet zone than in the Internet zone.
----------------------
Technical details:
Example:
An option in a basic authenticated site is to pass on a username (and/or
password) in the URL like this:
http://mike@msdn.microsoft.com
Another possibility is to convert an IP address into a dotless IP address;
such an address is also called a DWORD address (some proxy servers, routers
or web servers do not allow this).
http://msdn.microsoft.com - IP: 207.46.239.122
Convert this IP address to a DWORD address:
207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674
This DWORD address can be used to visit the site like:
http://3475959674
If we combine the URL login option with the DWORD IP address we’ll get the
following URL:
http://mike@3475959674
The browser still thinks we are in the internet zone as expected.
Now we change the @ sign to its ASCII equivalent (%40):
------------------------
http://mike%403475959674
------------------------
Using this link, the browser thinks the Internet site we are in is the local
intranet zone!
------------------------
Disclosure details:
The flaw has been discovered by Michiel Kikkert from Kikkert Security and
Microsoft was notified on the 26th of July.
Since then, Microsoft has been working hard to make core changes to Internet
Explorer and to develop a patch to resolve this issue.
An official Microsoft patch that will fix this can be found at the following
address:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp
(URL may wrap)
Kind Regards,
Michiel Kikkert – security@kikkert.nl
Kikkert Security.