SecurityTracker.com
SecurityTracker Archives
Category: Application (Web Browser) > Microsoft Internet Explorer
Vendors: Microsoft
Microsoft Internet Explorer SSL Icon Error May Let Remote Users Impersonate Secure Web Sites
SecurityTracker Alert ID:  1010009
SecurityTracker URL:  http://securitytracker.com/id/1010009
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 30 2004
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 6.0.2800
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can employ another site's certificate to cause the target user's browser to appear to be connected to the other site.

Emmanouel Kellinis reported that a remote user can invoke a combination of a META Refresh operation and an OnUnload BODY tag to partially impersonate a secure web site.

A remote user can create HTML that performs a zero-second META refresh to the target secure web site. The HTML also includes a BODY onUnload handler that uses the window.location method:

<BODY onUnload='window.location=""'>

This will reportedly cause the browser to ask the target user whether the certificate for the target secure web site should be trusted and then, if the target user responds in the affirmative, display the content of the secure site. The address bar will show the correct URL (that of the malicious web site); however, the content will be that of the target web site and the SSL lock will be displayed in the target user's browser, the report said.

According to the report, if the target user clicks on the SSL lock icon, the browser will indicate that the page's certificate is not valid.

A demonstration exploit page is provided in the Source Message.

Impact:   A remote user can create a malicious web site that, when loaded by the target user, may appear to be another secure web site [however, the URL will still be accurate]. A remote user can exploit this flaw to attempt "phishing" scams.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Authentication error, State error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  IE Certificate Stealing (Phishing) bug


#########################################
Application:    Internet Explorer 
Vendors:        http://www.microsoft.com
Version:         6.0.2800
Platforms:       Windows
Bug:             Certificate Stealing (Phishing)
Risk:            Medium 
Exploitation:    Remote with browser
Date:            30 Apr 2004
Author:          Emmanouel Kellinis
e-mail:          me@cipher(dot)org(dot)uk
web:             http://www.cipher.org.uk
List :           BugTraq(SecurityFocus)
#########################################


=======
Product
=======
A popular Web browser, created by Microsoft, 
used to view pages on the World Wide Web.

===
Bug
===

A bug in Internet Explorer enables someone to use an 
SSL certificate on a website which belongs to 
someone else, via a combination of Refresh and OnUnload 
on the BODY tag. This bug can be used in 
phishing scams.



Let's say that we want to use example.com's 
certificate.


We point at that website with a REFRESH meta tag.

<meta http-equiv="REFRESH" 
  content="0;url=https://www.example.com/">

Then inside our BODY tag we use onUnload to tell 
the web browser what to do when it unloads that 
webpage (using the window.location method).

<BODY onUnload='window.location=""'>

The result of that will be that 
the browser will ask us if we want to use the 
certificate of example.com (if we trust that party 
we will say yes). Then the contents of the protected 
webpage will be downloaded to our website using our 
domain name.

We have something like this in the URL field of IE:
Address : http://www.ourdomainname/FakeSSL.html
Then we have the contents of the index page of example.com 
in the browsing area and the SSL lock (right corner).

*Remember that we are on the fake website all that time.


If, inside the index page, links and forms use virtual 
pointers to directories or files 
(e.g. images/ or form/submit.php), we can use the trust 
of the visitor and steal information 
(e.g. via submitted forms).

NOTE: the lock in the right corner doesn't work; if you 
click it, it says "this type of document does not have a security 
certificate", which means that this lock shouldn't be there. 
In case a visitor checks the certificate only in 
the popup window at the beginning of the session and, after 
loading the webpage, does not check the validity using the right 
corner lock, then we fake the certificate.

=====================
Proof Of Concept Code
=====================

<html>
<head>
<title>Your Page Title</title>
<meta http-equiv="REFRESH" 
  content="0;url=https://www.example.com/">

<meta http-equiv="Content-Type" content="text/html;"> 

</head>
<body onUnload='window.location=""'>

</body>
</html>

====
FIX
====
Do not use virtual directories; instead use the real path or URL.
Refresh access to the root directory.



=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
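As an added example (not code from the SecurityTracker alert or from Kellinis' post): the FIX section above recommends real paths or URLs instead of "virtual" (relative) ones, and the description explains why: when a site's index page is shown under another origin, every relative href, src and action resolves against that origin rather than the genuine site. The Python script below, whose names (audit, resolves_under, is_relative, SAMPLE_PAGE) are my own, parses an HTML page, lists each relative URL attribute with the absolute form it should carry under the genuine site, and shows what the same value resolves to if the page is rendered at a different URL. The sample page is constructed.

```python
"""Audit an HTML page for relative ("virtual") link, image and form targets.

Added example; not code from the SecurityTracker alert or from Kellinis' post.
Assumed names: audit(), resolves_under(), is_relative(), SAMPLE_PAGE.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches from or posts to.
URL_ATTRS = {"href", "src", "action"}

# Values that are not site navigation targets and can be ignored.
IGNORED_PREFIXES = ("javascript:", "mailto:", "data:", "#")


def is_relative(url):
    """True when the URL carries no scheme, so the browser resolves it
    against whatever page (and origin) it happens to be rendered under."""
    url = url.strip()
    if not url or url.lower().startswith(IGNORED_PREFIXES):
        return False
    return not urlsplit(url).scheme


class RelativeRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every relative URL attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None and is_relative(value):
                self.findings.append((tag, name, value))


def resolves_under(value, page_url):
    """Where a relative value ends up when the page is rendered at page_url."""
    return urljoin(page_url, value)


def audit(html, site_base):
    """Return one dict per relative URL attribute, with the absolute form the
    attribute should carry so it keeps pointing at site_base no matter which
    origin the page is displayed under."""
    parser = RelativeRefFinder()
    parser.feed(html)
    parser.close()
    return [
        {"tag": tag, "attr": attr, "value": value,
         "absolute": resolves_under(value, site_base)}
        for tag, attr, value in parser.findings
    ]


# Constructed sample: a site index page mixing relative and absolute targets.
SAMPLE_PAGE = """<html><body>
<img src="images/logo.gif">
<a href="https://www.example.com/help">Help</a>
<a href="#top">Top</a>
<form action="form/submit.php" method="post"><input name="user"></form>
<form action="https://www.example.com/login" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    genuine = "https://www.example.com/"
    elsewhere = "http://www.ourdomainname/FakeSSL.html"  # page URL quoted in the post
    for f in audit(SAMPLE_PAGE, genuine):
        print(f"<{f['tag']} {f['attr']}=\"{f['value']}\">")
        print(f"   under the genuine site: {f['absolute']}")
        print(f"   under {elsewhere}: {resolves_under(f['value'], elsewhere)}")
        print(f"   fix: {f['attr']}=\"{f['absolute']}\"")
```

Run it against a saved copy of a site's index page (replace SAMPLE_PAGE with the file contents) to get the list of attributes to rewrite. Scheme-relative values such as //host/path are also reported, since they keep the host but inherit the scheme of whatever page displays them.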

Copyright 2019, SecurityGlobal.net LLC