Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2088
HistoryOct 12, 2001 - 12:00 a.m.

Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing

2001-10-1200:00:00
vulners.com
16
JSON

Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing

Risk: POTENTIALLY HIGH.
Potentially allowing any possible action on the client machine, including
reading any file, placing Trojan code or altering data.
The risk depends on the security settings in the 'Intranet zone'.

Scope:
Client browser. Microsoft Internet explorer 4.x 5.x. (IE 6 seems to be not
vulnerable).
OS versions scope not known. This vulnerablility was discoved on windows
2000 SP2 with the latest security and office updates.

Background:

Microsoft internet explorer security is dependant on different 'security
zones'. These zones (Local Intranet zone and Internet zone) can have
different security settings in regards to scripting and ActiveX execution. A
lot of individuals and companies (including Microsoft) are depending on
these zones to allow custom written activeX controls (unsigned and unsafe
for scripting) to run on their internal intranet or network.
A flaw has been discovered in Internet Explorer that can bypass these zones
and ‘fool’ the browser into believing an Internet site resides in the local
intranet zone. This has as result that malicious website owners could
potentially operate (and execute malicious code) in the users local intranet
zone by luring surfers to their site with specially crafted URL’s.

In order for this Flaw to be dangerous, the user would have to have lower
security settings in the intranet zone then in the Internet zone.

Technical details:

Example:

An option in a basic authenticated site is to pass on a username (and/or
password) in the URL like this:

http://[email protected]

Another possibility is to convert an IP address into a dotless IP address;
such an address is also called a DWORD address (some proxy servers, routers
or web servers do not allow this).

http://msdn.microsoft.com - IP: 207.46.239.122

Convert this IP address to a DWORD address:

207 * 16777216 = 3472883712
46 * 65536 = 3014656
239 * 256 = 61184
122 * 1 = 122
------------------------------------------------ +
= 3475959674

This DWORD address can be used to visit the site like:

http://3475959674

If we combine the URL login option with the DWORD IP address we’ll get the
following URL:

http://mike@3475959674

The browser still thinks we are in the internet zone as expected.

Now we change the @ sign to its ASCII equivalent (%40):

http://mike%403475959674

Using this link, the browser thinks the Internet site we are in is the local
intranet zone!

Disclosure details:

The flaw has been discovered by Michiel Kikkert from Kikkert Security and
Microsoft was notified on the 26th of July.
Since then, Microsoft has been working hard to make core changes to Internet
Explorer and to develop a patch to resolve this issue.

An official Microsoft patch that will fix this can be found at the following
address:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp

(URL may wrap)

Kind Regards,
Michiel Kikkert – [email protected]
Kikkert Security.

Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

JSON