RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!
From: David Bartholomew (dfbarth_at_akiva.com)
Date: 01/11/04
- Previous message: Paulo Pereira: "Re: [Full-Disclosure] Is the FBI using email Web bugs?"
- In reply to: Paul Szabo: "RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!"
- Next in thread: Tri Huynh: "Re: [Full-Disclosure] Re: Yahoo Instant Messenger Long Filename Downloading Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> Date: Sun, 11 Jan 2004 11:05:52 -0500
Curious. I wondered why I didn't see the little control character marker in
there when I pulled this page up like I did with the front page. It's
interesting, too, that someone should bother to put this sort of stuff in
the form action section - but as a test I went and filled out the initial
form with random info, just to see what the whole thing looked like.
Figured that maybe they were putting the text in place to 'fill' your status
bar so that you couldn't see the real stuff at the end of it. Seemed to be
what happened. It seems like so much work to bother with the 0x01 exploit at
the beginning of the whole thing, when you could have just as readily done
all this with javascript onmouseover events so that unless you looked at the
source, the button would have looked totally legit.
.dfbarth
***
David Bartholomew, MCSE, MCSA, MCP, Net+, A+
Technical Lead - Akiva, Inc.
***
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Paul Szabo
Sent: Sunday, January 11, 2004 12:37 AM
To: dfbarth@akiva.com; full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] 3 new MS patches next week... but none
fix 0x01!
> ... and I've got this question for the list:
>
> This really long 'form action' item
>
http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw
>
wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@211.239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the 0x01
exploit
> is 'good enough', what's with the extra characters?
Hmmm... where in there do you see %01? No, that is no 0x01 exploit, but
just user:password@host quasi-RFC-compliant usage. The string is long so
as to leave the user staring at the citibank+gibberish part, not to be
made suspicious of the @IP part.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Paulo Pereira: "Re: [Full-Disclosure] Is the FBI using email Web bugs?"
- In reply to: Paul Szabo: "RE: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!"
- Next in thread: Tri Huynh: "Re: [Full-Disclosure] Re: Yahoo Instant Messenger Long Filename Downloading Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
