Re: IE URL obfuscation
From: Scovetta, Michael V (Michael.Scovetta_at_CA.COM)
Date: 12/11/03
- Previous message: securityalerts_at_PENNYSAVERUSA.NET: "Re: More on IE URL obfuscation"
- Maybe in reply to: Ben Reardon: "IE URL obfuscation"
- Next in thread: Jeroen Frijters: "Re: IE URL obfuscation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Dec 2003 17:49:59 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I'm using a simple proxy.pac/wpad.dat:
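function FindProxyForURL(url, host) {
    // Warn when the URL contains the "?@" sequence.
    if (url.indexOf("?@") != -1) {
        alert('Possible hack. Proceed with caution.');
    }
    // A PAC function must return a proxy setting; "DIRECT" means no proxy.
    return "DIRECT";
}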
I'd rather MS patch the browser, but in the meantime, this works
for me. You can just add the other URL strings, \0x01 and any others
that come up. And it's a little easier than telling people to always
check the SSL certificate or right-click/Properties to get the actual
URL (which correctly shows the full URL, unlike the address bar).
I can't wait to get directed to sites that put their names in the URLs:
http://www.slashdot.org?@%56%69%61%67%72%61
Also, you can use hex on the ?@, so:
http://www.securityfocus.com%3f%40www.google.com?a=b
Also, if you double-hex-encrypt '/', you can somewhat use directories:
/ = %2f
%2F = %25 %32 %66
http://www.securityfocus.com%25%32%66archive?@www.google.com
returns a 404 the first time, but then the correct page the second, and
sometimes correct pages, sometimes not after that. I don't know WHAT IE
is doing with the URL, but I've got a funny feeling there are some more
exploits in this category...
Michael Scovetta
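
The hex and double-hex variants shown in the message get past a literal "?@" match, so a PAC-side check has to decode before it compares. The following is an added example, not part of the original post: the function names and the MAX_ROUNDS limit are assumptions, and it flags any "@" found before the first "/" as well as nested escapes and control characters.

```javascript
// Added example (not from the original post); all function names are hypothetical.
var MAX_ROUNDS = 4; // assumption: enough to unwrap nested escapes such as %25%32%66

// Decode %XX escapes one level; unlike decodeURIComponent, never throws.
function percentDecodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, function (m, hex) {
    return String.fromCharCode(parseInt(hex, 16));
  });
}

// Decode until the string stops changing; report how many levels were peeled.
function fullyDecode(s) {
  var rounds = 0;
  while (rounds < MAX_ROUNDS) {
    var next = percentDecodeOnce(s);
    if (next === s) break;
    s = next;
    rounds++;
  }
  return { text: s, rounds: rounds };
}

// Return the list of reasons a URL looks obfuscated (empty list = nothing found).
function suspiciousReasons(url) {
  var reasons = [];
  var whole = fullyDecode(url);
  // Region where a host name is expected: after "scheme://", up to the first literal "/".
  var hostRegion = url.replace(/^[a-z][a-z0-9+.\-]*:\/\//i, "").split("/")[0];
  if (fullyDecode(hostRegion).text.indexOf("@") !== -1) {
    reasons.push("at-sign before first slash");
  }
  if (/%[0-9a-fA-F]{2}/.test(hostRegion)) {
    reasons.push("percent-escape before first slash");
  }
  if (whole.rounds >= 2) reasons.push("nested percent-encoding");
  if (/[\x00-\x1f\x7f]/.test(whole.text)) reasons.push("control character");
  return reasons;
}

// PAC entry point: warn, then let the request go out directly.
function FindProxyForURL(url, host) {
  var reasons = suspiciousReasons(url);
  if (reasons.length > 0 && typeof alert === "function") {
    alert("Possible URL obfuscation: " + reasons.join(", "));
  }
  return "DIRECT";
}
```

A URL with no path slash and an "@" in its query string is also flagged, so expect some false positives from this rule.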