Re: IE URL obfuscation

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 12/12/03

  • Next message: Duane Maurer: "How IE handles URL's"
    Date:         Fri, 12 Dec 2003 14:22:40 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I replied to Russ:

    <<big snip>>
    > If we had to worry each time we pushed a couple of slices of bread into
    > our toasters that some slimeball on the other side of the planet would
    > have untrammelled access to our bank accounts for the duration of the
    > toasting process, I suspect we'd all just eat bread (or at least find
    > other ways to make toast!) and the "toaster industry" would _DESERVEDLY_
    > fail. Computing on the scale and with the breadth of reach and impact
    > that we have inflicted on the unwary, and those who are largely not
    > sophisticated enough to know what questions to ask, is certainly
    > _nowhere near_ the same level of consumer readiness as the domestic
    > bench-top toaster. The lie that it is, is largely the responsibility of
    > Bill and Co. I think they should start accepting the very real
    > responsibility they have, personally, professionally and commercially to
    > fix this. Working on, and releasing ASAP, yet another fix for IE would
    > show that they _MAY_ be beginning to understand their role in all this
    > and that they _MAY_ be starting -- just starting -- to get a clue what
    > "Trustworthy computing" might really be all about.

    I realized after posting this that a previous post of mine about the
    flaws in the URI RFC, from late last week or very early this, in
    response to a visa.com phishing scam was _not_ posted to this list.
    Despite that, I had written my commentary on this with that earlier
    message in mind. If Russ does not mind posting this, I'll include the
    text of that earlier message (to the Full-Disclosure mailing list) here
    so NTBugtraq-ers can see some of the ideas behind what I just wrote,
    but did not directly reference therein.

    Hopefully this makes my comments in the message Russ just posted a
    little more intelligible and perhaps to appear less of a rant...

    -----------------------------------------------------------------------
      From: Nick FitzGerald
      Subject: Re: [Full-Disclosure] (no subject)
      Date: Fri, 05 Dec 2003 15:43:55 -0800

    "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

    > Quite a nifty email scam:
    >
    > <a
    > href="http://www.visa.com
    > :Use
    > rSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&Sta
    > [EMAIL PROTECTED]/verified_by_visa.html">http://www.visa
    > .com</a>
    >
    > Note the gap, shows only as visa.com in Outlook Express which takes
    > you to visa's site and a rather awkward popup window where the data
    > is supposed to be filled in.

    Indeed -- this is a classic exploit of a classic case of several
    _really, really BAD_ design decisions.

    First, some genius (or committee thereof) decided that putting
    "userinfo" data into URLs would be a good idea. This was decided
    despite it generally being agreed -- as the URL RFC authors note _in
    the RFC_ -- to be a bad thing from a security perspective...

    Second, and perhaps the largest part of the problem was that the
    specification for doing this was designed by people with _ABSOLUTELY
    ZERO_ clue about user interfaces, as is shown by their decision to put
    userinfo data in front of the target domain. Normally users will only
    see URLs without userinfo data, so from a UI perspective it was really
    bad design to have a "special case" (that would be rarely used and thus
    rarely seen by users) "disturb" the expectation of the user (in
    general, that is a recipe for problems). Worse is that the userinfo
    data field has, by its nature, to allow for completely arbitrary data
    (in terms of length and character set).

    Third, and increasingly inexcusable, is that no client s/w (that I am
    aware of) that deals with such URLs has _ANY_ kind of sanity checking
    or user warning that "something unexpected" may be about to happen. I
    would hazard that, because of the general agreement that specifying
    userinfo data in URLs is a really bad thing, historically "most" URLs
    that have had a userinfo part have had such for nefarious uses.
    Thus, I'd suggest that it is time URL-handling routines stopped
    handling userinfo data, at least without prompting the user, or better
    still, by default be configured to not handle userinfo (which would
    make userinfo handling a candidate for zone-by-zone enabling in IE
    where, _at most_, it would only make sense to be enabled by default in
    the Trusted Sites zone).

    -----------------------------------------------------------------------

    --
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
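The sanity check and zone-style policy Nick describes, written out as an added example (not code from the post or from any browser): it splits the authority on the last `@` as the URI RFC requires, reports the real host versus the hostname-looking "userinfo" lure, and refuses such URLs unless the real host is on a trusted list. The sample URLs are constructed from the quoted visa.com lure; `phish.example` is a placeholder for the redacted destination host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs, modelled on the visa.com lure quoted in the post.
# 'phish.example' stands in for the destination host the archive redacted;
# it is a placeholder, not a real indicator.
LURE_URL = ("http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495"
            "&usersoption=SecurityUpdate@phish.example/verified_by_visa.html")
PLAIN_URL = "http://www.visa.com/verified_by_visa.html"

# Loose "does this look like a domain name" test for the userinfo field.
_HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def inspect_userinfo(url):
    """Return (real_host, username, password) for an http(s) URL.

    username/password are None when the URL carries no userinfo part.
    urlsplit splits the authority on the *last* '@', so everything before
    it is userinfo and only what follows it is the host the client contacts.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.username, parts.password


def classify(url, trusted_hosts=()):
    """Apply the zone-style policy from the post.

    Returns (verdict, real_host, lure) where verdict is:
      'allow'  - no userinfo present, nothing unusual to warn about
      'prompt' - userinfo present but the real host is explicitly trusted
      'block'  - userinfo present and host not trusted (the safe default)
    lure is the userinfo "username" when it looks like a hostname, i.e. the
    familiar domain the reader sees while the real host hides after '@'.
    """
    host, user, _password = inspect_userinfo(url)
    if user is None:
        return "allow", host, None
    lure = user if _HOSTNAME_RE.match(user) else None
    if host in trusted_hosts:
        return "prompt", host, lure
    return "block", host, lure


if __name__ == "__main__":
    for sample in (PLAIN_URL, LURE_URL):
        print(classify(sample))
```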
    
