Re: COELACANTH: Phreak Phishing Expedition]

From: Thor Larholm (thor_at_PIVX.COM)
Date: 06/11/04

  • Next message: Drew Copley: "Re: COELACANTH: Phreak Phishing Expedition]"
    Date:         Thu, 10 Jun 2004 18:10:06 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    You can't replicate this with most other servers because the Host header
    is set to a non-existant site on most servers.

    Whenever IIS or Apache receives a request it will first locate the
    proper site based on the IP adress being used, after which it will
    lookup based on the Host header. In the case of e-gold, they have simply
    not specified a Host header for the IIS website that they configured.
    You can send a HTTP request to e-gold.com with "Host: foobar" and their
    site still comes up, even though you should only get their site with a
    header such as "Host: e-gold.com" or "Host: www.e-gold.com".

    HTTP 1.1 requires the use of a Host header and it is bad practice to
    accept HTTP requests without a Host header that corresponds to a locally
    configured site. In most cases with IIS, this only happens if you are
    using the Default Website or explicitly has choosen to not specify a
    Host header for the site. You can specify multiple Host headers for a
    site so there is not much excuse not to do so.

    Whenever IE wants to send an HTTP request it first needs to determine
    what server to connect to. Because of the URL escaping IE disregards
    anything before the slash and equal sign, and sees that it has to send
    an HTTP request to www.e-gold.com. It is only after IE has determined
    what server to request information from that it URL decodes the URI and
    ends up with http://www.microsoft.com/redir=www.e-gold.com, which it
    then displays in the Address Bar and subsequently uses to determine what
    security zone it should use to render the HTML. IE only decides what
    security zone to use based on the Address Bar value after it has
    successfully downloaded all of the HTML (untill then it is in the
    Unknown Zone), at which point the URL decoding has long since happened.

    If you want to exploit this to serve content from your site in the
    security zone of another site, you will need to disregard the Host
    header being sent by the client. A perfect candidate you can use to gain
    additional privileges is WindowsUpdate.microsoft.com or
    oca.microsoft.com who are both in the Trusted Sites security zone on a
    default installation of Windows Server 2003 and Windows XP SP2.

    You should be able to use this to compromise Windows XP SP2 through
    Internet Explorer despite the My Computer zone hardening since the
    Trusted Sites Zone has all of the privileges you need to plant and
    execute a file.

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Stock symbol: (PIVX)
    Phone: +1 (949) 231-8496
    PGP: 0x5A276569
    6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

    PivX defines a new genre in Desktop Security: Proactive Threat
    Mitigation.
    <http://www.pivx.com/qwikfix>

    -----Original Message-----
    From: Drew Copley [mailto:dcopley@eEye.com]
    Sent: Thursday, June 10, 2004 4:40 PM
    To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
    Subject: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing
    Expedition]

    > Subject: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
    > From: "http-equiv@excite.com" <1@malware.com>
    > Date: Thu, June 10, 2004 12:35 pm
    > To: full-disclosure@lists.netsys.com
    > --------------------------------------------------------------
    > ------------
    >
    >
    >
    > Thursday, June 10, 2004
    >
    > The following was presented by 'bitlance winter' of Japan today:
    >
    > test
    >
    > Quite inexplicable from these quarters. Perhaps someone with server
    > 'knowledge' can examine it.
    >
    > It carries over the address into the address bar:
    >
    > [screen shot: http://www.malware.com/gosh.png 72KB]
    >
    > while redirecting to egold. The key being %2F without that it fails.
    > The big question is where is the 'redir' and why is it only applicable

    > [so far] to e-gold. Other sites don't work and e- gold is running an
    > old Microsoft-IIS/4.0.

    IE makes this into a connection with e-gold.com like so:

    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint,
    application/msword, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
    1.1.4322; .NET CLR 1.0.3705)
    Host: www.microsoft.com/ redir=www.e-gold.com
    Connection: Keep-Alive

    It never touches microsoft.com.

    What is interesting, though, is IE spoofs the zone. If you change
    www.microsoft.com in there to a site in your trusted zone, you will see
    e-gold read as your trusted zone.

    So, you should be able to bounce from any trusted zone and theoritically
    from local zone -- and with adodb still being open, you should be able
    to run code because of the open adodb issue.

    IE doesn't talk to e-gold first. It connects to it. It sends the GET
    request, it receives the first page.

    But, can't replicate with other servers. It requires some more research.

    >
    > Working Example:
    >
    > http://www.malware.com/golly.html
    >
    >
    > credit: 'bitlance winter'
    >
    >
    > End Call
    >
    > --
    > http://www.malware.com
    >
    >
    >
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: Drew Copley: "Re: COELACANTH: Phreak Phishing Expedition]"