[NT] Internet Explorer URL Decoding Zone Spoofing Technical Details (MS05-014)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
To: list@securiteam.com Date: 13 Feb 2005 11:09:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Internet Explorer URL Decoding Zone Spoofing Technical Details (MS05-014)
------------------------------------------------------------------------
SUMMARY
The method used for Windows security zone evaluation fails when characters
in the URL are encoded in a certain way. Internet Explorer can be tricked
into thinking that a document belongs in the "My Computer" zone when it actually
resides on an Internet server. JavaScript in such a document can be used to
execute arbitrary code, because documents in the "My Computer" zone are
normally trusted and given more privileges than documents on the Internet.
A malicious user can use this vulnerability to perform any action on the victim
system with the victim user's privileges - transfer files, run programs,
etc. No further user interaction is required apart from viewing a web page
created by the attacker. In the e-mail attack scenario the victim user is
usually required to click a link in the e-mail.
DETAILS
Somewhere in the process of evaluating the security zone for URLs,
hex-decoding (the %xy notation) is done more than once for a single URL,
i.e. the already-decoded URL is decoded again. This causes undesired effects
if the URL contains certain special characters that are encoded more than once.
Unlike some other operating systems, Windows allows the % sign in
hostnames, so a URL containing such encoding works in Internet Explorer,
provided that the hostname resolves correctly to the attacker's IP address.
The attacker can then host e.g. an HTML document on the server, which
Internet Explorer misinterprets as belonging in the "My Computer" zone.
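As an added illustration, not from the advisory and not Internet Explorer's actual zone code, the toy model below shows why hex-decoding a URL more than once before a security decision is dangerous: the component that decides the zone (two decode passes) and the component that fetches the URL (one pass) end up looking at different hostnames and paths. The sample URLs and the zone rule are constructed for the demonstration.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample URLs; none of these is the advisory's proof-of-concept.
SAMPLES = {
    "plain":  "http://www.example.test/page.html",
    "single": "http://www.example.test/a%20b.html",
    "double": "http://www.example.test%2525/%252e%252e/x.html",
    "local":  "file:///C:/docs/page.html",
}

def decode_n(url: str, passes: int) -> str:
    """Apply %xy hex-decoding 'passes' times; the flaw is passes > 1."""
    for _ in range(passes):
        url = unquote(url)
    return url

def host_seen(url: str, passes: int) -> str:
    """Hostname a component sees after the given number of decode passes."""
    return urlsplit(decode_n(url, passes)).netloc

def classify(parts) -> str:
    """Toy zone rule (assumption, not IE's): file scheme -> My Computer."""
    return "My Computer" if parts.scheme == "file" else "Internet"

def zone_vulnerable(url: str) -> str:
    """Decodes twice before deciding, the pattern the advisory describes."""
    return classify(urlsplit(decode_n(url, 2)))

def zone_fixed(url: str) -> str:
    """Decode exactly once; if one more pass would change any component,
    the URL is ambiguous and gets the least-privileged zone."""
    once = decode_n(url, 1)
    if urlsplit(unquote(once)) != urlsplit(once):
        return "Internet"
    return classify(urlsplit(once))

def mismatch(url: str) -> bool:
    """True when the zone check (2 passes) and the fetch (1 pass) would
    disagree about which host the URL names."""
    return host_seen(url, 1) != host_seen(url, 2)

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:7} mismatch={mismatch(url)!s:5} "
              f"vulnerable={zone_vulnerable(url)} fixed={zone_fixed(url)}")
```

The check in `zone_fixed` (decode once, then require the parse to be stable under a further decode) is the generic mitigation for this bug class; the advisory's real fix is in Microsoft's patch.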
A proof-of-concept exploit was tested with Internet Explorer 6 on Windows
2000 and Windows XP. The exploit successfully launches an
attacker-supplied EXE program when the victim user visits a web page
containing the exploit. A full list of vulnerable versions is included in
Microsoft's bulletin.
Vendor Status:
Microsoft was informed of the problem on February 16th, 2004. A
preliminary patch was first produced in September 2004 and Microsoft sent
it to me for testing. However, it turned out that the fix didn't correctly
protect from a variation of the exploit, so the release was delayed.
The final patch and Microsoft's bulletin are available at:
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
ADDITIONAL INFORMATION
The information has been provided by Jouko Pynnonen <jouko@iki.fi>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.