[NT] Phishing Using IE7 Local Resource Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Phishing Using IE7 Local Resource Vulnerability
------------------------------------------------------------------------


SUMMARY

Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its
local resources. In combination with a design flaw in this specific local
resource it is possible for an attacker to easily conduct phishing attacks
against IE7 users.

DETAILS

Vulnerable Systems:
* Windows Vista - Internet Explorer 7.0
* Windows XP - Internet Explorer 7.0

The navcancl.htm local resource is used by the browser when, for some
reason, a navigation to a specific page is canceled. When a navigation is
canceled, the URL of the specific page is provided to the navcancl.htm
local resource after the # sign. For example:
res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page
then generates a script in the "Refresh the page." link in order to reload
the provided site again when the user clicks on this link. It is possible
to inject a script into the provided URL which will be executed when the
user clicks on the "Refresh the page." link. Luckily, Internet Explorer now
runs most of its local resources (including navcancl.htm) in the Internet
Zone, so this vulnerability cannot be exploited to conduct remote code
execution.

Unfortunately, there is also a design flaw in IE7. The browser
automatically removes the URL path of the local resource and leaves only
the provided URL. For example: when the user visits
res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show
http://www.site.com in the address bar.

To perform a phishing attack, an attacker can create a specially crafted
navcancl.htm local resource link with a script that will display fake
content of a trusted site (e.g. bank, PayPal, MySpace). When the victim
opens the link that was sent by the attacker, a "Navigation Canceled"
page will be displayed. The victim will think that there was an error in
the site or some kind of network error and will try to refresh the page.
Once he clicks on the "Refresh the page." link, the attacker's provided
content (e.g. a fake login page) will be displayed, and the victim will
think that he is within the trusted site, because the address bar shows
the trusted site's URL.
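As an added example (not code from the advisory or its author), a small Python checker that a mail-gateway or proxy operator could run over extracted links: it flags any navcancl.htm link, records which host the IE7 address bar would display, and raises the severity when the URL after the # sign carries script markup. The sample links and site names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Address-bar behaviour described in the advisory: for a link of the form
# res://ieframe.dll/navcancl.htm#<url>, IE7 shows only <url>, so the part
# after the # sign is what the victim sees.
NAVCANCL_RE = re.compile(r"^res://ieframe\.dll/navcancl\.htm#(?P<shown>.*)$", re.IGNORECASE)

# Markup that has no business inside a URL that is only supposed to be reloaded.
SCRIPT_HINT_RE = re.compile(r"<\s*script|javascript:|<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)

# Constructed sample links, as they might be extracted from inbound mail or a proxy log.
SAMPLE_LINKS = [
    "http://www.example.com/news/article.html",
    "res://ieframe.dll/navcancl.htm#http://www.site.com",
    "res://ieframe.dll/navcancl.htm#http://www.site.com/<script>document.write('fake')</script>",
    "RES://ieframe.dll/navcancl.htm#http://www.site.com/%3Cscript%3Edocument.write('fake')%3C/script%3E",
]


def analyse_link(link):
    """Return a finding dict for a navcancl.htm link, or None for any other URL."""
    m = NAVCANCL_RE.match(link.strip())
    if m is None:
        return None
    shown = unquote(m.group("shown"))  # decode %XX so URL-encoded markup is not missed
    script_injected = SCRIPT_HINT_RE.search(shown) is not None
    return {
        "displayed_url": shown,                        # what the victim sees in the address bar
        "displayed_host": urlsplit(shown).hostname or "",
        "script_injected": script_injected,
        # Any navcancl link arriving from outside is suspicious; injected markup is the phishing case.
        "severity": "high" if script_injected else "medium",
    }


def scan(links):
    """Run analyse_link over a list of links and keep only the findings."""
    findings = []
    for link in links:
        result = analyse_link(link)
        if result is not None:
            findings.append((link, result))
    return findings


if __name__ == "__main__":
    for link, result in scan(SAMPLE_LINKS):
        print(result["severity"], result["displayed_host"], "script" if result["script_injected"] else "plain")
```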

Proof-of-Concept:
A CNN.com article spoofing proof-of-concept can be found here:
<http://aviv.raffon.net/ct.ashx?id=d8214cdd-efdd-4d27-8393-e31f1302b090&url=http%3a%2f%2fwww.raffon.net%2fresearch%2fms%2fie%2fnavcancl%2fcnn.html>


ADDITIONAL INFORMATION

The information has been provided by Aviv Raff <avivra@xxxxxxxxx>.
The original article can be found at:
<http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx>


