RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition

From: Jelmer (jkuperus_at_planet.nl)
Date: 06/19/04

    Date: Sat, 19 Jun 2004 04:31:09 +0200
    To: 'Drew Copley' <dcopley@eEye.com>, bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com, full-disclosure@lists.netsys.com

    >As an addendum, perhaps, though I wouldn't doubt someone
    >might make some nice proof-of-concept code for this...

    Don't mind if I do :)

    The following demo will read out your logon name and your logon domain, or
    at least it should :)

    http://jelmer.homedns.org/test.htm

    The url used is http://jelmer%2fwww.jelmer.homedns.org

    The problem is that IE looks at the part before the %2f to determine the
    security zone etc. but then loads the URL in its entirety, like this:

    http://jelmer - used to determine the zone
    http://jelmer/www.jelmer.homedns.org - loaded

    IE treats any url it sees without a period in it such as http://jelmer as
    part of the Local Intranet Zone

    From the intranet zone we can easily obtain the logon name because automatic
    logon through NTLM is enabled by default in the intranet zone.

    Code at http://jelmer.homedns.org/code.zip

    I excluded the rather large jcifs jar, you can download it from
    http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder

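An added check (not part of Jelmer's post or his code.zip) that applies the parsing rule described above, the zone host being the raw authority cut at the first percent-encoded slash, to flag such URLs in a proxy or web log before IE would act on them; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not real traffic). The first has the shape from
# the post; the others are ordinary URLs used as negative cases.
SAMPLE_URLS = [
    "http://jelmer%2fwww.jelmer.homedns.org",
    "http://www.example.com/index.html",
    "http://fileserver/share",
    "http://www.example.com/docs/a%2Fb",
]

_ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)


def raw_authority(url):
    """Authority as a parser that splits before decoding sees it: the text
    between '//' and the first literal '/', '?' or '#', still percent-encoded."""
    return urlsplit(url).netloc


def zone_host_as_described(url):
    """Host string the post says IE used for the zone decision: the raw
    authority cut at the first percent-encoded slash ('%2f' or '%2F')."""
    return _ENCODED_SLASH.split(raw_authority(url), maxsplit=1)[0]


def analyse(url):
    """Return the zone host and a list of findings for one URL."""
    authority = raw_authority(url)
    zone_host = zone_host_as_described(url)
    findings = []
    if _ENCODED_SLASH.search(authority):
        # Encoded slash inside the authority: zone lookup and actual load
        # can disagree about where the host name ends.
        findings.append("encoded-slash-in-authority")
    if zone_host and "." not in zone_host.split(":")[0]:
        # Dotless host: lands in the Local Intranet zone, where automatic
        # NTLM logon is on by default.
        findings.append("dotless-host")
    return {"url": url, "zone_host": zone_host, "findings": findings}


def suspicious(url):
    """True when both conditions from the post hold for the same URL."""
    f = analyse(url)["findings"]
    return "encoded-slash-in-authority" in f and "dotless-host" in f
```

A dotless host on its own is only reported, not treated as suspicious, since plain intranet names are normal in most logs; the combination with an encoded slash in the authority is what this post is about.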