TERRORIST NETWORK Security Advisory


Date:               3 January 2003

Author:           Paul A. Watson

Title:               Microsoft Internet Explorer URL Obfuscation Vulnerability

Product:          Internet Explorer 6.0


Description: Internet Explorer (IE) contains a flaw in the way it displays URLs in the address bar and status bar. The flaw allows an attacker to embed in a web page or e-mail message an HTML link to an arbitrary site that appears to point to a trusted site. If the victim hovers the mouse over the malicious link, the IE status bar displays the URL of the trusted site. If the victim clicks the link, IE connects to the attacker's server, but the address bar falsely shows the location as the trusted site. The only way to identify such a link is to examine the HTML source of the page or message that carries it. Attackers can use this flaw to lure victims onto malicious web servers while the victims believe they are browsing a trusted server, which can result in the victim disclosing sensitive information or downloading and installing malicious software.


Exploit: The exploit abuses the userinfo component of a URL, which allows text such as a username to precede the host name, separated from it by an '@' character, as in http://username@www.terrorist.net. IE discards the text before the '@' when the link is followed, so the attacker places the trusted host name there and the real destination after it. If the attacker inserts a URL-encoded null byte (%00) immediately before the '@', the status bar displays only the text preceding the '@', i.e. the trusted host name. If the attacker additionally inserts a raw 0x01 byte before the encoded null, the address bar also displays only the text preceding the '@' after the link is clicked, so both indicators show the trusted site while the connection goes to the attacker's host.


Proof of Concept Code: The website www.dc2600.com provides a list of current news articles from around the web. Each URL is encoded as described above and appears to link to www.terrorist.net, although the real link points to the actual source of each news article.
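The following is an added example, not code from the advisory or from the www.dc2600.com proof of concept. It automates the check the Description calls for (examining the HTML source) by extracting every href from a page, splitting off the userinfo portion of the URL, and reporting the host IE 6 would have shown against the host the link really resolves to, using the display rule the Exploit section describes (text before the first null byte). It flags both the advisory's form (raw 0x01 followed by %00 before the '@') and the fully percent-encoded variant %01%00@. The sample HTML is constructed for this example; www.terrorist.net and www.dc2600.com are the names used in the advisory.

```javascript
// Added example (not part of the advisory): scan HTML for links that abuse the
// userinfo ("user@host") part of a URL together with raw or %-encoded control
// bytes, and report displayed host vs. real host for each link.

const CONTROL_RAW = /[\x00-\x1f\x7f]/;              // raw control bytes
const CONTROL_ENC = /%(0[0-9a-f]|1[0-9a-f]|7f)/i;   // percent-encoded control bytes

// Split an absolute URL into scheme, authority and the remainder (path/query/fragment).
function splitUrl(href) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(href);
  return m ? { scheme: m[1].toLowerCase(), authority: m[2], rest: m[3] } : null;
}

// Describe one link: where it really goes, what IE 6 would have shown, and whether they differ.
function analyzeLink(href) {
  const parts = splitUrl(href);
  if (!parts) return { href, parseable: false, spoofed: false };

  const { authority, rest } = parts;
  const at = authority.lastIndexOf('@');           // last '@' separates userinfo from host
  const userinfo = at === -1 ? '' : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const realHost = hostport.split(':')[0].toLowerCase();

  // Display model from the advisory: a null byte (raw 0x00 or "%00") truncates
  // what the status bar shows, and with a 0x01 byte ahead of it the address bar
  // is truncated too. So the text the victim sees is everything before the first
  // null, with control bytes stripped.
  const nul = authority.search(/\x00|%00/i);
  const displayedHost = (nul === -1 ? realHost : authority.slice(0, nul))
    .replace(/[\x00-\x1f\x7f]|%(0[0-9a-f]|1[0-9a-f]|7f)/gi, '')
    .toLowerCase();

  const hasControl = CONTROL_RAW.test(userinfo) || CONTROL_ENC.test(userinfo);
  return {
    href,
    parseable: true,
    hasUserinfo: userinfo !== '',
    userinfo,
    realHost,
    displayedHost,
    path: rest || '/',
    // Control bytes in userinfo, or a displayed host that differs from the real
    // one, mark the link as spoofed.
    spoofed: hasControl || (userinfo !== '' && displayedHost !== realHost),
  };
}

// Pull every href value (double- or single-quoted) out of HTML and analyze it.
function scanHtml(html) {
  const results = [];
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    results.push(analyzeLink(m[1] !== undefined ? m[1] : m[2]));
  }
  return results;
}

// Constructed sample page (not from www.dc2600.com): the advisory's form with a
// raw 0x01 byte, a benign link, a plain userinfo link, and the %01%00 variant.
const SAMPLE_HTML = [
  '<a href="http://www.terrorist.net\x01%00@www.dc2600.com/news/1.html">Headline</a>',
  '<a href="http://www.terrorist.net/about.html">About</a>',
  "<a href='ftp://anonymous@ftp.example.org/pub/'>Mirror</a>",
  '<a href="http://www.terrorist.net%01%00@www.dc2600.com/news/2.html">Headline 2</a>',
].join('\n');

for (const r of scanHtml(SAMPLE_HTML)) {
  const tag = r.spoofed ? 'SPOOFED' : 'ok     ';
  console.log(`${tag} shown=${r.displayedHost} real=${r.realHost} href=${JSON.stringify(r.href)}`);
}
```

The `hasUserinfo` field is reported separately from `spoofed` so that a stricter policy (treat any '@' in the authority as suspect, which is the safest reading of this advisory until a patch ships) can be applied by the caller without changing the detector.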


Status: As of 1/3/2004, no patch is available to correct this problem. Until one is, links whose HTML source contains an '@' in the host portion of the URL, or the byte sequences %00 or 0x01 ahead of it, should be treated as suspect regardless of what the status bar or address bar displays.