Internet Exploiter

UO!InternetExploiter!HTML

  03 February 2004

Description

Exploits the fact that Microsoft Internet Explorer had a problem (fixed in this patch) where a cleverly constructed URL could appear to go to one site and actually take you to another.

Submitted by .

Example

<a href=http://www.microsoft.com =01 %01 %00@66.235.193.39/~cnnurgen/microsoft/downloads/details.html> www.microsoft.com/downloads/</a>

Notes:

1. This looks like: www.microsoft.com/downloads

2. Notice the use of =01 quoted-printable encoding to insert a non-printable ASCII character SOH (01) inside the URL.

3. Notice the use of % encoding to also insert the non-printable ASCII characters 01 and 00 (the latter being a standard string termination in C designed to fool filters that 'printf' the URL).

4. Notice the use of a URL username/password combination (cf Enigma/Bogus Login tricks).

5. This appears to take the user to www.microsoft.com/downloads, but actually goes to the site at 66.235.193.39.

6. In Microsoft Internet Explorer both the text highlighted in the URL and the URL shown in the status bar indicate that the URL as on microsoft.com.

7. Mozilla Firebird is also fooled by this trick, it terminates the URL at the SOH character.

Another variant has appeared in phishing emails. The pipe character | can be used in a URL. Under Internet Explorer the URL will not be displayed past the pipe. This can be used to make a subdomain look like a top-level domain. In the following example, borrowed from Netcraft

http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/

the link will appear as barclays.co.uk in Internet Explorer, but in fact goes to dvdlinKs.at.


Poll

Do you use the same password(s) across multiple websites?
I use the same password for all sites
I have a number of passwords but use the same for some sites
I use a different password for each site
I don't sign up to any sites that require a password

Leave a comment
View 4 comments

Jobs Recruit Sidebar

VB2010

VB2010 VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada. Early bird discount available until 15th June 2010.
Virus Bulletin currently has 190,699 registered users.