Date: Fri, 30 Apr 2004 16:08:30 +0100
From: "E.Kellinis" <[email protected]>
To: [email protected]Subject: IE Certificate Stealing (Phising) bug
#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: Certificate Stealing (Phising)
Risk: Medium
Exploitation: Remote with browser
Date: 30 Apr 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
#########################################
=======
Product
=======
A popular Web browser, created by Microsoft,
used to view pages on the World Wide Web.
===
Bug
===
In Internet Explorer enables someone to use an
ssl certificate in a website which belongs to
someone else.A combination Refresh and OnUnload
on BODY tag. This bug can be used in
Phising scams.
Lets say that we want to use example.com
certificate.
We point with REFRESH Meta Tag that website.
< meta http-equiv="REFRESH"
content="0;url=https://www.example.com/"
>
Then inside our BODY tag we use onUnload to inform
the webbrowser what to do when it will unload that
webpage (using the window.location method).
< BODY onUnload='window.location=""' >
The result of that will be,
the browser will inform us if we want to use the
certificate of example.com (If we trust that party
we will say yes)Then the contents of the protected
webpage will be downloaded to our website using our
domain name .
We have something like that on the URL field of IE.
Address : http://www.ourdomainname/FakeSSL.html
then we have the contents of the index page of example.com
in the browsing area and the SSL lock (right corner).
*Remember that we are in the fake website all that time.
If inside the index page links and forms use virtual
pointers to directories or files
(e.g. images/ or form/submit.php) we can use the trust
of the visitor and steal information.
(e.g. via submit forms).
NOTE: the lock in the right corner doesnt work, if you
click it says "this type of document does not have security
certificate" which mean that this lock shouldnt be there ,
in case that a visitor will check the certificate only in
the the popup window at the begining of the session and after
loading the webpage will not check the validity using the right
corner lock, then we fake the certificate.
Proof Of Concept Code
< html>
< head>
< title>Your Page Title</title>
< meta http-equiv="REFRESH"
content="0;url=https://www.example.com/">
< META HTTP-EQUIV="Content-Type" CONTENT="text/html;">
< /HEAD>
< BODY onUnload='window.location=""'>
< /BODY>
< /HTML>
====
FIX
====
Do not use virtual directories , instead use the real path or url
Refresh access to the root directory
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt