Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing ------ Risk: POTENTIALLY HIGH. Potentially allowing any possible action on the client machine, including reading any file, placing Trojan code or altering data. The risk depends on the security settings in the 'Intranet zone'. --------- Scope: Client browser. Microsoft Internet explorer 4.x 5.x. (IE 6 seems to be not vulnerable). OS versions scope not known. This vulnerablility was discoved on windows 2000 SP2 with the latest security and office updates. ---------------- Background: Microsoft internet explorer security is dependant on different 'security zones'. These zones (Local Intranet zone and Internet zone) can have different security settings in regards to scripting and ActiveX execution. A lot of individuals and companies (including Microsoft) are depending on these zones to allow custom written activeX controls (unsigned and unsafe for scripting) to run on their internal intranet or network. A flaw has been discovered in Internet Explorer that can bypass these zones and ‘fool’ the browser into believing an Internet site resides in the local intranet zone. This has as result that malicious website owners could potentially operate (and execute malicious code) in the users local intranet zone by luring surfers to their site with specially crafted URL’s. In order for this Flaw to be dangerous, the user would have to have lower security settings in the intranet zone then in the Internet zone. ---------------------- Technical details: Example: An option in a basic authenticated site is to pass on a username (and/or password) in the URL like this: http://mike@msdn.microsoft.com Another possibility is to convert an IP address into a dotless IP address; such an address is also called a DWORD address (some proxy servers, routers or web servers do not allow this). http://msdn.microsoft.com - IP: 207.46.239.122 Convert this IP address to a DWORD address: 207 * 16777216 = 3472883712 46 * 65536 = 3014656 239 * 256 = 61184 122 * 1 = 122 ------------------------------------------------ + = 3475959674 This DWORD address can be used to visit the site like: http://3475959674 If we combine the URL login option with the DWORD IP address we’ll get the following URL: http://mike@3475959674 The browser still thinks we are in the internet zone as expected. Now we change the @ sign to its ASCII equivalent (%40): ------------------------ http://mike%403475959674 ------------------------ Using this link, the browser thinks the Internet site we are in is the local intranet zone! ------------------------ Disclosure details: The flaw has been discovered by Michiel Kikkert from Kikkert Security and Microsoft was notified on the 26th of July. Since then, Microsoft has been working hard to make core changes to Internet Explorer and to develop a patch to resolve this issue. An official Microsoft patch that will fix this can be found at the following address: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-051.asp (URL may wrap) Kind Regards, Michiel Kikkert – security@kikkert.nl Kikkert Security. _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
