> Subject: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
> From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
> Date: Thu, June 10, 2004 12:35 pm
> To: full-disclosure@xxxxxxxxxxxxxxxx
> --------------------------------------------------------------
> ------------
>
> Thursday, June 10, 2004
>
> The following was presented by 'bitlance winter' of Japan today:
>
> <a href="http://www.microsoft.com%2F redir=www.e-gold.com">test</a>
>
> Quite inexplicable from these quarters. Perhaps someone with
> server 'knowledge' can examine it.
>
> It carries over the address into the address bar:
>
> [screen shot: http://www.malware.com/gosh.png 72KB]
>
> while redirecting to egold. The key being %2F; without that it
> fails. The big question is where is the 'redir' and why is it
> only applicable [so far] to e-gold. Other sites don't work and
> e-gold is running an old Microsoft-IIS/4.0.

IE makes this into a connection with e-gold.com like so:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: www.microsoft.com/ redir=www.e-gold.com
Connection: Keep-Alive

It never touches microsoft.com. What is interesting, though, is IE spoofs the zone. If you change www.microsoft.com in there to a site in your trusted zone, you will see e-gold read as your trusted zone. So, you should be able to bounce from any trusted zone and theoretically from local zone -- and with adodb still being open, you should be able to run code because of the open adodb issue.

IE doesn't talk to e-gold first. It connects to it. It sends the GET request, it receives the first page. But, can't replicate with other servers. It requires some more research.
> Working Example:
>
> http://www.malware.com/golly.html
>
> credit: 'bitlance winter'
>
> End Call
>
> --
> http://www.malware.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
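A check a mail gateway or link scanner could apply to links like the one discussed in this thread, added here as an example and not part of the original post or its author's code: it splits the URL strictly before any percent-decoding, rejects an authority that is not a plain hostname, and lists every domain-looking token that appears once the authority is decoded, so both names hidden in `http://www.microsoft.com%2F redir=www.e-gold.com` become visible. The function names and the regular expressions are this example's own assumptions.

```python
"""Added example (not the post's code): flag links whose authority would be
read differently by a strict URL parser and by one that percent-decodes
before splitting, e.g. http://www.microsoft.com%2F redir=www.e-gold.com."""
import re
from urllib.parse import unquote

# RFC 1123 hostname labels plus an optional port; nothing else belongs in
# the authority of a link that claims to point at a well-known site.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?::\d{1,5})?$"
)
# Anything that looks like a dotted domain name inside the decoded authority.
_NAME_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def split_authority(url):
    """Strict split, done before any decoding: the authority runs from
    '://' to the first '/', '?' or '#'. Returns (scheme, authority, rest)."""
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % url)
    m = re.match(r"([^/?#]*)(.*)", remainder, re.S)
    return scheme.lower(), m.group(1), m.group(2)


def analyze_url(url):
    """Describe the authority and list the reasons it is suspicious."""
    _, authority, _ = split_authority(url)
    decoded = unquote(authority)
    findings = []
    if "%" in authority:
        findings.append("percent-encoding inside authority")
    if re.search(r"\s", decoded):
        findings.append("whitespace inside authority")
    if "@" in decoded:
        findings.append("userinfo ('@') inside authority")
    # After decoding, the post's link holds two domains: the one shown in
    # the address bar and the one the connection actually went to.
    names = [n.lower() for n in _NAME_RE.findall(decoded)]
    if len(set(names)) > 1:
        findings.append("multiple hostnames inside authority: " + ", ".join(names))
    return {
        "authority": authority,
        "decoded": decoded,
        "valid_host": _HOST_RE.match(authority) is not None,
        "hostnames": names,
        "findings": findings,
    }
```

`analyze_url(...)["valid_host"]` is the single go/no-go answer; `findings` and `hostnames` are what you would log alongside the link when it is rejected.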