New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!

· Ian T's (AR 24)
· Marcia's (CO8)
· Bill G's (CO12)
· Paul's (AR 5)
· Robin's (AR 2)

· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
· Robin's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· RegChat
· Reviews
· Google Search
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?

$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 1170
Comments: 21
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsFavForums 

Internet Explorer Address Bar Spoofing Exploit Filter

 
Post new topic   Reply to topic       Computer Cops Forum Index -> Proxo Filters
View previous topic :: View next topic  
Author Message
Kye-U

Sergeant
Sergeant



Joined: Oct 18, 2003
Posts: 147

PostPosted: Tue Dec 23, 2003 2:27 am    Post subject: Internet Explorer Address Bar Spoofing Exploit Filter
Reply with quote

Quote:
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.

The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the uname and right before the "@" character in an URL.


Author's Note: Version 5 will not produce any false matches, as it is more specific in what to detect as malicious coding.

Recommendation for hardcore IE Users: Use this filter with the Unofficial Patch for this Exploit (Version 2 has all bugs fixed): http://www.openwares.org/downloads/IEpatch.EXE

Code:
[Patterns]
Name = "Fix: Spoofed Address v5 [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "\0://\2"
          "$ALERT(Internet Explorer URL Spoofing Vulnerability Detected and Modified)"


Test Pages:

http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/
Back to top
View users profile Send private message
surfer

Trooper
Trooper



Joined: Mar 31, 2003
Posts: 14
Location: Canada

PostPosted: Tue Dec 23, 2003 8:16 pm    Post subject:
Reply with quote

Tried out your filter and it works very well. Very Happy
Back to top
View users profile Send private message
Kye-U

Sergeant
Sergeant



Joined: Oct 18, 2003
Posts: 147

PostPosted: Tue Dec 23, 2003 9:20 pm    Post subject:
Reply with quote

Thank you surfer =)

I've spent many hours in total working on this filter.
Back to top
View users profile Send private message
k027

1st Responder
1st Responder



Joined: Aug 25, 2003
Posts: 1251
Location: USA

PostPosted: Tue Dec 23, 2003 11:13 pm    Post subject:
Reply with quote

Thanx for the link to the updated patch.
Back to top
View users profile Send private message
Kye-U

Sergeant
Sergeant



Joined: Oct 18, 2003
Posts: 147

PostPosted: Mon Dec 29, 2003 7:24 pm    Post subject:
Reply with quote

Version 3.0 of Unoffical patch released.

Redirects to local page.

http://security.openwares.org/
Back to top
View users profile Send private message
kbirger

Trooper
Trooper



Joined: Jan 16, 2004
Posts: 18
Location: USA

PostPosted: Fri Jan 16, 2004 7:46 pm    Post subject:
Reply with quote

show me an example of one of these links so i can see how it works for me?Smile
Back to top
View users profile Send private message
Kye-U

Sergeant
Sergeant



Joined: Oct 18, 2003
Posts: 147

PostPosted: Fri Jan 16, 2004 10:34 pm    Post subject: Re: Internet Explorer Address Bar Spoofing Exploit Filter
Reply with quote

Kye-U wrote:
Test Pages:

http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/
Back to top
View users profile Send private message
kbirger

Guest






PostPosted: Fri Jan 16, 2004 11:11 pm    Post subject:
Reply with quote

wow, i feel stupid Sad
Back to top
Kye-U

Sergeant
Sergeant



Joined: Oct 18, 2003
Posts: 147

PostPosted: Wed Jan 28, 2004 1:11 pm    Post subject:
Reply with quote

Here are the final versions of my IE Spoofing Filter(s| Pack) [Too much filter writing for me!]. I've decided that this Replacement method is much more safer and makes the spoofing/phishing attempt more noticable to the user.

I recommend using the Alert version!

Code:
[Patterns]
Name = "Fix: Spoofed Address v6 [Kye-U]"
Active = FALSE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,</([a-z]+)>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "<a href="http://local.ptron/killed.html">[IE Address Bar Exploit Removed]</a>"


With Alert
Code:
[Patterns]
Name = "Fix: Spoofed Address v6 [Kye-U]"
Active = FALSE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,</([a-z]+)>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "<a href="http://local.ptron/killed.html">[IE Address Bar Exploit Removed]</a>"
          "$ALERT(Internet Explorer URL Spoofing Vulnerability Detected and Removed on:\n\n\u)"


Test Pages:

http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/
Back to top
View users profile Send private message
ZapTheDingbat

Guest






PostPosted: Wed Feb 04, 2004 8:08 am    Post subject: Official Patch Realeased
Reply with quote

Microsoft Realease an official patch
http://go.microsoft.com/?LinkID=396029
Back to top
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Proxo Filters All times are GMT - 5 Hours
Page 1 of 1

 
 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops