| View previous topic :: View next topic |
| Author |
Message |
Kye-U
Sergeant
Joined: Oct 18, 2003
Posts: 149
|
 Posted: Tue Dec 23, 2003 2:27 am Post subject: Internet Explorer Address Bar Spoofing Exploit Filter |
|
|
| Quote: |
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the uname and right before the "@" character in an URL. |
Author's Note: Version 5 will not produce any false matches, as it is more specific in what to detect as malicious coding.
Recommendation for hardcore IE Users: Use this filter with the Unofficial Patch for this Exploit (Version 2 has all bugs fixed): http://www.openwares.org/downloads/IEpatch.EXE
| Code: |
[Patterns]
Name = "Fix: Spoofed Address v5 [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "\0://\2"
"$ALERT(Internet Explorer URL Spoofing Vulnerability Detected and Modified)" |
Test Pages:
http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/
|
|
| Back to top |
|
 |
surfer
Trooper
Joined: Mar 31, 2003
Posts: 14
Location: Canada
|
| Posted: Tue Dec 23, 2003 8:16 pm Post subject: |
|
|
Tried out your filter and it works very well.  |
|
| Back to top |
|
|
Kye-U
Sergeant
Joined: Oct 18, 2003
Posts: 149
|
| Posted: Tue Dec 23, 2003 9:20 pm Post subject: |
|
|
Thank you surfer =)
I've spent many hours in total working on this filter. |
|
| Back to top |
|
|
k027
1st Responder
Joined: Aug 25, 2003
Posts: 1252
Location: USA
|
| Posted: Tue Dec 23, 2003 11:13 pm Post subject: |
|
|
| Thanx for the link to the updated patch. |
|
| Back to top |
|
|
Kye-U
Sergeant
Joined: Oct 18, 2003
Posts: 149
|
| Posted: Mon Dec 29, 2003 7:24 pm Post subject: |
|
|
Version 3.0 of Unoffical patch released.
Redirects to local page.
http://security.openwares.org/ |
|
| Back to top |
|
|
kbirger
Trooper
Joined: Jan 16, 2004
Posts: 18
Location: USA
|
| Posted: Fri Jan 16, 2004 7:46 pm Post subject: |
|
|
show me an example of one of these links so i can see how it works for me? |
|
| Back to top |
|
|
Kye-U
Sergeant
Joined: Oct 18, 2003
Posts: 149
|
| Posted: Fri Jan 16, 2004 10:34 pm Post subject: Re: Internet Explorer Address Bar Spoofing Exploit Filter |
|
|
| Kye-U wrote: |
Test Pages:
http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/ |
|
|
| Back to top |
|
|
kbirger
Guest
|
| Posted: Fri Jan 16, 2004 11:11 pm Post subject: |
|
|
wow, i feel stupid  |
|
| Back to top |
|
|
Kye-U
Sergeant
Joined: Oct 18, 2003
Posts: 149
|
| Posted: Wed Jan 28, 2004 1:11 pm Post subject: |
|
|
Here are the final versions of my IE Spoofing Filter(s| Pack) [Too much filter writing for me!]. I've decided that this Replacement method is much more safer and makes the spoofing/phishing attempt more noticable to the user.
I recommend using the Alert version!
| Code: |
[Patterns]
Name = "Fix: Spoofed Address v6 [Kye-U]"
Active = FALSE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,</([a-z]+)>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "<a href="http://local.ptron/killed.html">[IE Address Bar Exploit Removed]</a>" |
With Alert
| Code: |
[Patterns]
Name = "Fix: Spoofed Address v6 [Kye-U]"
Active = FALSE
URL = "(^$TYPE(css))"
Bounds = "$NEST(<(([a-z]+)|*=)\s,</([a-z]+)>)"
Limit = 512
Match = "\0://(\1.([a-z]+{2,4})|*.*/\1)(?%00|(((%|\&#)0(1|0))+{1,2}))[^/]++[@|%40]\2"
Replace = "<a href="http://local.ptron/killed.html">[IE Address Bar Exploit Removed]</a>"
"$ALERT(Internet Explorer URL Spoofing Vulnerability Detected and Removed on:\n\n\u)" |
Test Pages:
http://membres.lycos.fr/proxoforum/test.html
http://www.secunia.com/internet_explore...fing_test/
http://www.zapthedingbat.com/security/ex01/vun1.htm
http://security.openwares.org/
|
|
| Back to top |
|
|
ZapTheDingbat
Guest
|
| Posted: Wed Feb 04, 2004 8:08 am Post subject: Official Patch Realeased |
|
|
Microsoft Realease an official patch
http://go.microsoft.com/?LinkID=396029 |
|
| Back to top |
|
|
|
|
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
