Internet Explorer URL Display problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Dec 10 20:50:51 GMT 2003


At 20:37 10/12/2003, you wrote:
>Julian Field wrote:
>
>>At 20:05 10/12/2003, you wrote:
>>
>>>Antony Stone wrote:
>>>
>>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>
>>>>>Off the top of my head, could you not do a simple SA rule like so:
>>>>>
>>>>>describe IE_VULN Body of email contains %01@ in a url
>>>>>uri IE_VULN /%01@/
>>>>>score IE_VULN 10.0
>>>>>
>>>>>Which would look for that pattern in a url.
>>>>
>>>>The above isn't specific to finding the pattern in a URL
>>>
>>>Agreed
>>>
>>>>- although admittedly
>>>>I can't think of a valid reason why you'd expect to see a %01
>>>>anywhere, URL
>>>>or not.
>>>>
>>>>Note by the way that the original notification referred to the %01 being
>>>>*after* the @ sign, not before it (before too many people go off and
>>>>concoct
>>>>various pattern matches for the wrong pattern!)
>>>Indeed, that's what I thought. But looking at the html source of the
>>>proof of concept, the following is used:
>>>
>>><button
>>>onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>>>
>>>style="font: 8pt verdana, sans-serif;">
>>>            Test Exploit
>>>        </button>
>>>
>>>Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>the @
>>
>>
>>Should
>>
>>uri IE_VULN /%01.*@/
>>score IE_VULN 10.0
>>describe IE_VULN Internet Explorer vulnerability
>>
>>work?
>
>consider a recipe...
>
>Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
>Bake @ 400 degrees.
>Send off to capture Mojo Jo Jo.
>
>I think it would match.

No it shouldn't.
That's why I made it a URI test and not just a body or rawbody test. From
the SA docs:
            The 'uri' in this case is a list of all the URIs in the body of the
            email, and the test will be run on each and every one of those
            URIs, adjusting the score if a match is found. Use this test
            instead of one of the body tests when you need to match a URI, as
            it is more accurately bound to the start/end points of the URI, and
            will also be faster.
And it needs to be a * and not a + as you don't need any text between %01
and @. I don't see the need to try to match a country code before the %01
either, what happens when they put in a space %20 or other unprintable (or
nearly invisible) character? I feel you are adding restrictions to the
test, which the hacker can easily work around.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
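As an added illustration of the point above (this is not code from the thread or from MailScanner/SpamAssassin itself): a small Python model of the difference between a SpamAssassin `body` test and a `uri` test for the `/%01.*@/` pattern. The URI extractor is a deliberate simplification of what SpamAssassin really does (it only pulls http/https strings out of the text, including the one inside the `unescape('...')` call of the proof of concept), and the whitespace collapsing in the body test is an approximation of how the rendered body is searched. The sample messages are constructed for the example; the exploit link is the one quoted in the thread.

```python
import re

# Assumption: a simplified stand-in for SpamAssassin's URI extraction.
# It grabs http/https strings terminated by whitespace, quotes or angle
# brackets, which is enough to pull the link out of an onclick=unescape('...').
URI_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Daniel Bird's original pattern (needs %01 immediately before the @) and
# Julian Field's widened pattern (anything, including nothing, between them).
NARROW = re.compile(r"%01@")
BROAD = re.compile(r"%01.*@")


def extract_uris(body):
    """Return every URI found in the message body (simplified extraction)."""
    return URI_RE.findall(body)


def uri_rule(body, pattern=BROAD):
    """Model of 'uri IE_VULN /%01.*@/': the pattern must match inside one URI.

    Each extracted URI is tested on its own, so text outside a URI can never
    contribute the %01 or the @ that the pattern needs.
    """
    return any(pattern.search(uri) for uri in extract_uris(body))


def body_rule(body, pattern=BROAD):
    """Model of 'body IE_VULN /%01.*@/': the pattern is run over the whole text.

    Assumption: line breaks are collapsed to spaces before matching, as an
    approximation of SpamAssassin's rendered body, so '.*' can span lines.
    """
    flattened = " ".join(body.split())
    return pattern.search(flattened) is not None


def score(body, rule=uri_rule):
    """Score 10.0 when the rule fires, as the quoted 'score IE_VULN 10.0' does."""
    return 10.0 if rule(body) else 0.0


# Constructed sample 1: the proof-of-concept button quoted in the thread.
EXPLOIT_BODY = """<button
onclick="location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm');"
style="font: 8pt verdana, sans-serif;">Test Exploit</button>"""

# Constructed sample 2: the recipe from the thread, which has a %01 and an @
# but no URI at all.
RECIPE_BODY = """Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
Bake @ 400 degrees.
Send off to capture Mojo Jo Jo."""

# Constructed sample 3: the workaround Julian Field anticipates, a %20 (or any
# other filler) pushed in between the %01 and the @.
SPACED_BODY = "Click http://www.microsoft.com%01%20@zapthedingbat.com/x.htm now"

# Constructed sample 4: an ordinary message with a link and an e-mail address.
BENIGN_BODY = "See http://www.example.com/ and write to user@example.com"


if __name__ == "__main__":
    for name, body in [("exploit", EXPLOIT_BODY), ("recipe", RECIPE_BODY),
                       ("spaced", SPACED_BODY), ("benign", BENIGN_BODY)]:
        print(f"{name:8} uri/broad={uri_rule(body)!s:5} uri/narrow={uri_rule(body, NARROW)!s:5} "
              f"body/broad={body_rule(body)!s:5} uris={extract_uris(body)}")
```

Running it shows the three behaviours the thread argues about: the recipe trips the `body` version of the rule but not the `uri` version, the exploit link trips both, and only the `.*` form catches the `%01%20@` variant, while the `%01@` form misses it.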