Internet Explorer URL Display problem

Ken Anderson ka at PACIFIC.NET
Wed Dec 10 20:59:13 GMT 2003


Julian Field wrote:

> At 20:37 10/12/2003, you wrote:
>
>> Julian Field wrote:
>>
>>> At 20:05 10/12/2003, you wrote:
>>>
>>>> Antony Stone wrote:
>>>>
>>>>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>>
>>>>>> Off the top of my head, could you not do a simple SA rule like so:
>>>>>>
>>>>>> describe IE_VULN Body of email contains %01@ in a url
>>>>>> uri IE_VULN / %01@/
>>>>>> score IE_VULN 10.0
>>>>>>
>>>>>> Which would look for that pattern in a url.
>>>>>
>>>>>
>>>>> The above isn't specific to finding the pattern in a URL
>>>>
>>>>
>>>> Agreed
>>>>
>>>>> - although admittedly
>>>>> I can't think of a valid reason why you'd expect to see a %01
>>>>> anywhere, URL or not.
>>>>>
>>>>> Note by the way that the original notification referred to the %01 being
>>>>> *after* the @ sign, not before it (before too many people go off and
>>>>> concoct various pattern matches for the wrong pattern!)
>>>>
>>>> Indeed, that's what I thought. But looking at the html source of the
>>>> proof of concept, the following is used:
>>>>
>>>> <button
>>>> onclick="location.href=unescape('http://www.microsoft.com*%01@*zapthedingbat.com/security/ex01/vun2.htm');"
>>>> style="font: 8pt verdana, sans-serif;">
>>>>            Test Exploit
>>>>        </button>
>>>>
>>>> Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>> the @
>>>
>>>
>>>
>>> Should
>>>
>>> uri IE_VULN /%01.*@/
>>> score IE_VULN 10.0
>>> describe IE_VULN Internet Explorer vulnerability
>>>
>>> work?
>>
>>
>> consider a recipe..
>>
>> Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
>> Bake @ 400 degrees.
>> Send off to capture Mojo Jo Jo.
>>
>> I think it would match.
>
>
> No it shouldn't.
> That's why I made it a URI test and not just a body or rawbody test. From
> the SA docs:
>            The 'uri' in this case is a list of all the URIs in the body of the
>            email, and the test will be run on each and every one of those
>            URIs, adjusting the score if a match is found. Use this test
>            instead of one of the body tests when you need to match a URI, as
>            it is more accurately bound to the start/end points of the URI, and
>            will also be faster.
> And it needs to be a * and not a + as you don't need any text between %01
> and @. I don't see the need to try to match a country code before the %01
> either; what happens when they put in a space %20 or other unprintable (or
> nearly invisible) character? I feel you are adding restrictions to the
> test, which the hacker can easily work around.


Good catch!
Thanks for the info about uri test.
Ken A.
Pacific.Net



> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
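As an added illustration of the uri-versus-body distinction Julian describes (example code written for this archive page, not from the thread, MailScanner or SpamAssassin): a Python stand-in that applies the thread's /%01.*@/ pattern to each extracted URI rather than to the whole text, so the "recipe" body does not fire, and, going beyond the thread, also flags any URI whose userinfo hides a percent-encoded control character or space (the %20 case Julian raises). The sample bodies, domains and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample bodies (not the thread's own messages).
POC_BODY = ('<button onclick="location.href=unescape('
            "'http://www.bank.example%01@phish.example/login.htm');\">"
            'Test</button>')
RECIPE_BODY = ("Add chemical X to a %01 solution of Sugar and Spice\n"
               "Bake @ 400 degrees.\n")
SPACE_BODY = 'See <a href="http://www.bank.example%20@phish.example/">here</a>'

# Crude stand-in for SpamAssassin's URI extraction: every http(s) token.
URI_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
# The thread's rule body: %01 followed (possibly immediately) by @.
IE_VULN_RE = re.compile(r"%01.*@")
# Generalisation: any percent-encoded byte 0x00-0x1F or 0x20 (space).
CTRL_RE = re.compile(r"%(?:[01][0-9a-f]|20)", re.I)


def extract_uris(body: str) -> list:
    """Return every http(s) URI found in the body text."""
    return URI_RE.findall(body)


def ie_vuln_uri_hits(body: str) -> list:
    """Mimics `uri IE_VULN /%01.*@/`: the pattern is tried per extracted URI."""
    return [u for u in extract_uris(body) if IE_VULN_RE.search(u)]


def ie_vuln_body_hit(body: str) -> bool:
    """The same pattern run over the whole text, as a naive body test would."""
    return IE_VULN_RE.search(body.replace("\n", " ")) is not None


def spoofed_userinfo_hits(body: str) -> list:
    """Flag URIs whose userinfo (text before @) hides a control char or space."""
    hits = []
    for u in extract_uris(body):
        netloc = urlsplit(u).netloc
        if "@" not in netloc:
            continue
        userinfo = netloc.rsplit("@", 1)[0]
        if CTRL_RE.search(userinfo):
            hits.append(u)
    return hits
```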