IE URL vulnerability exploits have begun

Chris Yuzik chris at FRACTALWEB.COM
Sun Jan 11 23:39:15 GMT 2004


Hi Everyone,

I was looking through the MailWatch reports and noticed a couple of very
high-scoring spam messages...well over 100. Upon closer inspection, the emails
had triggered the custom rule many of us added that severely punishes
any message that attempts to obscure the "real" URL by exploiting (yet
another) gaping hole in Internet Explorer.

This email comes in "allegedly" from the Bank of America asking the user
to verify their account information. Yeah...ok. Here's the href part of
the anchor tag:
www.bankofamerica.com
(line breaks added by me)
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01@%32%31%31%2E%32%33%2E%36%35%2E%38%34:%38%30/%77%77
%77/%62%6F%61/%73%74%61%74%65%5F%63%67%69%2E%70%68%70

Decoded, the above URL seems to be (assuming my hex to dec to ASCII
conversion is correct): "211.23.65.84:80/www/boa/srare_cgi.pnp"

I've looked up the IP at samspade.org and it's owned by:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

I tried to visit the site but perhaps it's already been shut down...or
perhaps it's too busy to handle my request.

If you haven't already done so, I strongly suggest everyone get medieval
on this exploit and kill it before it arrives in your users' inboxes.
This time it was Bank of America. Next it will be Visa, Mastercard,
Amex, or who knows.

I have the following rule in spam.assassin.prefs.conf:
uri     IE_VULN         /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
score   IE_VULN         100.0
describe        IE_VULN Internet Explorer vulnerability
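As an added example (not part of the original post or the MailScanner
project), here is a Python port of the IE_VULN rule above together with a
small parser that splits a link into the host the victim is shown (the RFC
userinfo before the "@") and the host the browser actually connects to. The
sample href is rebuilt from the one quoted earlier in the post; the "http://"
scheme is assumed, since the mail shows none, and the 88 "%01" bytes match the
original. The suspicious_userinfo() check goes beyond the rule: it flags any
http(s) link whose userinfo looks like a hostname, whether or not control
bytes are used to hide it.

```python
import re
from urllib.parse import unquote

# Port of the SpamAssassin 'uri' rule from the post:
#   uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
# Fires when a percent-encoded control byte (%00-%1f or %7f) appears
# somewhere before an '@' in an http(s) URL.
IE_VULN = re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.IGNORECASE)

# Constructed from the href quoted in the post. The scheme is an assumption
# (the mail shows none); the 88 x %01 run and the encoded tail are verbatim.
SAMPLE_HREF = (
    "http://www.bankofamerica.com"
    + "%01" * 88
    + "@%32%31%31%2E%32%33%2E%36%35%2E%38%34:%38%30"
    + "/%77%77%77/%62%6F%61/%73%74%61%74%65%5F%63%67%69%2E%70%68%70"
)

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def matches_ie_vuln(url: str) -> bool:
    """True if the URL trips the IE_VULN rule as written in the post."""
    return IE_VULN.search(url) is not None


def real_destination(url: str) -> dict:
    """Split an absolute http(s) URL into shown host vs. real host.

    Everything before the last '@' of the authority is userinfo; a browser
    that honours userinfo connects to the host after the '@'. The split is
    done on the raw (still percent-encoded) text, so an encoded '@' or '/'
    cannot move the cut; decoding happens afterwards.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % url)
    authority, slash, path = rest.partition("/")
    userinfo, _at, hostport = authority.rpartition("@")
    host, _colon, port = unquote(hostport).partition(":")
    default_port = 443 if scheme.lower() == "https" else 80
    return {
        # the bait text, with the hidden control bytes stripped out
        "displayed_host": CONTROL_CHARS.sub("", unquote(userinfo)),
        "real_host": host,
        "port": int(port) if port else default_port,
        "path": "/" + unquote(path) if slash else "/",
    }


def suspicious_userinfo(url: str) -> bool:
    """Broader than the rule: flag any http(s) link whose userinfo contains a
    dot, i.e. looks like a hostname rather than a username."""
    if not url.lower().startswith(("http://", "https://")):
        return False
    return "." in real_destination(url)["displayed_host"]


if __name__ == "__main__":
    print("IE_VULN match:", matches_ie_vuln(SAMPLE_HREF))
    for key, value in real_destination(SAMPLE_HREF).items():
        print("%-15s %s" % (key, value))
```

The decoded path comes out as "/www/boa/state_cgi.php" when the bytes are run
through unquote(); doing the decode in code rather than by hand is the point of
the helper. In a MailScanner/SpamAssassin deployment the regex is all that is
needed, but the parser is handy when triaging a flagged message, since it tells
you which host to report without having to decode the hex yourself.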

I can't help but ask myself why Microsoft refuses to fix this
vulnerability. Mozilla doesn't suffer from it and Konqueror doesn't
either (long live open source). It's not like it was just discovered
yesterday. Does anyone have a good conspiracy theory?

Cheers,
Chris


