COMMAND
IE
SYSTEMS AFFECTED
IE
PROBLEM
Perkere Stinker found the following. It's trivial to trick a user
into accepting a bookmark for a popular site, uh, let's say
www.hotmail.com .. or to place it yourself. Users won't be able to
access www.hotmail.com by typing the URL in the address bar;
they'll get redirected to whatever the bookmark points to.

This could easily be used for putting up 'fake pages' on publicly
accessible computers, like those at libraries, schools etc., where
pages like hotmail/google/msn are often accessed. That could give
you a lot of nice usernames/passwords. And a lot of crap.

It's a fairly feasible concept.
1) attacker places javascript on a public website to add a
bookmark for www.onlinebankx.com (and possibly other
commonly visited sites where a username and a password
might be needed) which is actually www.attackersite.com.
2) attacker sets up a mirror of www.onlinebankx.com on
www.attackersite.com.
3) attacker then sets up some method to draw people to visit
the public website (free porn, for example).
4) victim visits public website, gets several bookmarks added.
5) if the attacker is lucky, the victim eventually goes to
visit one of those bookmarks which pulls up the fake site.
6) victim enters their username and password for
www.onlinebankx.com at which time the attacker records such
information as entered.
7) an error page is then displayed and victim is then
forwarded on to the real site, unaware that their username
and password have been obtained by the attacker.
Combine step 1 with placing malicious javascript on vulnerable
ida IIS sites, and a worm to deliver such a package, and the
number of possibilities for this scenario to work gets higher.
The only two dependent variables are: whether joe user running IE
visits a bookmark-affecting site and whether joe user will go to a
possibly redirected website.
Examples:
1) searched and replaced bookmark for yahoo.com or google.com.
They are replaced with commands such as rdisk or perhaps
something else with user-level priv instead. The next time
the user wishes to search, they are confused and hacked
(cracked.. whatever). This is not a socially engineered
exploit, it's a logical one.
2) links in email or web content which say one thing such as "you
have a new greeting card at www.sweethearts.com", which point
to a malicious site instead (Favorites change has occurred),
which the attacker has crafted to error out (yet running
malicious script quietly in the background) then redirects to
the real site. This is YOUR combo of social/logical.
3) and just to bring up my favorite subject again, add Raw Socket
privs for all users to this equation...you do the math. The
possibilities then become endless!
Another thing was pointed out by Kyle L. He was playing with
Favorites and added a favorite with the name of
'www.dsakfjhasdfj.com' and set it to point to the address
'c:\command.com' (don't include the '' characters).
He then typed 'www.dsakfjhasdfj.com' in the address bar and it
loaded up the MS-DOS command prompt window. You can write
JavaScript to add a Favorite or edit the start page in Internet
Explorer. A window usually pops up asking if you want to add it
as a Favorite or start page, but if the security settings are low,
it would automatically do it without asking. You could make the
favorite point to files on the local system and have them
executed.
SOLUTION
Opera and Netscape both do not direct themselves to a
bookmark-title location. Also, Netscape and Opera do not support
the remote bookmark-placing 'feature'.
Anyway, why use a browser anyway ;)
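
As an added example (not part of the original advisory), this audits a Favorites folder for entries whose title looks like a hostname but whose target is a different host or a local file. It assumes favorites are stored as .url files with a URL= line under [InternetShortcut]; the function names and the sample entries are made up for illustration.

```python
import configparser, os, re, tempfile
from urllib.parse import urlparse

# A favorite's title is its file name minus ".url"; only hostname-like titles are checked.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def read_target(path):
    """Return the URL= value from the [InternetShortcut] section of a .url file."""
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read(path, encoding="utf-8")
        return cp.get("InternetShortcut", "URL", fallback=None)
    except (configparser.Error, UnicodeDecodeError):
        return None

def classify(title, target):
    """Return a finding for a hostname-like title whose target is elsewhere, else None."""
    if not HOSTLIKE.match(title) or not target:
        return None
    parsed = urlparse(target)
    if parsed.scheme.lower() not in ("http", "https"):
        return "not an http(s) URL"  # e.g. a local file path
    bare = lambda h: re.sub(r"^www\.", "", h.lower())
    return None if bare(parsed.hostname or "") == bare(title) else "host mismatch"

def audit_favorites(root):
    """Walk a Favorites folder; return (title, target, reason) for suspicious entries."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(".url")):
            target = read_target(os.path.join(dirpath, name))
            reason = classify(name[:-4], target)
            if reason:
                findings.append((name[:-4], target, reason))
    return findings

def demo():
    # Constructed sample favorites, using the names that appear in the advisory.
    sample = {"www.onlinebankx.com": "http://www.attackersite.com/",
              "www.dsakfjhasdfj.com": "c:\\command.com",
              "www.example.com": "http://www.example.com/news"}  # benign entry
    with tempfile.TemporaryDirectory() as root:
        for title, url in sample.items():
            with open(os.path.join(root, title + ".url"), "w") as fh:
                fh.write("[InternetShortcut]\nURL=" + url + "\n")
        return audit_favorites(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point audit_favorites() at a user's real Favorites directory to review the entries it reports; a mismatch is a lead to check by hand, since some sites legitimately redirect to another domain.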