COMMAND

    IE

SYSTEMS AFFECTED

    IE

PROBLEM

    Perkere Stinker found the following.  It's trivial to trick a user
    into accepting a bookmark for a popular site, uh, let's say
    www.hotmail.com .. or placing it yourself.  Users won't be able to
    access www.hotmail.com by typing the URL in the address bar;
    they'll get redirected to whatever the bookmark points to.

    This could easily be used for putting up 'fake pages' on publicly
    accessible computers, like at libraries, schools etc., where pages
    like hotmail/google/msn are often accessed.  That could give you a
    lot of nice usernames/passwords.  And a lot of crap.

    It's a fairly feasible concept.

        1) attacker  places javascript  on a  public website  to add a
           bookmark  for  www.onlinebankx.com   (and  possibly   other
           commonly  visited  sites  where  a  username and a password
           might be needed) which is actually www.attackersite.com.
        2) attacker sets up a mirror of www.onlinebankx.com on
           www.attackersite.com.
        3) attacker then sets up some method to draw people to visit
           the public website (free porn, for example).
        4) victim visits public website, gets several bookmarks added.
        5) if  the attacker  is lucky,  the victim  eventually goes to
           visit one of those bookmarks which pulls up the fake site.
        6) victim   enters   their    username   and   password    for
           www.onlinebankx.com at which time the attacker records such
           information as entered.
        7) an  error  page  is  then  displayed  and  victim  is  then
           forwarded on to the real site, unaware that their  username
           and password have been obtained by the attacker.

    Combine step 1 with placing malicious javascript on vulnerable
    ida IIS sites, and a worm to deliver such a package, and the
    number of possibilities for this scenario to work gets higher.
    The only two dependent variables are: whether joe user running IE
    visits a bookmark-affecting site and whether joe user will go to a
    possibly redirected website.

    Examples:
    1) searched and replaced bookmark for yahoo.com or google.com.
       They are replaced with commands such as rdisk or perhaps
       something else with user-level priv instead.  The next time
       the user wishes to search, they are confused and hacked
       (cracked.. whatever).  This is not a socially engineered
       exploit, it's a logical one.

    2) links in email or web content which say one thing such as  "you
       have a new greeting  card at www.sweethearts.com", which  point
       to a  malicious site  instead (Favorites  change has occurred),
       which  the  attacker  has  crafted  to  error  out (yet running
       malicious script quietly in  the background) then redirects  to
       the real site.  This is YOUR combo of social/logical.

    3) and just to bring up my favorite subject again, add Raw  Socket
       priv's for all users to  this equation...you do the math.   The
       possibilities then become endless!

    Another thing was pointed out by Kyle L.  He was playing with
    Favorites and added a favorite with the name of
    'www.dsakfjhasdfj.com' and set it to point to the address
    'c:\command.com'.  Don't include the '' characters.

    He then typed in 'www.dsakfjhasdfj.com' in the address bar and it
    loaded up the MS-DOS command prompt window.  You can write a
    javascript to add a Favorite or edit the Startpage in Internet
    Explorer.  A window usually pops up asking if you want to add it
    as a Favorite or Startpage, but if the security settings are low,
    it would automatically do it without asking.  You could make the
    favorite point to files on the local system and have them
    executed.

SOLUTION

    Opera and Netscape both do not direct themselves to a
    bookmark-title location.  Also, Netscape and Opera do not support
    the remote-bookmark placing 'feature'.
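
    On IE machines, planted entries of the two kinds described under
    PROBLEM can be found by auditing the Favorites folder.  The Python
    sketch below is an added example, not part of the original
    advisory; it assumes favorites are stored as .url files with an
    [InternetShortcut] section and a URL= line, and its sample entries
    are constructed from the advisory's placeholder names.

```python
import re
from urllib.parse import urlsplit

# A favorite title that could also be typed into the address bar as a host.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def audit_favorite(filename, text):
    """Return a finding for a hostname-titled favorite that leads elsewhere."""
    title = re.sub(r"\.url$", "", filename.strip().lower())
    if not HOSTNAME_RE.match(title):
        return None  # descriptive title, not something typed as an address
    target = shortcut_target(text)
    if target is None:
        return "no URL entry"
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return "non-web target: " + target  # local file or other scheme
    host = (parts.hostname or "").lower()
    if title not in (host, "www." + host) and host != "www." + title:
        return "title/host mismatch: " + host
    return None

# Constructed sample Favorites entries (file name -> .url file content).
SAMPLE = {
    "www.onlinebankx.com.url": "[InternetShortcut]\nURL=http://www.attackersite.com/\n",
    "www.dsakfjhasdfj.com.url": "[InternetShortcut]\nURL=c:\\command.com\n",
    "www.hotmail.com.url": "[InternetShortcut]\nURL=http://www.hotmail.com/inbox\n",
    "Daily news.url": "[InternetShortcut]\nURL=http://news.example/\n",
}

def audit_all(entries):
    """Map file name -> finding for every suspicious favorite."""
    found = {name: audit_favorite(name, body) for name, body in entries.items()}
    return {name: why for name, why in found.items() if why}

if __name__ == "__main__":
    for name, why in audit_all(SAMPLE).items():
        print(name, "->", why)
```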

    Anyway, why use a browser anyway ;)