Re: [Full-disclosure] Phishing using IE7 local resource vulnerability

2007-03-15 Thread avivra
Hi Robert,

Protected Mode and UAC are different security features.
But even so, it is possible to access local resource (res://) links
with the Protected Mode and UAC features enabled. You can test it yourself here:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
video here: http://raffon.net/videos/ie7navcancl.wmv.
The only way to mitigate this vulnerability with an out-of-the-box security
feature is to set the security level of the Internet Zone to High. This
will disable javascript: links, so the user will not be able to click the
"Refresh the page." link in the navcancl.htm local resource page.
But I doubt anyone will do that when they can simply just avoid clicking
any link in the Navigation Canceled page.

--Aviv.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 15, 2007 5:13 PM
To: bugtraq@securityfocus.com
Subject: Re: Phishing using IE7 local resource vulnerability

This appears to be mitigated in Vista by Protected Mode, which is on by
default, and denies access to local resources. If people decide to disable
UAC, they must accept the potential risks that come with it, such as this
XSS attack. I appreciate that this is a valid risk for XP.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Phishing using IE7 local resource vulnerability

2007-03-15 Thread avivra
Indeed. This should work, as the Restricted Sites zone is at the High security
level by default.
To correct myself, I meant that this was the only way _I can think of_ to
mitigate this vulnerability using an out-of-the-box security feature.

--Aviv.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matthew Murphy
Sent: Thursday, March 15, 2007 11:46 PM
To: avivra
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Phishing using IE7 local resource
vulnerability

On 3/15/07, avivra [EMAIL PROTECTED] wrote:
> Hi Robert,
>
> Protected Mode and UAC are different security features.
> But even so, it is possible to access local resource (res://) links
> with the Protected Mode and UAC features enabled. You can test it yourself here:
> http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
> video here: http://raffon.net/videos/ie7navcancl.wmv.
> The only way to mitigate this vulnerability with an out-of-the-box security
> feature is to set the security level of the Internet Zone to High. This
> will disable javascript: links, so the user will not be able to click the
> "Refresh the page." link in the navcancl.htm local resource page.
> But I doubt anyone will do that when they can simply just avoid clicking
> any link in the Navigation Canceled page.
>
> --Aviv.

On XP SP2 (and probably Vista), you can block the exploitation of this
by disabling script execution for the res:// scheme specifically.
Note that I didn't try blocking the specific resource involved in the
attack.

If you attempt to add res://* or res://ieframe.dll/navcancl.htm to
the Restricted Sites zone, this results in an entry for
about:internet being added.  After doing this, the "Refresh the
page" text is no longer a clickable link.  Removing the
about:internet entry reverses the change.  It seems that making this
change blocks scripts in ANY resource, even without the wildcard.



Re: [Full-disclosure] Phishing using IE7 local resource vulnerability

2007-03-15 Thread Matthew Murphy
On 3/15/07, avivra [EMAIL PROTECTED] wrote:
> Hi Robert,
>
> Protected Mode and UAC are different security features.
> But even so, it is possible to access local resource (res://) links
> with the Protected Mode and UAC features enabled. You can test it yourself here:
> http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
> video here: http://raffon.net/videos/ie7navcancl.wmv.
> The only way to mitigate this vulnerability with an out-of-the-box security
> feature is to set the security level of the Internet Zone to High. This
> will disable javascript: links, so the user will not be able to click the
> "Refresh the page." link in the navcancl.htm local resource page.
> But I doubt anyone will do that when they can simply just avoid clicking
> any link in the Navigation Canceled page.
>
> --Aviv.

On XP SP2 (and probably Vista), you can block the exploitation of this
by disabling script execution for the res:// scheme specifically.
Note that I didn't try blocking the specific resource involved in the
attack.

If you attempt to add res://* or res://ieframe.dll/navcancl.htm to
the Restricted Sites zone, this results in an entry for
about:internet being added.  After doing this, the "Refresh the
page" text is no longer a clickable link.  Removing the
about:internet entry reverses the change.  It seems that making this
change blocks scripts in ANY resource, even without the wildcard.



[Full-disclosure] Phishing using IE7 local resource vulnerability

2007-03-14 Thread avivra
Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its
local resources. In combination with a design flaw in this specific local
resource it is possible for an attacker to easily conduct phishing attacks
against IE7 users.

Affected versions
- Windows Vista - Internet Explorer 7.0
- Windows XP - Internet Explorer 7.0

Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the Navigation
Canceled page!

Technical Details and Proof-of-Concept
Can be found here:
http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx

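One defensive use of the identifiers in this advisory, as an added example that is not part of the original thread or of Aviv's research: a small Python scanner for web content (proxy captures, mail HTML, fetched pages) that flags any navigation into IE's res:// local resource handler, rating references to ieframe.dll/navcancl.htm, the resource named above, highest. The sample markup and the resource name "other.htm" are constructed.

```python
import re

# Match res:// URIs wherever they appear in markup or inline script.
RES_URI = re.compile(r"""res://[^\s"'<>)]+""", re.IGNORECASE)

# The local resource the advisory names as the phishing vector. Any other
# res:// target is still reported at lower severity: a remote web page has
# no legitimate reason to navigate a user into IE's resource DLLs.
NAVCANCL = "ieframe.dll/navcancl.htm"

# Constructed sample markup (not taken from the advisory or the demo page):
# one ordinary link, one link into navcancl.htm, one framed resource and
# one script-driven navigation. "other.htm" is a placeholder name.
SAMPLE_HTML = """
<a href="http://www.example.com/news">News</a>
<a href="res://ieframe.dll/navcancl.htm">Try again</a>
<iframe src="RES://ieframe.dll/other.htm"></iframe>
<script>window.location = 'res://ieframe.dll/other.htm';</script>
"""


def classify_res_uri(uri):
    """Split one res:// URI into (dll, resource, severity)."""
    body = uri[len("res://"):]
    # Drop any fragment or query before comparing the resource path.
    path = re.split(r"[#?]", body, maxsplit=1)[0]
    dll, _, resource = path.partition("/")
    dll, resource = dll.lower(), resource.lower()
    severity = "high" if f"{dll}/{resource}" == NAVCANCL else "medium"
    return dll, resource, severity


def scan_html(html):
    """Return one finding per res:// reference found in the page content."""
    findings = []
    for match in RES_URI.finditer(html):
        dll, resource, severity = classify_res_uri(match.group(0))
        findings.append({"uri": match.group(0), "dll": dll,
                         "resource": resource, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["severity"], finding["uri"])
```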


Re: [Full-disclosure] Phishing using IE7 local resource vulnerability

2007-03-14 Thread pdp (architect)
quite cool, good work

On 3/14/07, avivra [EMAIL PROTECTED] wrote:
> Summary
> Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its
> local resources. In combination with a design flaw in this specific local
> resource it is possible for an attacker to easily conduct phishing attacks
> against IE7 users.
>
> Affected versions
> - Windows Vista - Internet Explorer 7.0
> - Windows XP - Internet Explorer 7.0
>
> Workaround / Suggestion
> Until Microsoft fixes this vulnerability, do not trust the Navigation
> Canceled page!
>
> Technical Details and Proof-of-Concept
> Can be found here:
> http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
