RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]

To: <full-disclosure@xxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]
From: "Drew Copley" <dcopley@xxxxxxxx>
Date: Thu, 10 Jun 2004 16:39:49 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcRPQeXF1WUDvivfSOONXZn7C83wswAAFykQ
Thread-topic: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]



> Subject: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
> From:    "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
> Date:    Thu, June 10, 2004 12:35 pm
> To:      full-disclosure@xxxxxxxxxxxxxxxx
> --------------------------------------------------------------
> ------------
> 
> 
> 
> Thursday, June 10, 2004
> 
> The following was presented by 'bitlance winter' of Japan today:
> 
> <a href="http://www.microsoft.com%2F redir=www.e-
> gold.com">test</a>
> 
> Quite inexplicable from these quarters. Perhaps someone with
> server 'knowledge' can examine it.
> 
> It carries over the address into the address bar:
> 
> [screen shot: http://www.malware.com/gosh.png 72KB]
> 
> while redirecting to egold. The key being %2F without that it
> fails. The big question is where is the 'redir' and why is it
> only applicable [so far] to e-gold. Other sites don't work and e-
> gold is running an old Microsoft-IIS/4.0.


IE makes this into a connection with e-gold.com like so:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
1.1.4322; .NET CLR 1.0.3705)
Host: www.microsoft.com/ redir=www.e-gold.com
Connection: Keep-Alive

It never touches microsoft.com.

What is interesting, though, is IE spoofs the zone. If you change
www.microsoft.com
in there to a site in your trusted zone, you will see e-gold read as
your
trusted zone.

So, you should be able to bounce from any trusted zone and theoritically
from
local zone -- and with adodb still being open, you should be able to
run code because of the open adodb issue.

IE doesn't talk to e-gold first. It connects to it. It sends the GET
request,
it receives the first page. 

But, can't replicate with other servers. It requires some more research.


> 
> Working Example:
> 
> http://www.malware.com/golly.html
> 
> 
> credit: 'bitlance winter'
> 
> 
> End Call
> 
> -- 
> http://www.malware.com
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
>

Prev by Date: RE: Potential Security Flaw in Symantec Gateway Security 360R
Next by Date: FOUND: COELACANTH: Phreak Phishing Expedition
Previous by thread: [0xbadc0ded #04] smtp.proxy <= 1.1.3
Next by thread: FOUND: COELACANTH: Phreak Phishing Expedition
Index(es):
- Date
- Thread