Wednesday, July 14, 2004

Flaw in Digital Certificates.

Good morning, folks!!
This post goes out to those who always believe that a site's digital certificate is always secure. Give it a read; the exploit is in the explanation too!!

#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: Certificate Stealing (Phishing)
Risk: Medium
Exploitation: Remote with browser
Date: 30 Apr 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
ID: securityfocus.com/bid/10248/
#########################################


=======
Product
=======
A popular Web browser, created by Microsoft,
used to view pages on the World Wide Web.

===
Bug
===

Internet Explorer enables someone to use an
SSL certificate in a website which belongs to
someone else, using a combination of Refresh and
OnUnload on the BODY tag. This bug can be used in
phishing scams.



Let's say that we want to use example.com's
certificate.


We point to that website with the REFRESH meta tag.

<meta http-equiv="REFRESH"
content="0;url=https://www.example.com/">

Then inside our BODY tag we use onUnload to inform
the web browser what to do when it unloads that
webpage (using the window.location method).

<BODY onUnload='window.location=""'>

The result of that will be that
the browser will ask us if we want to use the
certificate of example.com (if we trust that party
we will say yes). Then the contents of the protected
webpage will be downloaded to our website using our
domain name.

We have something like this in the URL field of IE:
Address : http://www.ourdomainname/FakeSSL.html
then we have the contents of the index page of
example.com in the browsing area and the SSL lock
(right corner).

*Remember that we are in the fake website all that
time.


If inside the index page links and forms use relative
pointers to directories or files
(e.g. images/ or form/submit.php) we can use the trust
of the visitor and steal information.
(e.g. via submit forms).

NOTE: the lock in the right corner doesn't work. If you
click it, it says "this type of document does not have
security certificate", which means that this lock shouldn't
be there. In case a visitor checks the
certificate only in the popup window at the beginning
of the session and, after loading the webpage, does not
check the validity using the right corner lock, then
we fake the certificate.

=====================
Proof Of Concept Code
=====================

<html>
<head>
<title>Your Page Title</title>
<meta http-equiv="REFRESH"
content="0;url=https://www.example.com/">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html;">

</HEAD>
<BODY onUnload='window.location=""'>

</BODY>
</HTML>

====
FIX
====
Do not use relative directories; instead use the
real path or URL.

Refresh access to the root directory


More information: http://www.cipher.org.uk/
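
The FIX section's advice to replace relative references with full URLs can be checked mechanically. The following is an added example, not part of the advisory or of the original post: it lists the relative links, form actions and resource references in a page together with the absolute URL each one should become. The canonical base URL, the sample page and all function names are assumptions.

```python
# Added example (not from the advisory): audit a page for relative URL
# references and show the absolute form the advisory's FIX recommends.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a URL the browser resolves against the document base.
URL_ATTRS = {"a": "href", "form": "action", "img": "src", "script": "src",
             "link": "href", "iframe": "src"}


class RelativeRefAuditor(HTMLParser):
    """Collects (tag, attribute, value, line) for every relative reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            # Skip other attributes, valueless ones and same-document anchors.
            if name != wanted or value is None or value.startswith("#"):
                continue
            parts = urlsplit(value.strip())
            # No scheme and no host means the base URL decides the target.
            if not parts.scheme and not parts.netloc:
                self.findings.append((tag, name, value, self.getpos()[0]))


def audit(html, canonical_base):
    """Return findings with the absolute URL each one should be rewritten to."""
    auditor = RelativeRefAuditor()
    auditor.feed(html)
    return [(tag, attr, value, line, urljoin(canonical_base, value))
            for tag, attr, value, line in auditor.findings]


# Constructed sample page; the URLs and paths are placeholders.
SAMPLE = """<html><body>
<img src="images/logo.gif">
<form action="form/submit.php" method="post"><input name="user"></form>
<a href="https://www.example.com/help">Help</a>
<a href="#top">Top</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value, line, fixed in audit(SAMPLE, "https://www.example.com/"):
        print(f"line {line}: <{tag} {attr}={value!r}> -> {fixed}")
```
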
