Spoofed URLs w/ Obfuscation and Preference Hijacking


URL obfuscation has been around for a while. In a nutshell, it is simply a matter of writing each IP octet in hex, concatenating the four bytes, and expressing the result as a single decimal number (a so-called dotless IP).

The result is a URL similar to: http://1249717651/

As you can see, there is no real way to know whether you're on the official Google web page or whether the site you are at is an attack site waiting for you to do something.

Google Dotless URL

All your URL are belong to us

You can easily place an arbitrary website address as the username in front of the dotless IP, which would really confuse the user. In this example, I will show you how to forge the www.bing.com URL but really direct the user to Google.com:

See hyperlink: http://www.bing.com:\@1249717651
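As an added example (not part of the original post), here is a Python checker that undoes both tricks shown above: it decodes a dotless host back to a dotted quad and flags any user-info sitting in front of the `@`. It goes slightly beyond the post by also handling the hex and octal spellings browsers accept; the sample links are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample links: the dotless Google address from the post, the bing.com
# spoof hiding the real host behind '@', a hex spelling, and an ordinary link.
SAMPLE_LINKS = [
    "http://1249717651/",
    "http://www.bing.com:\\@1249717651",
    "http://0x4a7d2d93/index.html",
    "https://www.example.com/login",
]

def decode_dotless_host(host):
    """Dotted-quad form of a decimal, hex (0x..) or octal (0..) dotless IPv4
    host, or None when the host is a normal name or already dotted."""
    if re.fullmatch(r"0x[0-9a-f]{1,8}", host, re.IGNORECASE):
        value = int(host, 16)
    elif re.fullmatch(r"0[0-7]{1,11}", host):
        value = int(host, 8)
    elif re.fullmatch(r"[0-9]{1,10}", host):
        value = int(host, 10)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None  # does not fit in 32 bits, so not a valid IPv4 host
    return str(ipaddress.IPv4Address(value))

def inspect_link(url):
    """Describe what a victim reads versus where the link really goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real_ip = decode_dotless_host(host)
    has_userinfo = parts.username is not None
    return {
        "url": url,
        "displayed_as": parts.username,  # the part that reads like a site name
        "real_host": real_ip or host,
        "userinfo_present": has_userinfo,
        "dotless_host": real_ip is not None,
        "suspicious": has_userinfo or real_ip is not None,
    }

def audit_links(urls=SAMPLE_LINKS):
    """Return only the links that use either trick."""
    return [r for r in map(inspect_link, urls) if r["suspicious"]]

if __name__ == "__main__":
    for f in audit_links():
        print(f["url"], "shows", f["displayed_as"], "but goes to", f["real_host"])
```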

Browser inSecurity

OK, so now that you understand how simple URL obfuscation is: what security do browsers implement to prevent us from accidentally clicking on a malicious link?

With FireFox 3.6

Because the spoofed URL is actually a username that is being concatenated with the dotless IP, Firefox checks whether the site requires authentication. The default installation prompts the user with an alert letting them know the link is suspicious, because the requested server does not require authentication yet the link contained a login.

Firefox Prompt

With IE7/8, in-line authentication (credentials embedded in the URL) is turned off completely.

Hacking the Gibson

OK, so we understand there is a potential hazard with spoofed URLs, and we also see that browsers attempt to protect us by either prompting us with a message or disabling the feature altogether. But just how secure is that? How easy would it be for a trojan to re-enable those features in our favourite browser for future contamination of URLs?

IE7/8 Instability

Since Microsoft loves to store settings in the registry for just about everything, I am sure you won't be surprised to learn that adding two simple entries to the registry re-enables this "feature".

All you have to do is create two new DWORD entries (iexplore.exe and explorer.exe) with the value 0 under the sub-key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

How Firefox flops

Of course, Firefox is going to be a little bit more tricky because it doesn't store its preferences in the registry. The little warning message can be completely disabled by simply setting a custom preference within Firefox, reached by typing about:config in the address bar, but that won't work for our circumstance.

The problem is that an attacker who has already infiltrated a machine can overwrite these browser profile settings by injecting a custom setting into prefs.js, the preferences file Firefox loads during initialization.

user_pref("network.http.phishy-userpass-length",100);

With a simple one-line batch script, this feature can be enabled, leaving future links prone to spoofing.

  • Windows XP
    FOR /R "C:\Documents and Settings" %%G IN (prefs.js) DO echo user_pref("network.http.phishy-userpass-length",100); >> %%G
  • Vista/7
    FOR /R "C:\USERS" %%G IN (prefs.js) DO echo user_pref("network.http.phishy-userpass-length",100); >> %%G
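The two hijacks just described (the IE FeatureControl DWORDs and the appended prefs.js line) can be audited from the defender's side. This is an added Python example, not the post's own Dotless utility; it assumes Firefox's stock value for the preference is 1, and the prefs.js content is constructed to look like what the batch one-liner leaves behind.

```python
import re

# Firefox's stock value for this preference is 1; the post's hijack sets it to
# 100 so user-info such as "www.bing.com" no longer triggers the prompt.
PHISHY_PREF = "network.http.phishy-userpass-length"
# IE FeatureControl sub-key from the post; a DWORD 0 here re-enables URL logins.
IE_SUBKEY = (r"Software\Microsoft\Internet Explorer\Main\FeatureControl"
             r"\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE")
IE_VALUES = ("iexplore.exe", "explorer.exe")
# Constructed prefs.js content: an ordinary file with the hijack line appended,
# which is what the batch one-liner in the post leaves behind.
SAMPLE_PREFS = """user_pref("browser.startup.homepage", "about:home");
user_pref("network.http.phishy-userpass-length", 1);
user_pref("network.http.phishy-userpass-length",100);
"""
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)"\s*,\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> raw value; the last line wins, so an appended entry wins."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def phishy_findings(text):
    """Findings for one prefs.js text; an empty list means the setting is safe."""
    raw = parse_prefs(text).get(PHISHY_PREF)
    if raw is None:
        return []
    if not raw.isdigit() or int(raw) > 1:
        return [f"{PHISHY_PREF}={raw}: suspicious-login prompt effectively disabled"]
    return []

def ie_userpass_reenabled():
    """Windows only: FeatureControl names whose DWORD is 0 (URL logins re-enabled)."""
    import winreg  # imported here so the prefs.js check also runs off-Windows
    hits = []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_SUBKEY)
    except OSError:
        return hits  # sub-key absent: the secure default applies
    with key:
        for name in IE_VALUES:
            try:
                if winreg.QueryValueEx(key, name)[0] == 0:
                    hits.append(name)
            except OSError:
                pass  # no value for this process name
    return hits
```

Point `phishy_findings` at each `prefs.js` under the Firefox profile folder to scan real profiles; `ie_userpass_reenabled` needs to run on the Windows host itself.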

And then there was Chrome

As frightening as this might sound, Chrome did not protect the user from this at all. Google is usually on top of things, but I guess with Chrome still being fairly immature in the browser arena, we can only hope things get better from here.

Leaving users with their pants down

Why do browsers make it so easy to re-enable this stuff? Firefox preferences should be kept in a controlled environment behind lock and key. Microsoft IE should at least prompt when a suspicious link is clicked. With the rise in crimeware trojans, harvesting bank credentials is going to get easier and easier for criminals.

Under normal circumstances we would notify the vendors to let them know about the vulnerability, but because this attack vector was addressed in previous years, the re-enabling of the functionality is more of a design flaw than a vulnerability.

What’s Next?

You should periodically check whether or not these settings are enabled. New-age trojans such as 'Koobface' are using these old-school tricks to mask their true locations (see Webroot).

I published a utility called 'Dotless' which will scan and fix your browser preferences. Check it out in the Utilities section.

Stay tuned as we peek into how this bug is easily exploited on mobile devices.

All Tags: browser, Chrome, Firefox, IE7/8, insecure preferences, Obfuscation, Proof of Concept, Security, URL spoof
