Spoofing of url-adreslocator
Hi,
Many browsers like Netscape, Firefox, Konqueror can be spoofed at the url-adreslocator, see:
http://secunia.com/multiple_browsers_idn_spoofing_test/
On Mon, Feb 07, 2005 at 09:22:44PM +0100, Richard Farla wrote:
Hi,
Many browsers like Netscape, Firefox, Konqueror can be spoofed at the url-adreslocator, see:

Yes. We are working on this issue and release patches if we have them.

Ciao, Marcus
Marcus Meissner wrote:
On Mon, Feb 07, 2005 at 09:22:44PM +0100, Richard Farla wrote:
Many browsers like Netscape, Firefox, Konqueror can be spoofed at the url-adreslocator, see:
We are working on this issue and release patches if we have them.

Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
Marcus Meissner wrote:
On Mon, Feb 07, 2005 at 09:22:44PM +0100, Richard Farla wrote:
Many browsers like Netscape, Firefox, Konqueror can be spoofed at the url-adreslocator, see:
We are working on this issue and release patches if we have them.
Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable. --

It could be that your DNS is not resolving the fake www.paypаl.com (the letter before l is not "a") and not that mozilla is not vulnerable.

Here, www.paypаl.com resolves to 198.41.1.35, while real www.paypal.com resolves to 216.113.188.34 216.113.188.64 216.113.188.33 216.113.188.65 216.113.188.66 216.113.188.35

Cut and paste this string into a shell (do not retype it) and see what it returns:

dig www.paypаl.com

For comparison, I am getting this:

; <<>> DiG 9.2.4 <<>> www.paypаl.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.payp\208\176l.com. IN A

;; ANSWER SECTION:
www.payp\208\176l.com. 586 IN A 198.41.1.35

;; Query time: 2 msec
;; SERVER: 172.21.1.126#53(172.21.1.126)
;; WHEN: Mon Feb 7 16:51:15 2005
;; MSG SIZE rcvd: 49

-Kastus
Hello,
On Monday 07 February 2005 16:53, Kastus wrote:
On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
Marcus Meissner wrote:
...
It could be that your DNS is not resolving the fake www.paypаl.com (the letter before l is not "a") and not that mozilla is not vulnerable.
Here, www.paypаl.com resolves to 198.41.1.35, while real www.paypal.com resolves to 216.113.188.34 216.113.188.64 216.113.188.33 216.113.188.65 216.113.188.66 216.113.188.35
Cut and paste this string into a shell (do not retype it) and see what it returns:

Another technique is this (again, using copy-and-paste, not typed entry):

% echo "http://www.paypаl.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p 320
0000020 260   l   .   c   o   m   /  \n
0000030

Here the fact that the second 'a' in "paypal" is not what it might appear to be is quite obvious.

...
-Kastus
Randall Schulz
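
The manual checks shown with dig and od above can be automated. The following is an added example, not part of any post in this thread: it lists the non-ASCII code points in each label of a hostname, flags labels that mix scripts, and shows the ASCII form sent to DNS. `script_of` and `inspect_host` are names made up for this sketch, and the script guess (first word of the Unicode character name) is a heuristic assumption.

```python
import unicodedata

# Constructed samples: the thread's look-alike host, with the Cyrillic letter
# written as an escape so it cannot be mistaken for Latin "a".
SPOOFED = "www.payp\u0430l.com"
GENUINE = "www.paypal.com"


def script_of(ch):
    # Heuristic (assumption): the first word of the Unicode name is the script,
    # e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC".
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(host):
    """Return the DNS wire form and per-label findings for a hostname."""
    labels = []
    for label in host.split("."):
        scripts = sorted({script_of(c) for c in label if c.isalpha()})
        non_ascii = [(i, "U+%04X" % ord(c), unicodedata.name(c, "UNKNOWN"))
                     for i, c in enumerate(label) if ord(c) > 127]
        # A label written entirely in one non-Latin script is not "mixed";
        # it still shows up in non_ascii and in the xn-- form below.
        labels.append({"label": label, "scripts": scripts,
                       "mixed": len(scripts) > 1, "non_ascii": non_ascii})
    return {
        # Same bytes od -c prints in octal (dig prints them in decimal).
        "utf8_octal": [oct(b)[2:] for b in host.encode("utf-8") if b > 127],
        # Python's built-in IDNA codec gives the xn-- name actually looked up.
        "ace": host.encode("idna").decode("ascii"),
        "suspicious": any(entry["mixed"] for entry in labels),
        "labels": labels,
    }


if __name__ == "__main__":
    for h in (GENUINE, SPOOFED):
        r = inspect_host(h)
        print(h.encode("unicode_escape").decode(), "->", r["ace"],
              "SUSPICIOUS" if r["suspicious"] else "ok")
        for entry in r["labels"]:
            for pos, cp, name in entry["non_ascii"]:
                print("   label %r pos %d: %s %s" % (entry["label"], pos, cp, name))
```
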
Kastus wrote:
On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable. --
It could be that your DNS is not resolving the fake www.paypаl.com (the letter before l is not "a") and not that mozilla is not vulnerable.
Here, www.paypаl.com resolves to 198.41.1.35, while real www.paypal.com resolves to 216.113.188.34 216.113.188.64 216.113.188.33 216.113.188.65 216.113.188.66 216.113.188.35
Cut and paste this string into a shell (do not retype it) and see what it returns:
dig www.paypаl.com
For comparison, I am getting this:
; <<>> DiG 9.2.4 <<>> www.paypаl.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.payp\208\176l.com. IN A
;; ANSWER SECTION:
www.payp\208\176l.com. 586 IN A 198.41.1.35
;; Query time: 2 msec
;; SERVER: 172.21.1.126#53(172.21.1.126)
;; WHEN: Mon Feb 7 16:51:15 2005
;; MSG SIZE rcvd: 49
-Kastus

Well, I think that it definitely wasn't my DNS, as the following will show (first was typed in, 2nd (after rereading your post) is the copy/pasted one).

joe@jmorris64:~> dig www.paypal.com

; <<>> DiG 9.3.0 <<>> www.paypal.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7305
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.paypal.com. IN A

;; ANSWER SECTION:
www.paypal.com. 366 IN A 216.113.188.32
www.paypal.com. 366 IN A 216.113.188.33
www.paypal.com. 366 IN A 216.113.188.34
www.paypal.com. 366 IN A 216.113.188.35
www.paypal.com. 366 IN A 216.113.188.64
www.paypal.com. 366 IN A 216.113.188.65
www.paypal.com. 366 IN A 216.113.188.66

;; AUTHORITY SECTION:
paypal.com. 1225 IN NS ns1.nix.paypal.com.
paypal.com. 1225 IN NS ns1.sc5.paypal.com.
paypal.com. 1225 IN NS ns2.nix.paypal.com.
paypal.com. 1225 IN NS ns2.sc5.paypal.com.

;; ADDITIONAL SECTION:
ns1.nix.paypal.com. 127048 IN A 64.4.240.70
ns1.sc5.paypal.com. 127048 IN A 64.4.244.70
ns2.nix.paypal.com. 127048 IN A 64.4.240.71
ns2.sc5.paypal.com. 127048 IN A 64.4.244.71

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 7 20:43:59 2005
;; MSG SIZE rcvd: 288

joe@jmorris64:~> dig www.paypаl.com

; <<>> DiG 9.3.0 <<>> www.paypаl.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.payp\208\176l.com. IN A

;; ANSWER SECTION:
www.payp\208\176l.com. 900 IN A 198.41.1.35

;; AUTHORITY SECTION:
com. 46346 IN NS b.gtld-servers.net.
com. 46346 IN NS c.gtld-servers.net.
com. 46346 IN NS d.gtld-servers.net.
com. 46346 IN NS e.gtld-servers.net.
com. 46346 IN NS f.gtld-servers.net.
com. 46346 IN NS g.gtld-servers.net.
com. 46346 IN NS h.gtld-servers.net.
com. 46346 IN NS i.gtld-servers.net.
com. 46346 IN NS j.gtld-servers.net.
com. 46346 IN NS k.gtld-servers.net.
com. 46346 IN NS l.gtld-servers.net.
com. 46346 IN NS m.gtld-servers.net.
com. 46346 IN NS a.gtld-servers.net.

;; ADDITIONAL SECTION:
b.gtld-servers.net. 108927 IN A 192.33.14.30
b.gtld-servers.net. 108186 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 31139 IN A 192.26.92.30
d.gtld-servers.net. 30509 IN A 192.31.80.30
e.gtld-servers.net. 31139 IN A 192.12.94.30
f.gtld-servers.net. 31139 IN A 192.35.51.30
g.gtld-servers.net. 31139 IN A 192.42.93.30
h.gtld-servers.net. 110999 IN A 192.54.112.30
i.gtld-servers.net. 31139 IN A 192.43.172.30
j.gtld-servers.net. 31139 IN A 192.48.79.30
k.gtld-servers.net. 30509 IN A 192.52.178.30
l.gtld-servers.net. 31139 IN A 192.41.162.30
m.gtld-servers.net. 29335 IN A 192.55.83.30

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 7 20:44:41 2005
;; MSG SIZE rcvd: 493

I couldn't see the difference in the message, but a copy/paste revealed the difference, but I had gone to the site mentioned and clicked on the link they said to check. It said if I was vulnerable, it should have come up with paypal in the location bar but page from their site, but it didn't. I just triple checked, and it says "www.paypal.com could not be found. Please check the name and try again." Sorry for the long post.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
On Mon, 07 Feb 2005 20:55:16 -0600, Joe Morris (NTM) wrote
Kastus wrote:
On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable. --

Maybe this is not what you guys are currently discussing, but I just got an email saying that there is a bug in Firefox, Mozilla, Konqueror and Opera about address spoofing.

Please check the link
http://secunia.com/multiple_browsers_idn_spoofing_test

Edwin
edwin wrote:
On Mon, 07 Feb 2005 20:55:16 -0600, Joe Morris (NTM) wrote
Kastus wrote:
On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable.
Maybe this is not what you guys are currently discussing, but I just got an email saying that there is a bug in Firefox, Mozilla, Konqueror and Opera about address spoofing.
Please check the link
http://secunia.com/multiple_browsers_idn_spoofing_test

This is the test I checked, and if their explanation of the test is correct, my mozilla (see above), whether because of version or arch, does not seem to be vulnerable.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
Joe Morris (NTM) wrote:
edwin wrote:
Maybe this is not what you guys are currently discussing, but I just got an email saying that there is a bug in Firefox, Mozilla, Konqueror and Opera about address spoofing.
Please check the link
http://secunia.com/multiple_browsers_idn_spoofing_test
This is the test I checked, and if their explanation of the test is correct, my mozilla (see above), whether because of version or arch, does not seem to be vulnerable.

For completeness, I tried Konqueror 3.3.2 x86_64, and it is vulnerable.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
participants (6)
- edwin
- Joe Morris (NTM)
- Kastus
- Marcus Meissner
- Randall R Schulz
- Richard Farla