Konqueror IDN Spoofing Security Issue
Subject : Konqueror IDN Spoofing Security Issue - I figure that everyone is already aware of this but I am posting this just in case...

Resume

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/

You can also check out http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/

Konqueror IDN Spoofing Security Issue
Source: http://secunia.com/advisories/14162/

Secunia Advisory: SA14162
Release Date: 2005-02-07
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Konqueror 3.x

Description:
Eric Johanson has reported a security issue in Konqueror, which can be exploited by a malicious web site to spoof the URL displayed in the address bar and status bar.

The problem is caused by an unintended result of the IDN (International Domain Name) implementation, which allows using international characters in domain names. This can be exploited by registering domain names with certain international characters that resemble other commonly used characters, thereby causing the user to believe they are on a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/

The issue has been confirmed in version 3.2.2. Other versions may also be affected.

Solution:
Don't follow links from untrusted sources. Manually type the URL in the address bar.

Provided and/or discovered by:
Originally described by: Evgeniy Gabrilovich and Alex Gontmakher
Reported by: Eric Johanson

Original Advisory:
http://www.shmoo.com/idn/homograph.txt

Other References:
The Homograph Attack:
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
ICANN paper on IDN Permissible Code Point Problems:
http://www.icann.org/committees/idn/idn-codepoint-paper.htm

Please note: The information, which this Secunia Advisory is based upon, comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Send Feedback to Secunia: If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
On Tue, 2005-02-08 at 02:13, James PEARSON wrote:
Subject : Konqueror IDN Spoofing Security Issue - I figure that everyone is already aware of this but I am posting this just in case...
Resume Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/
You can also check out http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/
{snip}

Funny thing here, IE isn't vulnerable to this, apparently.
On Tuesday 08 February 2005 14:19, Mike McMullin wrote:
On Tue, 2005-02-08 at 02:13, James PEARSON wrote:
Subject : Konqueror IDN Spoofing Security Issue - I figure that everyone is already aware of this but I am posting this just in case...
Resume Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/
You can also check out http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/
{snip}
Funny thing here, IE isn't vulnerable to this, apparently.
IE does not support IDN out of the box, but if one installs a plugin for it, like the one from Verisign, IE "supports" the exploit.

regards
Jonas

--
Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -Andrew S. Tanenbaum. Computer Networks.
On Tuesday 08 Feb 2005 13:19, Mike McMullin wrote:
On Tue, 2005-02-08 at 02:13, James PEARSON wrote:
Subject : Konqueror IDN Spoofing Security Issue - I figure that everyone is already aware of this but I am posting this just in case...
Resume Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/
You can also check out http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/
{snip}
Funny thing here, IE isn't vulnerable to this, apparently.
Mozilla Firefox 1.0 (from mozilla site tarball) is not immune to this, but Konqueror (KDE 3.3.2 version) is.

"Whoever lays his hand on me to govern me is a usurper and tyrant, and I declare him my enemy."
Pierre-Joseph Proudhon, 1849
Mick, On Tuesday 08 February 2005 05:44, Mick Higgins wrote:
On Tuesday 08 Feb 2005 13:19, Mike McMullin wrote:
On Tue, 2005-02-08 at 02:13, James PEARSON wrote:
Subject : Konqueror IDN Spoofing Security Issue - I figure that everyone is already aware of this but I am posting this just in case...
Resume Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/
You can also check out http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/
...
Mozilla Firefox 1.0 (from mozilla site tarball) is not immune to this, but Konqueror (KDE 3.3.2 version) is.
It surely is not "immune" for me, and I'm using Konqueror 3.3.2!

If you care to check out URLs, do the following. The first test is a copy (via right-click -> Copy Link Location in Mozilla) of the test link in the Secunia page mentioned above. The second was typed by me, same as in the final paragraph below:

% echo "http://www.paypаl.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p 320
0000020 260   l   .   c   o   m   /  \n
0000030

% echo "http://www.paypal.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p   a
0000020   l   .   c   o   m   /  \n
0000027

Note what "od -c" prints for the second 'a' in "paypal".

I can't say that I see this as a technological issue. The only real way to deal with it is to refuse to register both http://www.paypаl.com/ and http://www.paypal.com/, e.g., to different organizational entities.

Randall Schulz
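The od -c check above only tells you that the second 'a' is a two-byte sequence. The following added example (written for this page, not code from the thread, from Secunia or from any browser project) goes a step further: it pulls the hostname out of the URL, names every non-ASCII character, flags DNS labels that mix scripts (the Latin/Cyrillic mix behind this spoof), reproduces the od -c rendering, and prints the "xn--" punycode form, which is what a resolver actually sends on the wire. The two sample URLs are constructed here, with U+0430 CYRILLIC SMALL LETTER A standing in for the second 'a'; the function names are mine, and the script detection is a heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample inputs (not the Secunia test links): the first hostname
# has U+0430 CYRILLIC SMALL LETTER A in place of the second Latin 'a'.
SPOOFED_URL = "http://www.payp\u0430l.com/"
GENUINE_URL = "http://www.paypal.com/"


def hostname_of(url):
    """Return the host part of a URL, or raise if there is none."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return host


def od_c(text):
    """Render the UTF-8 bytes of text the way `od -c` shows them: printable
    ASCII as the character itself, every other byte as three octal digits.
    (od -c also uses C escapes like \\n for control bytes, which a hostname
    never contains, so they are not special-cased here.)"""
    return " ".join(chr(b) if 0x20 <= b < 0x7F else "%03o" % b
                    for b in text.encode("utf-8"))


def scripts_in(label):
    """Heuristic script detection: the first word of each letter's Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...) stands in for its script."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def to_ascii(host):
    """The ACE ('xn--') form that goes into the DNS query. Python's built-in
    'idna' codec implements IDNA2003, which is enough for this check."""
    return host.encode("idna").decode("ascii")


def analyse(url):
    """Inspect each DNS label of the URL's host for homograph indicators."""
    host = hostname_of(url)
    findings = []
    mixed = False
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            mixed = True
            findings.append("label %r mixes scripts %s"
                            % (label, sorted(scripts)))
        for ch in label:
            if ord(ch) >= 0x80:
                findings.append("U+%04X %s in label %r"
                                % (ord(ch), unicodedata.name(ch, "?"), label))
    return {
        "host": host,
        "ascii_form": to_ascii(host),
        "od_c": od_c(host),
        "mixed_script": mixed,
        "findings": findings,
    }


if __name__ == "__main__":
    for url in (GENUINE_URL, SPOOFED_URL):
        report = analyse(url)
        print(url)
        print("  od -c   :", report["od_c"])
        print("  on wire :", report["ascii_form"])
        for line in report["findings"]:
            print("  !", line)
```

The mixed-script test is a signal, not a verdict: a label spelled entirely in one non-Latin script whose letters happen to look Latin passes it. The one thing the example always gives you is the wire form, and a hostname whose ACE form starts with "xn--" when you expected plain ASCII is the cue to stop and look.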
On Tuesday 08 Feb 2005 15:40, Randall R Schulz wrote:
If you care to check out URLs, do the the following. The first test is copy (via right-click -> Copy Link Location in Mozilla) of the test link in Secunia page mentioned above. The second was typed by me, same as in the final paragraph below:
% echo "http://www.paypаl.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p 320
0000020 260   l   .   c   o   m   /  \n
0000030

% echo "http://www.paypal.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p   a
0000020   l   .   c   o   m   /  \n
0000027
Note what "od -c" prints for the second 'a' in "paypal".
Randall,

When I cut/paste the first URL I get http://www.payp?l.com/ not http://www.paypal.com/ as in the second. So the difference seems obvious. However on piping to od -c the octal(?) output is identical!

Maybe it's just my set-up, but I certainly wouldn't click on a URL in an unsolicited email under any circumstances.

--
"Whoever lays his hand on me to govern me is a usurper and tyrant, and I declare him my enemy."
Pierre-Joseph Proudhon, 1849
Mick, On Wednesday 09 February 2005 06:01, Mick Higgins wrote:
On Tuesday 08 Feb 2005 15:40, Randall R Schulz wrote:
If you care to check out URLs, do the the following. The first test is copy (via right-click -> Copy Link Location in Mozilla) of the test link in Secunia page mentioned above. The second was typed by me, same as in the final paragraph below:
% echo "http://www.paypаl.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p 320
0000020 260   l   .   c   o   m   /  \n
0000030

% echo "http://www.paypal.com/" |od -c
0000000   h   t   t   p   :   /   /   w   w   w   .   p   a   y   p   a
0000020   l   .   c   o   m   /  \n
0000027
Note what "od -c" prints for the second 'a' in "paypal".
Randall,
When I cut/paste the first URL I get http://www.payp?l.com/ not http://www.paypal.com/ as in the second. So the difference seems obvious. However on piping to od -c the octal(?) output is identical!
Maybe it's just my set-up, but I certainly wouldn't click on a URL in an unsolicited email under any circumstances.
This probably has to do with the locale setting you're using and, for that matter, which version of Linux, since they vary in their support for locales and Unicode (and other such stuff with which I'm only marginally familiar).

% locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"

Hmmm... It looks like I'm an English speaker in the U.S. How does it know??

Randall Schulz
On Wed, 2005-02-09 at 14:01 +0000, Mick Higgins wrote:
Maybe it's just my set-up, but I certainly wouldn't click on a URL in an unsolicited email under any circumstances.
Nor would probably most of the people on this list. Unfortunately, as an IT Director, I see people do it all the time.

<soapbox mode on>

I have seen people who simply cannot resist clicking a link in an e-mail no matter how much they have been warned. They are so mystified by computers that they simply cannot understand why it can be dangerous. When their computer crashes and you finally get to the root cause, invariably they will respond with, "Well, the e-mail came from one of my friends." When you try to explain the concept of spoofed e-mail headers, their eyes glaze over. You might as well have been trying to explain Einstein's Theory of Relativity to them. Most of them literally do not care. They know the Tech Support people will fix their machine if something happens to it.

To illustrate how clueless most people are, this is an incident that happened this morning, and I promise I am not making this up. I got a call from a user whose computer had hung when she shut it down yesterday afternoon, and it was still showing the "Windows is shutting down" screen when she arrived this morning. I said, no problem, just press the power button and hold it in for about 10 seconds and the computer will shut down. Then you can restart it. She asked, where is the power button? Now mind you, she has turned on this same computer every working day for nearly two years. I thought to myself, you have got to be kidding me? I held my tongue and replied that it is the round one on the front of the computer. She replied, do you mean the ON button? After I replied yes, I hear her counting out loud: 1, 2, 3, 4, 5, 6, ... When she gets to about 30 I ask, did it shut down? Nope, she replies, it still shows the "shutting down" screen. After I silently count to ten, I tell her I'll be right up. I get to her desk and find that she has pushed the power button so hard it has been pushed completely out of the case, and she still has her finger on it. After I open the case and re-seat the button in its guide, it shuts right off.

+++++

We will have to deal with clueless computer users until our children, the children of the computer age, are the ones running the show. Or until we start requiring everyone to get a license to operate a computer, and the only way to get the license is to take a mandatory 6 month course complete with written tests. And the penalty for operating a computer without a license is 6 months in jail. Yeah, that's the ticket. I must be dreaming... It sounds good anyway.
participants (6)
- Chuck Stuettgen
- James PEARSON
- Jonas Helgi Palsson
- Mick Higgins
- Mike McMullin
- Randall R Schulz