Title: Microsoft Internet Explorer Non-FQDN URI Address Zone Bypass Vulnerability
Severity: MODERATE
Description:
Microsoft Internet Explorer is prone to a zone bypass vulnerability. A remote attacker may execute code in the Intranet zone.
The Intranet Zone contains all sites within a local intranet or network. By default this zone is set to Medium-Low, allowing most content within the site to run without prompting the user.
A vulnerability exists in Internet Explorer that could allow a web site to be viewed in the Intranet Zone rather than the Internet Zone, so that its content is rendered with the less restrictive security settings of that zone.
An attacker can exploit this issue by using a non-FQDN URI such as:
http://example%2fwww.example.example.org
It is reported that Internet Explorer examines only the part of the URI that precedes the '%2f' sequence (a percent-encoded forward slash) to determine the security zone for the site. It then loads the entire URI in the Intranet zone.
Therefore, any malicious content on the attacker-supplied site will run with less restrictive settings.
Content that will run is dependent on the settings in the Local Intranet Zone. Users may have modified or customized the settings to a lower level, expecting that only trusted network/intranet sites will be viewed in this zone.
Successful exploitation of this vulnerability could lead to the execution of malicious script or ActiveX controls.
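The following Python snippet is an added illustration, not part of the original advisory. It models the flawed zone lookup described above (zone taken from the authority text before the first '%2f') next to what a standards-conforming parser sees, and shows a simple proxy-side or log-side check that flags such URIs: a genuine hostname never contains a '%'. The sample URIs are constructed; the first one is the form quoted in the advisory.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URIs. Only the first two have a percent-encoded
# byte inside the authority (host) part; the last one encodes slashes
# in the path, which is legitimate and must not be flagged.
SAMPLES = [
    "http://example%2fwww.example.example.org",       # advisory's form
    "http://intranet%2Fwww.example.org/index.html",   # upper-case variant
    "http://intranet/reports",                        # plain intranet host
    "http://www.example.org/path%2fwith%2fencoded",   # encoded path only
]


def zone_host_as_ie_saw_it(url: str) -> str:
    """Model of the flawed behaviour the advisory describes: the zone is
    chosen from the authority text before the first '%2f' (any case).
    This is a reconstruction from the advisory text, not IE's code."""
    authority = urlsplit(url).netloc
    return re.split(r"%2f", authority, maxsplit=1, flags=re.IGNORECASE)[0]


def actual_host(url: str) -> str:
    """Host a correct parser uses: the whole authority, with %2f kept
    as literal characters rather than turned into a path separator."""
    return urlsplit(url).hostname or ""


def is_suspicious(url: str) -> bool:
    """Detection rule: hostnames consist of letters, digits, '-' and '.',
    so any '%' inside the authority indicates obfuscation of this kind."""
    return "%" in urlsplit(url).netloc


def audit(urls):
    """Return, per URI, the host the flawed lookup would use, the real
    host, and whether the URI should be blocked or alerted on."""
    return [
        {
            "url": u,
            "zone_host": zone_host_as_ie_saw_it(u),
            "real_host": actual_host(u),
            "suspicious": is_suspicious(u),
        }
        for u in urls
    ]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```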
Update: It is reported that this issue can also be exploited to bypass into other zones. For example, by using a trusted URI, an attacker can access the Trusted zone.
This issue seems to be related to BID 10517 (Multiple Browser URI Obfuscation Weakness).
Update: http-equiv has created a proof of concept for an attack that exploits this vulnerability. This attack can cause malicious content to be rendered in the Trusted Zone. The attack requires that the attacker have control over a DNS server and prior knowledge of a domain specified by the victim as trusted (it may be easy to guess this in targeted attacks). This particular demonstration exploits systems that have specified as trusted the domains associated with Microsoft Windows Update.
Update: Andreas Sandblad reported that the http-equiv proof of concept might also be used as an exploit vector for local buffer overrun vulnerabilities. A 'shell:' URI can be called with 'filename.filetype' as an argument; when the shell URI is processed, the application that is the default handler for that file type is invoked.
If a buffer overrun vulnerability exists in the filename processing functions of an application that is invoked by a shell URI, the vulnerability described in this BID, in conjunction with other vulnerabilities in Internet Explorer (BID 9628, Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability), may be used to pass a malicious filename as an argument to the vulnerable application.
Affected Products:
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.0.1
- Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Internet Explorer 5.0.1 SP3
- Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5 SP1
- Microsoft Internet Explorer 5.5 SP2
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.