URL spoof


By Razvan Peteanu (razvan.peteanu@home.com) for securityportal.com

Translation: fatfox (fatfox@yesky.com)

Source: Green Corps BBS http://www.vertarmy.org/bbs/

URL structure

Let's take a closer look at URLs and the security meaning attached to them. An "interesting" way of using URLs had already been found by spammers, but the Knowledge Base spoof reported in the February issue of Crypto-Gram showed that URLs can be made to do much more.

Although most Internet users associate them with WWW or FTP addresses, Uniform Resource Locators (URLs) are more general than that. URLs are specified in RFC 1738, and their most common form is defined as:

<scheme>:<scheme-specific-part>

The <scheme> part names the network protocol, and for the common Internet schemes the <scheme-specific-part> is defined as:

//<user>:<password>@<host>:<port>/<url-path>

Of these, only <host> is required. The ":", "@" and "/" characters have special meaning so that the browser can parse the complete string. If a user name and password are included in the URL, the <host> part only starts after the "@" character. Look at the example from the KB spoof:

http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/q209354.asp

The real host is www.hwnd.net. "www.microsoft.com&item=q209354" is just a fake user name in this URL; the site never asks for authentication, so the server simply ignores it.

Although the example above is syntactically correct, it can cause security problems. The endpoints of the Internet are not NICs, modems or computers but people, and people judge, consciously or not, whether what appears on the screen is trustworthy.

Trust is the most basic security evaluation. A deceptive URL like the one above exploits our common-sense trust in the familiar format of URLs. It also exploits the fact that we focus on the main content of a page rather than on its address (even though the URL can sometimes help us judge credibility). On an SSL-protected site, part of that judgement is handed to the browser, which compares the domain name in the URL with the one in the server certificate; on the other hand, if the destination host is itself a fake, the certificate only proves that you are talking to that fake, so encryption alone does not tell you much.

Hiding the destination

The URL trick above simply hides the true destination, and there are even better ways to hide it. For some reason (possibly internal processing), some operating systems accept an IP address written not in the usual aaa.bbb.ccc.ddd form but as the equivalent decimal number.

Such an address can be rewritten as a single decimal value: aaa*256^3 + bbb*256^2 + ccc*256 + ddd. In this way 3633633987 is 216.148.218.195 (which, at the time of writing, belonged to www.redhat.com, Red Hat's site). Type http://3633633987/ into a browser and you will find yourself at Red Hat's website. This works with IE 5.x and with Lynx under Linux; other operating systems were not tested, and there may be many more that accept it. Some software will reject such input as an "illegal URL", but a quick check with a common tool such as ping will tell you whether the operating system's resolver accepts this form.

If the operating system supports this, you can create even more confusion by constructing the URL http://www.toronto.com:ontario@3633633987/, which still points to Red Hat. Because many websites keep the HTTP session ID in the URL instead of in a cookie, users are used to seeing long numbers in URLs, so the constructed URL raises no suspicion. The password part can be omitted, so http://www.toronto.com@3633633987/ is even more confusing. Now add a little HTML knowledge: the anchor tag lets the text displayed for a link differ from the link target, so we can display the text http://www.toronto.com and set the anchor's target to http://www.toronto.com@3633633987/. Is that dangerous? Click the link and you still end up at Red Hat.
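The following is an added example, not code from the original article: it takes apart the two tricks discussed above, the "user:password@host" confusion from the KB spoof and the decimal IP address, and shows what a browser actually does with such a URL. The URLs are the article's own; nothing is contacted over the network.

```python
"""Added example, not code from the original article: take apart the two
URL tricks discussed above, the "user:password@host" confusion and the
decimal IP address. The URLs are the article's own; nothing is contacted."""
import ipaddress
from urllib.parse import urlsplit


def dotted_to_decimal(dotted: str) -> int:
    """aaa.bbb.ccc.ddd -> aaa*256^3 + bbb*256^2 + ccc*256 + ddd."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        value = value * 256 + octet
    return value


def decimal_to_dotted(value: int) -> str:
    """3633633987 -> '216.148.218.195' (the reverse of the formula above)."""
    return str(ipaddress.IPv4Address(value))


def reveal(url: str) -> dict:
    """Show what a browser actually does with a URL.

    Everything before the last '@' of the authority is user:password and does
    not choose the server; a host that is all digits is a 32-bit IPv4 address
    written in decimal."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real_host = decimal_to_dotted(int(host)) if host.isdigit() else host
    return {
        "scheme": parts.scheme,
        "username": parts.username,
        "password": parts.password,
        "host_as_written": host,
        "real_host": real_host,
        "path": parts.path or "/",
        # a user name in a plain web link, or a host that had to be
        # decoded, is the signature of the spoofs described in the article
        "suspicious": parts.username is not None or host != real_host,
    }


if __name__ == "__main__":
    for link in (
        "http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/q209354.asp",
        "http://3633633987/",
        "http://www.toronto.com:ontario@3633633987/",
        "http://www.toronto.com@3633633987/",
    ):
        info = reveal(link)
        print(f"{link}\n  -> really {info['real_host']}{info['path']}"
              f"  (user={info['username']!r}, suspicious={info['suspicious']})")
```

The same parsing rule that the browser follows (host is whatever comes after the last "@" of the authority) is what makes both spoofs work, so a mail gateway or proxy that flags links with a user name in them, or with a host that is not in dotted form, catches them cheaply.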

Another way to exploit trust is through the redirection links of a trusted site. Many well-known websites log outgoing clicks by wrapping external links in URLs of the form http://www.thisisarespectables.com/outsidelinks/http://ExternalSite; the server records the click and then redirects the user to the target website.

This lets anyone use the site's indirection service, and combined with the URL confusion tricks above it lends a fraudulent URL additional legitimacy. The site could restrict what it accepts in the redirect parameter to reject illegitimate targets, but few websites do.
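As an added example (not code from the original article), here is the check such a redirect endpoint should make. The naive prefix test that many sites settle for is shown beside a host-based allowlist; the site name is the article's placeholder, and the allowlist and attacker URLs are constructed for the example.

```python
"""Added example, not code from the original article: validating the target
of an "/outsidelinks/<target>" style redirect. The naive check is the kind
of test that the article's user@host trick walks straight past; the
hardened check parses the URL the way the browser will."""
from urllib.parse import urlsplit

# Assumption for the example: the redirecting site's own host names.
TRUSTED_HOSTS = {"www.thisisarespectables.com", "thisisarespectables.com"}


def naive_is_internal(target: str) -> bool:
    """Common but broken: trusts anything that *starts with* our own origin."""
    return target.startswith("http://www.thisisarespectables.com")


def is_safe_redirect(target: str) -> bool:
    """Allow only same-site relative paths, or absolute http(s) URLs whose
    parsed host is on the allowlist and that carry no user:password part."""
    # "/path" is fine; "//host" and "/\\host" are protocol-relative to another host
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return True
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, custom schemes, or no scheme at all
    if parts.username is not None or parts.password is not None:
        return False  # the "trusted.com@evil" trick from the article
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


def redirect_decision(target: str) -> dict:
    """Compare both checks for one submitted target."""
    return {
        "target": target,
        "naive": naive_is_internal(target),
        "hardened": is_safe_redirect(target),
    }


if __name__ == "__main__":
    for candidate in (
        "http://www.thisisarespectables.com/news",
        "/account/settings",
        "http://www.thisisarespectables.com@3633633987/",      # user@host trick
        "http://www.thisisarespectables.com.evil.example/",    # prefix match only
        "//3633633987/",
        "javascript:alert(1)",
    ):
        print(redirect_decision(candidate))
```

Note that the hardened check refuses any URL with a user name rather than trying to strip it: a redirect target that carries credentials has no legitimate use on a click-logging endpoint, and rejecting it closes the whole class rather than one spelling of it.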

If that is still not enough, you can also encode the real destination URL (with Unicode or other escape sequences) so that it only decodes into the true target when the link is followed.

None of this is news to the more knowledgeable junk advertisers, but it works very well against users who are not in the habit of doubting what they see.

One-Click attack

Below, we look at URL security from another angle.

Many "standard" attacks start from a buffer overflow, but such overflows are not so easy to find any more. So what do we do?

In the registry there is the key HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Handler, and under HKEY_CLASSES_ROOT there are keys carrying a "URL Protocol" value (you can search the registry for these). There you find ftp://, https://, mailto:, news:, pnm:// and other protocols, plus many you have never seen before, such as msee://. By a quick test I found that msee:// is used by Microsoft's Encarta encyclopedia, presumably to access articles internally. Would Encarta overflow a buffer if handed an overlong URL of its own scheme, and if so, what could actually be done with it? That needs deeper research.

You will find many URL schemes that were added when software was installed (copernic://, for instance). In addition, a script can modify the victim's registry to add a scheme of our own: write it in VBScript, send it by email, and then ... A crafted URL of that scheme could then be used to cause a buffer overflow in whatever program handles it. This may not look like much, but since it is related I mention it here.
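The following is an added example, not code from the original article: it enumerates the URL schemes registered on a Windows machine (HKEY_CLASSES_ROOT keys that carry a "URL Protocol" value) and shows which program receives the clicked URL as its "%1" argument, which is exactly the input path the two paragraphs above are worrying about. The registry walk needs Windows and returns an empty list elsewhere; the command-line parsing is pure and runs anywhere. The sample command lines are constructed and the program paths in them are hypothetical.

```python
"""Added example, not code from the original article: list registered URL
schemes and the handler each one launches. The registry walk needs Windows
(it returns [] elsewhere); parse_handler_command() is pure and runs anywhere."""
from typing import Dict, List

try:
    import winreg  # standard library, Windows only
except ImportError:  # non-Windows host
    winreg = None

# Placeholders that the shell replaces with the full URL that was clicked.
URL_PLACEHOLDERS = ("%1", "%l", "%L")


def parse_handler_command(command: str) -> Dict[str, object]:
    """Split a shell\\open\\command value into executable and arguments.

    Windows quoting: an executable path containing spaces is wrapped in
    double quotes; otherwise the executable ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            end = len(command)
        exe, rest = command[1:end], command[end + 1:]
    else:
        exe, _, rest = command.partition(" ")
    args = rest.strip()
    return {
        "exe": exe,
        "args": args,
        # True means whatever follows "scheme:" in a link is handed to exe
        "receives_url": any(p in args for p in URL_PLACEHOLDERS),
    }


def list_url_protocols() -> List[Dict[str, object]]:
    """Return [{scheme, exe, args, receives_url}] for every scheme whose
    HKEY_CLASSES_ROOT key has a "URL Protocol" value; [] off Windows."""
    if winreg is None:
        return []
    found = []
    with winreg.ConnectRegistry(None, winreg.HKEY_CLASSES_ROOT) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    winreg.QueryValueEx(key, "URL Protocol")  # raises if absent
                    with winreg.OpenKey(key, r"shell\open\command") as cmd:
                        command, _ = winreg.QueryValueEx(cmd, "")  # default value
            except OSError:
                continue  # not a scheme, or no launch command registered
            found.append({"scheme": name, **parse_handler_command(command)})
    return found


if __name__ == "__main__":
    # Constructed sample command lines (hypothetical paths) for hosts without a registry.
    samples = [
        r'"C:\Program Files\Encyclopedia\enc.exe" "%1"',
        r"rundll32.exe url.dll,TelnetProtocolHandler %l",
        r'"C:\tool.exe" /silent',
    ]
    for s in samples:
        print(s, "->", parse_handler_command(s))
    for entry in list_url_protocols():
        flag = "URL->" if entry["receives_url"] else "      "
        print(f"{flag} {entry['scheme']}: {entry['exe']} {entry['args']}")
```

Every line marked "URL->" is a program that will be started with attacker-chosen text on its command line as soon as a user clicks a link of that scheme, so this list is the place to start when deciding which third-party handlers deserve a closer look or removal.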

Please credit the original address when reposting: https://www.9cbs.com/read-121576.html
