[Full-Disclosure] RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition
jkuperus at planet.nl
Sat Jun 19 03:31:09 BST 2004
>As a addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...
Don't mind if I do :)
The following demo will read out your logon name and your logon domain, or
at least it should :)
The url used is http://jelmer%2fwww.jelmer.homedns.org
The problem is that ie looks at the part before the %2f to determine the
security zone etc but then loads the url in it's entirety, like this
http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded
IE treats any url it sees without a period in it such as http://jelmer as
part of the Local Intranet Zone
>From the intranet zone we can easily obtain the logon name because Automatic
logon thru NTLM is enabled by default in the intranet zone.
Code at http://jelmer.homedns.org/code.zip
I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder
Full-Disclosure is hosted and sponsored by Secunia.