[38641] in bugtraq


RE: Capital One's website inadvertently assists phishing

daemon@ATHENA.MIT.EDU (Rager, Anton (Anton))
Thu Apr 28 13:07:38 2005

Date: Wed, 27 Apr 2005 15:29:18 -0600
Message-ID: <088D5F677777E344A3DA3478DB305D1108CF31D9@co9510avexu1.global.avaya.com>
From: "Rager, Anton (Anton)" <arager@avaya.com>
To: "Joseph Barillari" <bugtraq@barillari.org>,
        "dramatools" <avernon@dramatools.net>
Cc: <bugtraq@securityfocus.com>, <webinfo@capitalone.com>


This is an interesting 'fix'.

It appears that the redirector domain check logic is in the '200 OK'
response from capitalone's server in the form of HTML/Javascript. The
client logic checks the redirect location against a list of valid sites
or a regex match on "capitalone.com" domain.  There are several ways to
circumvent this javascript logic:

1 - The check for "capitalone.com" is a simple regex check within the
URL string, so if the attacker can create a valid domain named
"capitalone.com.attacker.com", then it will pass the validation checks
and redirect to the attacker's server.

http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://capitalone.com.attacker.com

The regex for /capitalone.com/ matches within the URL and allows the
rest of the URL to pass thru.

2 - The check is not actually aware of all the ways URLs can be
formatted, and user@domain can be used to fool the checks. An example
would be "http://www.capitalone.com@attacker.com" for the redirect URL.
This will throw a warning in Firefox and doesn't work with IE, but is a
way around the filter.

http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://www.capitalone.com@attacker.com

The substring/regex matches on the initial occurrence of
http://capitalone.com, but when the browser decodes the URL it submits a
userID of "http://capitalone.com" to the site "attacker.com".

3 - if an attacker specifies a redirect location early in the URL
without using a :// ref, the :// ref can be placed later in the string
to trick the check logic.

http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=//www.attacker.com/http://www.capitalone.com

The substring/regex logic is looking for what follows after the "://"
sequence, so doesn't pay attention to the first portion that actually is
the URL the browser goes to. We have to add the "//" after "dest=" to
force the browser to treat the location as another site.

4 - The above idea should also apply to javascript tags, but the server
CGI seems to be forwarding to capitalone.com when there is a match for
the string "script" anywhere in the URL. Odd way to block XSS... I
wonder why that server-side logic isn't doing the valid site checks as
well?

This means that "javascript:", "livescript", "ecmascript", "jscript:"
and "vbscript:" are blocked, but "mocha:" gets thru if you have a
browser that actually understands that ref like older Netscape (tested in
4.7x and it works)

http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=mocha:alert(document.domain)//http://www.capitalone.com


I've attached the client-side Javascript validation document for
reference. It's also somewhat interesting what other sites they will
allow redirection to.

These checks really need to analyze URLs more fully and should be done
server-side instead of using client javascript to allow/block redirects.


Regards,

Anton Rager
arager@avaya.com

-----Original Message-----
From: Joseph Barillari [mailto:bugtraq@barillari.org]
Sent: Tuesday, April 19, 2005 5:12 PM
To: dramatools
Cc: bugtraq@securityfocus.com; webinfo@capitalone.com
Subject: Re: Capital One's website inadvertently assists phishing

On Tue, Apr 19, 2005 at 05:30:28PM -0500, dramatools wrote:
> However, I clicked your "proof of concept" link and found that the
> redirector did not send me to Wikipedia as expected, but Capital One's
> home page.  Perhaps one of their security people is lurking on bugtraq
> and attempted to fix the problem on the spot.  I'll keep monitoring this
> one.

Looks like full disclosure worked. Thanks!

http://barillari.org/blog/computers/internet/conephishing-updated.html

Timeline (should be mostly complete):

|13 Apr 01:28:45 -0400|Phishing email exploiting unchecked redirect arrives|
|13 Apr 01:54:51 -0400|Emailed webinfo@capitalone.com to report it|
|13 Apr 01:53:00 -0400|Blog post "posted":http://barillari.org/blog/computers/internet/conephishing.html|
|13 Apr 16:29:45 -0400|Inform Capital One of my intention to post to "bugtraq":http://securityfocus.org/archive/1 in 24 hours|
|13 Apr 16:31:11 -0400|Capital One form letter arrives: "this [phishing] email has not compromised Capital One's systems in any way,"|
|13 Apr 16:44:42 -0400|Reply to Capital One form letter: "this email _has_ taken advantage of a compromised Capital One system: Capital One's website redirects URLs without checking them....please see the note about bugtraq below"|
|13 Apr 16:47:15 -0400|Another form letter: "A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours". I wonder if saying "bugtraq" provokes this response.|
|19 Apr 16:32:15 -0400|Four business days later (well beyond 72h), redirect is still unchecked. "Post":http://www.securityfocus.com/archive/1/396255 bug to bugtraq and cc Capital One|
|19 Apr 16:53:46 -0400|Reply to Capital One (signed by a human?) form letter: "the point is that the phishing email _has_ exploited a flaw in Capital One's systems. Your website permits unchecked redirects. This makes a phisher's job much, much easier.|
|19 Apr 18:01:00 -0400|A bugtraq subscriber tells me that he's emailed abuse@capitalone.com (I should have thought of that)|
|19 Apr 14:27:05 -0800|Another bugtraq subscriber tells me that it's fixed. Checked myself --- apparently, it is.|
|19 Apr 18:55:38 -0400|Send email to webinfo@, thanking them for fixing the unchecked redirect.|





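A server-side validator of the kind the post argues for, added here as an example; it is not code from the post, from the attached redirect page, or from Capital One's site. The allow-list and function name are assumptions; the four redirect targets from the post are embedded as constructed test inputs, and the validator rejects each of them while accepting a real capitalone.com URL:

```python
"""Server-side validation of a ?dest= redirect target (added example).

Parses the destination with urllib.parse and allows only absolute http(s)
URLs whose host is exactly an allow-listed domain or a subdomain of one.
"""
from urllib.parse import urlsplit

# Hypothetical allow-list; the post's only legitimate domain is capitalone.com.
ALLOWED_DOMAINS = ("capitalone.com",)


def is_safe_redirect(dest: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Return True only if dest is an absolute http(s) URL on an allowed host."""
    try:
        parts = urlsplit(dest.strip())
    except ValueError:  # malformed netloc (e.g. bad IPv6 brackets)
        return False
    # Scheme check: rejects javascript:/mocha: pseudo-URLs (bypass 4) and
    # scheme-relative "//attacker/..." targets (bypass 3), which have no scheme.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname is the part the browser actually connects to, so "user@host"
    # userinfo (bypass 2) cannot smuggle an allowed name in front of it.
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    host = host.lower().rstrip(".")
    # Dot-boundary suffix match, not a substring/regex match (bypass 1):
    # "capitalone.com.attacker.com" is not a subdomain of capitalone.com.
    return any(host == d or host.endswith("." + d) for d in allowed)


# The four dest= values from the post, as constructed test inputs.
BYPASS_ATTEMPTS = [
    "http://capitalone.com.attacker.com",
    "http://www.capitalone.com@attacker.com",
    "//www.attacker.com/http://www.capitalone.com",
    "mocha:alert(document.domain)//http://www.capitalone.com",
]


def audit(targets=BYPASS_ATTEMPTS):
    """Map each candidate target to the validator's decision."""
    return {t: is_safe_redirect(t) for t in targets}


if __name__ == "__main__":
    for target, ok in audit().items():
        print("ALLOW" if ok else "BLOCK", target)
```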
[Attachment: capitalone_com-redirect_page.txt (text/plain); contents not included in this archive copy]
