Full Disclosure mailing list archives

Re: Phishing using IE7 local resource vulnerability
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 15 Mar 2007 14:46:16 -0700

On 3/15/07, avivra <avivra () gmail com> wrote:
> Hi Robert,
>
> Protected Mode and UAC are different security features.
> Even so, it is possible to access local resource ("res://") links
> with the Protected Mode and UAC features enabled. You can test it yourself here:
> http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
> video here: http://raffon.net/videos/ie7navcancl.wmv.
> The only way to mitigate this vulnerability with an out-of-the-box security
> feature is to set the security level of the "Internet Zone" to "High". This
> will disable "javascript:" links, so the user will not be able to click the
> "Refresh the page." link in the navcancl.htm local resource page.
> But I doubt anyone will do that when they can simply avoid clicking
> any link in the "Navigation Canceled" page.

On XP SP2 (and probably Vista), you can block the exploitation of this
by disabling script execution for the res:// scheme specifically.
Note that I didn't try blocking the specific resource involved in the

If you attempt to add "res://*" or "res://ieframe.dll/navcancl.htm" to
the Restricted Sites zone, this results in an entry for
"about:internet" being added.  After doing this, the "Refresh the
page" text is no longer a clickable link.  Removing the
"about:internet" entry reverses the change.  It seems that making this
change blocks scripts in ANY resource, even without the wildcard.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
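The thread describes blocking scripts for the res:// scheme as a mitigation; the complementary defender-side step is spotting res:// links in mail bodies, proxied pages or URL logs before a user ever sees a "Navigation Canceled" page. The following is an added example (not code from the thread or from Microsoft) that extracts res:// references from text, separates the DLL, resource and fragment, and flags links to the ieframe.dll/navcancl.htm resource named above. The sample lines and the `example.dll` resource are constructed.

```python
import re
from urllib.parse import urlsplit

# IE's local-resource scheme. The match runs to the next quote, bracket or
# whitespace so the fragment (the text after '#') is kept for the analyst.
RES_URL = re.compile(r'res://[^\s"\'<>)]+', re.IGNORECASE)


def classify_res_link(url):
    """Describe one res:// URL: which DLL and resource it points at, plus its fragment."""
    parts = urlsplit(url)
    dll = parts.netloc.lower()
    resource = parts.path.lstrip('/').lower()
    if dll == 'ieframe.dll' and resource == 'navcancl.htm':
        kind = 'navcancl-spoof'   # the resource page discussed in the thread
    else:
        kind = 'res-link'         # any other local resource link: still worth review
    return {'url': url, 'dll': dll, 'resource': resource,
            'fragment': parts.fragment, 'kind': kind}


def scan(lines):
    """Scan HTML or URL log lines and return findings tagged with their line number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for url in RES_URL.findall(line):
            finding = classify_res_link(url)
            finding['line'] = lineno
            findings.append(finding)
    return findings


# Constructed sample: an ordinary link, a lure pointing at navcancl.htm, and a
# link to a made-up local resource (example.dll is a placeholder, not a real DLL).
SAMPLE = [
    '<a href="https://www.example.test/login">Sign in</a>',
    '<a href="res://ieframe.dll/navcancl.htm#http://www.example.test/">Read more</a>',
    '<iframe src="res://example.dll/page.htm"></iframe>',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['url']} fragment={f['fragment']!r}")
```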
