Microsoft Edge/Internet Explorer Certificate Error Url Spoofing (MS16-009/MS16-011)

2016-06-16 / 2016-06-18
Credit: Kacper
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-19


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Microsoft Edge/Internet Explorer Certificate Error Url Spoofing

Tested on Windows 10 x64
Edge Version: 20.10240.16384.0
Internet Explorer Version: 11.0.10240.16431

Overview:

Microsoft Edge is a web browser developed by Microsoft and included in the company's Windows 10 operating systems, replacing Internet Explorer as the default web browser on all device classes.
https://en.wikipedia.org/wiki/Microsoft_Edge
https://www.microsoft.com/en-us/windows/microsoft-edge

Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the Original Equipment Manufacturer (OEM) service releases of Windows 95 and later versions of Windows.
https://en.wikipedia.org/wiki/Internet_Explorer
http://windows.microsoft.com/en-us/internet-explorer/

Vulnerability description:

What do these screenshots show? A certificate error on the domain http://kacperrybczynski.com/? No! (Tip: a certificate error over http?)

The error concerns a certificate, but it occurs on another domain (not http://kacperrybczynski.com/). But where?

The browser interprets the headers first, then the current URL and more... Spoofing works when Edge/IE receives a "Location:" header in the response (HTTP 302).

How can it be used in the wild? Simply by using an Open Redirect vulnerability or HTTP Response Splitting to trick the victim into accepting an insecure certificate based on trust in the domain visible in the URI.
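
Both delivery paths named above, an open redirect and HTTP response splitting, depend on attacker-influenced data reaching the "Location:" header, so a site keeps itself from being used as the trusted first hop by validating that value. The PHP below is an added example, not part of the original advisory; safe_redirect_target(), ALLOWED_REDIRECT_HOSTS and all hosts in it are hypothetical, constructed names.

```php
<?php
// Added example, not from the advisory. The function name, the allowlist
// constant and every host below are hypothetical / constructed.
const ALLOWED_REDIRECT_HOSTS = ['www.example.test', 'login.example.test'];

/** Return a value that is safe to put in a Location: header, or $fallback. */
function safe_redirect_target(string $target, string $fallback = '/'): string
{
    // Response splitting: refuse CR, LF, NUL and any other control byte.
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }
    // Some browsers treat "\" as "/", so "/\host" can leave the site.
    if (strpos($target, '\\') !== false) {
        return $fallback;
    }
    // Same-site path: one leading slash only ("//host" is scheme-relative).
    if ($target[0] === '/' && substr($target, 0, 2) !== '//') {
        return $target;
    }
    // Absolute URL: must parse, be https, carry no userinfo, and name an
    // allowlisted host (exact, case-insensitive match).
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (strtolower($parts['scheme']) !== 'https'
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $host = strtolower($parts['host']);
    return in_array($host, ALLOWED_REDIRECT_HOSTS, true) ? $target : $fallback;
}

// Constructed inputs: the last three are the shapes that would send the
// browser from this site to a third-party HTTPS host.
$samples = [
    '/account/settings',
    'https://login.example.test/sso?next=%2F',
    'https://untrusted.example.net/',
    '//untrusted.example.net/',
    "/ok\r\nLocation: https://untrusted.example.net/",
];
foreach ($samples as $s) {
    printf("%-55s => %s\n", json_encode($s), safe_redirect_target($s));
}
// In a handler (assumed parameter name "next"):
// header('Location: ' . safe_redirect_target($_GET['next'] ?? '/'), true, 302);
```
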
PoC:
http://kacperrybczynski.com/research/microsoft_edge_certificate_error_url_spoof/poc/

PoC source code:
<?php header("Location: https://elo.devilteam.pl/"); ?>

Reference:
https://en.wikipedia.org/wiki/Spoofed_URL

Disclosure Timeline:
2015-10-27 - Vulnerability reported to vendor
2016-02-19 - CVE-2016-0077
2016-02-19 - Release fix in Microsoft Security Bulletin MS16-009/MS16-011

Reported by:
Kacper Rybczyński (@kacperybczynski)

References:

http://kacperrybczynski.com/research/microsoft_edge_certificate_error_url_spoof/
http://kacperrybczynski.com/research/microsoft_edge_certificate_error_url_spoof/poc/
https://en.wikipedia.org/wiki/Microsoft_Edge
https://www.microsoft.com/en-us/windows/microsoft-edge
https://en.wikipedia.org/wiki/Internet_Explorer
http://windows.microsoft.com/en-us/internet-explorer/
http://technet.microsoft.com/security/bulletin/MS16-011
http://technet.microsoft.com/security/bulletin/MS16-009

