<$BlogRSDUrl$>

Monday, February 07, 2005

HOMOGRAPH ATTACKS


A story about how implementation of standards across browsers turned into a tragedy

A Hacking idea that was lingering for past couple of years (from 2002) is now implemented practically. This attack poses a security threat to major corporations around the world. A True fact is none of these corporations can take any possible action against this.

All the URL’s are vulnerable in this serious threat and these URL’s can be hacked by using any of the following browsers.
1. Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
2. Safari 1.2.5
3. Opera 7.54
4. Omniweb 5

Internet Explorer is free from this vulnerability :-) Interesting Huh!


Try these links in any of the listed browsers above

Original URL
Click here to enter paypal
Click here to enter paypal via ssl

Spoofed URL (Try using non-IE Browsers)
Click here to enter paypal
Click here to enter paypal via ssl


So What has happened ?
1. Simply, all the browsers implemented a standard called IDN(Internationalized Domain Names), which was pushed by Verisign.
Verisign-IDN Details

2. A Spoof URL was registered for Paypal.com replacing "a" with "а" i.e. #1072(430) a Unicode character in Cyrillic subset, which is legal as per IDN.
This reads "PayPal" to normal users, where as it is "pаypal"

So What can happen
Simply, anybody can create a spoof site to your Bank's login page(Bank of America,HDFC Bank,ICICI Bank), log the credential details and later pass to the original site, now the hacker would have a database of logins and passwords for the bank accounts…
(Phew!! I remember me and kingsly trying a similar hack using DNS Spoof and HOSTS File Spoof, way back in 1997-98, to grab hotmail passwords :) to win a bet )

Isn’t it devasting ?! This Trick was actually demonstrated at the end of shmoocon 2005 Hacker’s conference by EricJ

Read more on how an implementation of standards turned into a tragedy at
http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

http://www.shmoo.com/idn/homograph.txt

and the real demonstration at http://www.shmoo.com/idn/

How to Avoid this
Except Firefox, no other browser has a way to block this.
If you are a firefox user, type "about:config" at address bar, search for "idn" and set the property to false. You are now safe.

Other Browser users are doomed.

Fine… but how did IE escaped this attack?! Answer is simple, IE is a bit old on some standards and remember we don’t have any recent updates for IE. Which means IDN standard is not implemented in IE.

Update: Paul Hoffman, co-author of IDN standard, has a post where he proposes a list of effective set of solutions for IDN Spoofing: http://lookit.proper.com/archives/000302.html#000302

posted by Logu Krishnan : 4:34 AM

Comments:
Hi,
I read your article on code-project http://www.codeproject.com/csharp/CsManagedEventSinksHooks.asp

Basically I am completely new to MS Exchange server and the whole event trigger juglery.

I tried getting the samples given by Exchange SDk working with my Exchange server by following instructions given on

http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_esdk_samples_events_intro.asp

But I keep getting errors like
"Error opening connection: -2147217895 Object or data matching the name, range, or selection criteria was not found within the scope of this operation.. This program must be run on an Exchange Server."

"Error opening connection: -2147217895 Object or data matching the name, range, or selection criteria was not found within the scope of this operation.. This program must be run on an Exchange Server."

"Error opening record: -2147024891 Access is denied.. Error opening connection: -2146105340 Method '~' of object '~' failed. This program must be run on an Exchange Server."

"Error opening connection: -2146105340 Method '~' of object '~' failed. This program must be run on an Exchange Server."

With params -

Folder URL - "file://./backofficestorage/reconnex.gs-lab.com/Public Folder/medha/"

Registration Name - "testreg.eml"

Method(s) - OnSyncSave

Sink Class - "ExEvent.ExEv.1"
(Even tried with "SampleEvtSinkVB.SyncEvents"

I guess there is some setting required at Exchange server that I am missing. It will be really nice if you could provide some information reg. this.

Sorry for contacting you through a blog URL but didn't have any other option :)

If you can provide your contact info, it will be nice.

Thanks so much.

Medha
(medha_atre AT hotmail DOT com)


 
Thanks for reading my article.

I have 2 questions
1. How are you registering your event sink, a code snippet would help to diagnoise the issue.

2. Are you trying to talk to exchange server installed on a remote server ?! If yes, the approach is wrong, as event sinks are server side applications. (Remember file://./ maps to your M Drive of Exchange Server)


 
[url=http://ivlkrwnnz.com]QxXkV[/url] - wmvfeS - http://yuxeflk.com


 
Post a Comment

This page is powered by Blogger. Isn't yours?