ie_attack.htm

Posted Jan 27, 2005
Authored by Seth Fogie | Site airscanner.com

Pocket IE on a Windows Mobile Pocket PC suffers from Unicode URL obfuscation, local file access, and cross site scripting vulnerabilities.

tags | exploit, local, vulnerability, xss
systems | windows
SHA-256 | bec395013c609fcafb8b6c84f0300549081528029323dea25c5102ec9493c217

<html>
<head>
<title>Pocket IE Attack Test Page</title>
</head>

<body>
<p><strong><a href="http://www.airscanner.com"><img src="../../images/logo.jpg" width="161" height="54" border="0"></a></strong></p>
<p><strong>Note: this will only work in Pocket IE on a Windows Mobile Pocket PC</strong></p>
<p><strong>Pocket IE Attack Overview</strong><br>
There are several weaknesses in Pocket IE that can be used to trick end users
into submitting local and/or sensitive data, such as usernames and passwords.
The potential for exploiting these vulnerabilities is restricted only by an
attacker's imagination. However, Pocket IE is not as powerful as its big
brother, and as such, an attacker is limited in what techniques she can use
to launch the attack. For example, Pocket IE has no support for the IFrame tag,
which is extremely useful in XSS and browser-based attacks. In addition, Pocket
IE does not support every JavaScript command commonly used by attackers. The
final example presented below is an attempt to combine these individual flaws
into one attack and is only meant to serve as a proof of concept. </p>
<p><strong>Flaw 1: Unicode URL Obfuscation</strong><br>
Severity: Low<br>
This particular attack is not new and has previously plagued PC-based browsers.
Pocket IE (Windows Mobile SE 2003) is also vulnerable to this problem. In addition,
Pocket IE processes the http protocol in a &lt;protocol&gt;://user:pass@website
format. This itself is not a problem, but when combined with a Unicode URL it
can cause confusion and mislead end users.</p>
<br>
Example: <br>
http://www.airscanner.com = 69.0.200.106 = %36%39%2E%30%2E%32%30%30%2E%31%30%36<br>
<br>
Abuse: http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/<br>
Will take you to http://www.airscanner.com/ not http://www.paypal.com<br>
<strong><br>
Flaw 2: Local File Access</strong><br>
Pocket IE will launch local files and either load them into the browser for viewing
or launch them using their default program. This includes, but is not limited
to, the following file types (these links are subject to OEM variations and may
or may not work on your PDA). Click on each file type to test:
<ul>
<li><a href="file://\windows\VehicleML.pxt')"><u>xls</u></a></li>
<li> <a href="file://\windows\clndr.htm"><u>htc & htp (in IE)</u></a></li>
<li> <a href="file://\windows\Backlight.cpl')"><u>cpl items</u></a></li>
<li> <a href="file://\windows\initdb.ini')"><u>ini files (in IE)</u></a></li>
<li> <a href="file://\windows\Win_Start.2bp')"><u>2bp images (in IE)</u></a></li>
<li> <a href="file://\windows\StartUp')"><u>go to any folder</u></a></li>
<li> <a href="file://\%00')"><u>go to 00 (root) folder</u></a></li>
</ul>
<p><strong>Flaw 3: &lt;div&gt; Tag XSS</strong><br>
Severity: Low<br>
Strictly speaking, this is not a flaw. However, it helps provide a vector for
attack, so it is worth mentioning. As it turns out, if a local file can be loaded
into a framed window in Pocket IE, and this local file contains a named &lt;div&gt;&lt;/div&gt;
section, then that section can be overwritten from a conjoined framed webpage.
This is accomplished via JavaScript using 'innerHTML'. With this ability, the
loaded local webpage can be overwritten by a loaded remote webpage. This type
of attack does not work against webpages loaded from a remote host.</p>
<p><strong>Combination Attack</strong><br>
The following example assumes one thing: that the attacker knows a folder name
of the temporary IE store. These folders are randomly named each time a PDA
is hard reset. Once set, they will remain as created even if deleted. The proof
of concept assumes you know this folder name, or have access to this information.
It only takes a second to browse to the '\Windows\Profiles\guest\Temporary Internet
Files\Content.IE5' directory to learn these folder names.</p>
<p>This attack will demonstrate how having access to a local file can be a problem.
Via URL obfuscation, &lt;div&gt;-based XSS, and local file access, this attack
will demonstrate how www.paypal.com username/password information can be captured
from an unsuspecting end user. The following steps demonstrate this flaw. All
captured information will be emailed to your 'paypal' email address...really,
you can trust me. </p>
<ol>
<li>Clear Pocket IE history, cookie cache, and files (Tools-->Memory in Pocket
IE) and reboot device.</li>
<li> Load www.paypal.com in Pocket IE.</li>
<li> Open File Explorer and go to \Windows\Windows\Profiles\guest\Temporary
Internet Files\Content.IE5\ directory and locate file 'paypal[1]'. Note the
folder name.</li>
<li> Go to <a href="http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/tests/ie_flaw/ie1.htm">http://www.paypal.com</a>
and enter folder name when prompted (you must click this link, this takes
you to http://www.airscanner.com/tests/ie_flaw/ie1.htm, not paypal.com).</li>
<li> Let page 'load' and hit 'Yes' for certificate requests.</li>
<li>Enter username and password and submit.</li>
</ol>
<p>You will be sent to a page that briefly shows you the captured information,
and then passed to Paypal.com for actual login. That's it...but that should be
enough.</p>
<p>We have notified Microsoft of this flaw.<br>
Credit: Seth Fogie Jan 22, 2005<br>
&copy; 2005 <a href="http://www.airscanner.com">Airscanner Corp</a>. <br>
</p>
<p><br>
</p>
</body>
</html>
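The decoy URL in Flaw 1 and the combination attack works because the reader sees the text before the "@" while the browser connects to the percent-encoded address after it, and the Flaw 2 links work because a web page is allowed to hand the browser a file:// path. The following added example (written for this page; it is not Airscanner's code or part of the original advisory) is a link audit a defender could run over fetched HTML or proxy logs: it extracts every href, undoes the percent-encoding on the host, and reports where the request really goes versus what a user would read. The SAMPLE_HTML is constructed to mirror the page's own links; the function names and the output format are this example's own choices.

```python
# Added example for this advisory (not Airscanner's code): audit the hrefs in
# an HTML page for the two URL tricks described above, userinfo host spoofing
# with a percent-encoded host (Flaw 1) and file:// links into the local
# filesystem (Flaw 2). The sample HTML is constructed to mirror the page's links.
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed sample: a plain link, the decoy link and a file:// link in the
# style of the page.
SAMPLE_HTML = r"""
<a href="http://www.airscanner.com">home</a>
<a href="http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/tests/ie_flaw/ie1.htm">paypal</a>
<a href="file://\windows\clndr.htm">calendar</a>
"""


class LinkCollector(HTMLParser):
    """Collects every href value from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def audit_url(url):
    """Return what a user would read versus where the request really goes,
    plus the reasons the URL is considered suspicious (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() == "file":
        reasons.append("file: scheme opens a local path from a web page")

    raw_host = parts.hostname or ""
    effective_host = unquote(raw_host)  # undo the %36%39... encoding of the host
    if effective_host != raw_host:
        reasons.append("host is percent-encoded: %s -> %s" % (raw_host, effective_host))

    try:
        ip_address(effective_host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    # A userinfo part ("user:pass@") is legal, but a userinfo that looks like
    # a well-known domain is the classic decoy: the reader sees the text
    # before '@', the browser connects to the host after it.
    apparent_host = effective_host
    if parts.username is not None:
        apparent_host = unquote(parts.username)
        if "." in apparent_host:
            reasons.append("userinfo %r resembles a hostname; real host is %r"
                           % (apparent_host, effective_host))

    return {
        "url": url,
        "apparent_host": apparent_host,
        "effective_host": effective_host,
        "host_is_ip": host_is_ip,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def audit_links(html):
    """Audit every href found in the given HTML text."""
    return [audit_url(href) for href in extract_links(html)]


if __name__ == "__main__":
    for result in audit_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(flag, result["url"])
        for reason in result["reasons"]:
            print("   ", reason)
```

Run stand-alone, the script marks the airscanner.com link as ok and the other two as suspicious: the decoy resolves to the bare IP 69.0.200.106 while its userinfo begins with www.paypal.com, and the calendar link is a file: scheme. The same three checks (file scheme, percent-encoded host, hostname-like userinfo) are cheap enough to run in a mail gateway or proxy filter, where rendering the decoded host next to the visible text is usually enough for a reviewer to spot the trick.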