Microsoft Edge/Internet Explorer Certificate Error Url Spoofing (MS16-009/MS16-011)

CVE: CVE-2016-0077
Category: CWE-347
Price: $50,000
Severity: Critical
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2016-06-16
CPE: cpe:cpe:/a:microsoft:edge:internet_explorer
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016060116

Below is a copy:

Microsoft Edge/Internet Explorer Certificate Error Url Spoofing (MS16-009/MS16-011)
Tested on Windows 10 x64
Edge Version: 20.10240.16384.0
Internet Explorer Version: 11.0.10240.16431

Overview:
Microsoft Edge is a web browser developed by Microsoft and included in the company's Windows 10 operating systems, replacing Internet Explorer as the default web browser on all device classes.

https://en.wikipedia.org/wiki/Microsoft_Edge
https://www.microsoft.com/en-us/windows/microsoft-edge

Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the Original Equipment Manufacturer (OEM) service releases of Windows 95 and later versions of Windows.

https://en.wikipedia.org/wiki/Internet_Explorer
http://windows.microsoft.com/en-us/internet-explorer/

Vulnerability description:
What do these screenshots show? A certificate error on the domain http://kacperrybczynski.com/? No! (Tip: a certificate error over HTTP?)
The error concerns a certificate, but it occurs on another domain (not http://kacperrybczynski.com/). But where?
The browser interprets headers first, then the current URL, and more... Spoofing works when Edge/IE receives a "Location:" header in the response (HTTP 302).
How can it be used in the wild? Simply by using an Open Redirect vulnerability or HTTP Response Splitting to trick the victim into accepting an insecure certificate because they trust the domain visible in the URI.

PoC:
http://kacperrybczynski.com/research/microsoft_edge_certificate_error_url_spoof/poc/

PoC source code:
<?php
header("Location: https://elo.devilteam.pl/");
?>
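
A server-side check that closes the Open Redirect and HTTP Response Splitting vectors named in the description, given here as an added example that is not part of the original advisory. It is written in Python rather than the PoC's PHP; the function name, the allow-listed hosts and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}


def safe_redirect_target(target, fallback="/"):
    """Return target if it is safe to place in a Location header, else fallback."""
    # CR/LF and other control characters enable HTTP response splitting;
    # surrounding whitespace is parsed inconsistently, so reject it too.
    if target != target.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    # Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if "\\" in target:
        return fallback
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # Absolute URL: HTTPS only, no userinfo, default port, exact host match.
    if parts.scheme != "https":
        return fallback
    if parts.username or parts.password or port not in (None, 443):
        return fallback
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return fallback
    return target
```

Only the returned value is written into the `Location:` header, so a request-supplied target can never send the browser to a host outside the allow-list.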

Reference:
https://en.wikipedia.org/wiki/Spoofed_URL

Disclosure Timeline:
2015-10-27 - Vulnerability reported to vendor
2016-02-19 - CVE-2016-0077
2016-02-19 - Release fix in Microsoft Security Bulletin MS16-009/MS16-011

Reported by:
Kacper Rybczyński (@kacperybczynski)
