<html>
<head>
<title>Pocket IE Attack Test Page</title>
</head>

<body>
<p><strong><a href="https://www.airscanner.com"><img src="../../images/logo.jpg" width="161" height="54" border="0"></a></strong></p>
<p><strong>Note: this will only work in Pocket IE on a Windows Mobile Pocket PC</strong></p>
<p><strong>Pocket IE Attack Overview</strong><br>
  There are several weaknesses in Pocket IE that can be used to trick end users 
  into submitting local and/or sensitive data, such as usernames and passwords. 
  The potential for exploiting these vulnerabilities are restricted only by an 
  attacker’s imagination. However, Pocket IE is not as powerful as its big 
  brother, and as such, an attacker is limited in what techniques she can use 
  to launch the attack. For example, Pocket IE has no support for the IFrame tag, 
  which is extremely useful in XSS and browser-based attacks. In addition, Pocket 
  IE does not support every JavaScript command commonly used by attackers. The 
  final example presented below is an attempt to combine these individual flaws 
  into one attack and is only meant to serve as a proof of concept. </p>
<p><strong>Flaw 1: Unicode URL Obsfucation</strong><br>
  Severity: Low<br>
  This particular attack is not new and has previously plagued PC-based browsers. 
  Pocket IE (Windows Mobile SE 2003) is also vulnerable to this problem. In addition, 
  Pocket IE processes the http protocol in a </p>
<protocol>://user:pass@website format. This itself is not a problem, but 
when combined with a Unicode URL it can cause confusion and mislead end users.<br>
  <br>
  Example: <br>
  https://www.airscanner.com = 69.0.200.106 = %36%39%2E%30%2E%32%30%30%2E%31%30%36<br>
  <br>
  Abuse: https://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/<br>
  Will take you to https://www.airscanner.com/ not https://www.paypal.com<br>
<strong><br>
Flaw 2: Local File Access</strong><br>
Pocket IE will launch local files and either load them into the browser for viewing 
or launch them using their default program. This includes, but is not limited 
to, the following file types (these links are subject to OEM variations and may 
or may not work on your PDA). Click on each file type to test: 
<ul>
  <li><a href="file://\windows\VehicleML.pxt')"><u>xls</u></a></li>
  <li> <a href="file://\windows\clndr.htm"><u>htc & htp (in IE)</u></a></li>
  <li> <a href="file://\windows\Backlight.cpl')"><u>cpl items</u></a></li>
  <li> <a href="file://\windows\initdb.ini')"><u>ini files (in IE)</u></a></li>
  <li> <a href="file://\windows\Win_Start.2bp')"><u>2bp images (in IE)</u></a></li>
  <li> <a href="file://\windows\StartUp')"><u>go to any folder</u></a></li>
  <li> <a href="file://\%00')"><u>go to 00 (root) folder</u></a></li>
</ul>
<p><strong>Flaw 3: <div> Tag XSS</strong><br>
  Severity: Low<br>
  Strictly speaking, this is not a flaw. However, it helps provide a vector for 
  attack, so it is worth mentioning. As it turns out, if a local file can be loaded 
  into a framed window in Pocket IE, and this local file contains a named <div></div> 
  section, then that section can be overwritten from a cojoined framed webpage. 
  This is accomplished via JavaScript using 'innerHTML'. With this ability, the 
  loaded local webpage can be overwritten by a loaded remote webpage. This type 
  of attack does not work against webpages loaded from a remote host.</p>
<p><strong>Combination Attack</strong><br>
  The following example assumes one thing: that the attacker knows a folder name 
  of the temporary IE store. These folders are randomly named each time a PDA 
  is hard reset. Once set, they will remain as created even if deleted. The proof 
  of concept assumes you know this folder name, or have access to this information. 
  It only takes a second to browse to the '\Windows\Profiles\guest\Temporary Internet 
  Files\Content.IE5' directory to learn these folder names.</p>
<p>This attack will demonstrate how having access to a local file can be a problem. 
  Via URL obfuscation, <div> based XSS, and local file access, this attack 
  will demonstrate how a www.paypal.com username/password information can be captured 
  from an unsuspecting end user. The following steps demonstrate this flaw. All 
  captured information will be emailed to your 'paypal' email address...really, 
  you can trust me. </p>
<ol>
  <li>Clear Pocket IE history, cookie cache, and files (Tools-->Memory in Pocket 
    IE) and reboot device.</li>
  <li> Look up www.paypal.com into Pocket IE.</li>
  <li> Open File Explorer and go to \Windows\Windows\Profiles\guest\Temporary 
    Internet Files\Content.IE5\ directory and locate file 'paypal[1]'. Note the 
    folder name.</li>
  <li> Go to <a href="https://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/tests/ie_flaw/ie1.htm">https://www.paypal.com</a> 
    and enter folder name when prompted (you must click this link, this takes 
    you to https://www.airscanner.com/tests/ie_flaw/ie1.htm, not paypal.com).</li>
  <li> Let page 'load' and hit 'Yes' for certificate requests.</li>
  <li>Enter username and password and submit.</li>
</ol>
<p>You will be sent to a page that briefly shows you the captured information, 
  and then passed to Paypal.com for actual login. Thats it...but that should be 
  enough.</p>
<p>We have notified Microsoft of this flaw.<br>
  Credit: Seth Fogie Jan 22, 2005<br>
  &copy; 2005 <a href="https://www.airscanner.com">Airscanner Corp</a>. <br>
</p>
<p><br>
</p>
</body>
</html>