Pocket IE Attack Test Page

Note: this will only work in Pocket IE on a Windows Mobile Pocket PC

Pocket IE Attack Overview
There are several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities are restricted only by an attacker’s imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept.

Flaw 1: Unicode URL Obsfucation
Severity: Low
This particular attack is not new and has previously plagued PC-based browsers. Pocket IE (Windows Mobile SE 2003) is also vulnerable to this problem. In addition, Pocket IE processes the http protocol in a

<protocol>://user:pass@website format. This itself is not a problem, but when combined with a Unicode URL it can cause confusion and mislead end users.

Example:
http://www.airscanner.com = 69.0.200.106 = %36%39%2E%30%2E%32%30%30%2E%31%30%36

Abuse: http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/
Will take you to http://www.airscanner.com/ not http://www.paypal.com

Flaw 2: Local File Access
Pocket IE will launch local files and either load them into the browser for viewing or launch them using their default program. This includes, but is not limited to, the following file types (these links are subject to OEM variations and may or may not work on your PDA). Click on each file type to test:

Flaw 3: <div> Tag XSS
Severity: Low
Strictly speaking, this is not a flaw. However, it helps provide a vector for attack, so it is worth mentioning. As it turns out, if a local file can be loaded into a framed window in Pocket IE, and this local file contains a named <div></div> section, then that section can be overwritten from a cojoined framed webpage. This is accomplished via JavaScript using 'innerHTML'. With this ability, the loaded local webpage can be overwritten by a loaded remote webpage. This type of attack does not work against webpages loaded from a remote host.

Combination Attack
The following example assumes one thing: that the attacker knows a folder name of the temporary IE store. These folders are randomly named each time a PDA is hard reset. Once set, they will remain as created even if deleted. The proof of concept assumes you know this folder name, or have access to this information. It only takes a second to browse to the '\Windows\Profiles\guest\Temporary Internet Files\Content.IE5' directory to learn these folder names.

This attack will demonstrate how having access to a local file can be a problem. Via URL obfuscation, <div> based XSS, and local file access, this attack will demonstrate how a www.paypal.com username/password information can be captured from an unsuspecting end user. The following steps demonstrate this flaw. All captured information will be emailed to your 'paypal' email address...really, you can trust me.

Clear Pocket IE history, cookie cache, and files (Tools-->Memory in Pocket IE) and reboot device.
Look up www.paypal.com into Pocket IE.
Open File Explorer and go to \Windows\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\ directory and locate file 'paypal[1]'. Note the folder name.
Go to http://www.paypal.com and enter folder name when prompted (you must click this link, this takes you to http://www.airscanner.com/tests/ie_flaw/ie1.htm, not paypal.com).
Let page 'load' and hit 'Yes' for certificate requests.
Enter username and password and submit.

You will be sent to a page that briefly shows you the captured information, and then passed to Paypal.com for actual login. Thats it...but that should be enough.