What? I was trying to access my bank’s web page, but instead of the page I was presented with this message. Is the web site down? Nope, doesn’t seem to be. It pings with no problem. I’m firing up Firefox, and voila – the web page appears before my eyes. Is something wrong with IE? Did I unknowingly install a rogue browser extension, spyware or adware? The fact that it’s a bank’s site made me suspicious.
Or is it just IE8? I’m trying compatibility mode – nope, the same result. Trying IE8 from another machine. Works like a charm! This is starting to look very troubling. OK, it’s time for serious investigation.
Perhaps Autoruns can tell me what’s going on? It’s a Sysinternals tool. I’m looking through IE BHOs, Winsock providers, other stuff that’s in there. Nothing stands out. Everything looks normal.
Perhaps it’s the anti-virus? Or VMware network services? Shutting everything down. Still nothing.
OK, let’s take a look at what happens at the network level. Launching Wireshark. Capturing some network packets, and what am I seeing? IE8 sends a DNS query for the bank’s site. The query resolves OK. Then it establishes the connection: SYN, SYN+ACK, ACK – so far so good. Then it sends an HTTP GET. And the very next packet it receives from the site is an RST. No wonder it can’t display the web page! The site just drops the connection.
I’m relieved. At least it’s not spyware.
But why the hell does it drop the connection on IE8 whereas Firefox works just fine? It must be something with the User-Agent string. I’m looking at the string and I can’t believe how long it is. There’s all sorts of crap in there:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 1.1.4322; Origami Experience 1.1; .NET CLR 3.5.21022; Zune 3.0; .NET CLR 3.5.30729; .NET CLR 3
In fact, it’s so long that IE doesn’t even send the whole string.
Time to fix it. I quickly find the user agent in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
Delete everything, leaving just a single entry for CLR 2 and CLR 3. Restart IE. And… Tada! The web page displays correctly.
So the user agent string was too long for the web server to handle. Maybe it thought I was trying to DoS it? Or better yet, it was running into a buffer overflow. I don’t know. But it certainly looks like a bad piece of software that site runs on.
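The following Python script is an added example, not code from the post or from any tool the author used. It shows the two things worth checking when a User-Agent string is suspected of being too long: how many bytes the header line actually occupies on the wire, and how far a cleanup like the registry edit above (keeping one .NET CLR entry for CLR 2 and one for CLR 3) brings it down. It also includes a stand-in server that refuses requests with an over-long header line, mimicking the reset the author saw in Wireshark. Everything in it is assumed: the 200-byte limit is a hypothetical value (the post never learns the real one), the rule that the first four comment tokens are built into IE8 and the rest come from the registry is an assumption, and the complete sample string is constructed to match the shape of the one in the post (the post's own string is also included, exactly as IE truncated it).

```python
import re

# Constructed sample User-Agent in the shape of the one the post shows. It is
# not the author's exact string (IE cut that one off mid-token), just a
# plausible complete version for testing.
SAMPLE_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; "
    ".NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 1.1.4322; "
    "Origami Experience 1.1; .NET CLR 3.5.21022; Zune 3.0; .NET CLR 3.5.30729; "
    ".NET CLR 3.0.30729)"
)

# The string exactly as the post shows it, cut off by IE before the closing ')'.
TRUNCATED_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; "
    ".NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 1.1.4322; "
    "Origami Experience 1.1; .NET CLR 3.5.21022; Zune 3.0; .NET CLR 3.5.30729; "
    ".NET CLR 3"
)

# Hypothetical per-header-line limit for the receiving server. The post only
# says the server reset the connection; the real limit is unknown.
MAX_HEADER_LINE = 200

# Assumption: the first four comment tokens (compatible, MSIE, Windows NT,
# Trident) are built into IE8; everything after them comes from the registry
# key the post edits and is what the cleanup trims.
BASE_TOKEN_COUNT = 4

CLR_RE = re.compile(r"^\.NET CLR (\d+)\.")


def parse_user_agent(ua):
    """Split 'Product/ver (tok; tok; ...)' into (product, tokens, truncated).

    truncated is True when the comment never closes, which is how a string
    cut off in flight (as in the post's capture) shows up.
    """
    ua = ua.strip()
    m = re.fullmatch(r"(\S+)\s*\((.*?)\)?", ua, re.DOTALL)
    if not m:
        return ua, [], False
    tokens = [t.strip() for t in m.group(2).split(";") if t.strip()]
    return m.group(1), tokens, not ua.endswith(")")


def build_user_agent(product, tokens):
    return f"{product} ({'; '.join(tokens)})"


def header_line_length(ua):
    """Bytes the header line occupies on the wire, CRLF included."""
    return len(f"User-Agent: {ua}\r\n".encode("latin-1"))


def trim_post_platform(tokens, keep_majors=("2", "3")):
    """Keep the built-in tokens plus one .NET CLR token per listed major
    version, mirroring the post's cleanup (one CLR 2 entry, one CLR 3)."""
    base, extra = tokens[:BASE_TOKEN_COUNT], tokens[BASE_TOKEN_COUNT:]
    seen, kept = set(), []
    for tok in extra:
        m = CLR_RE.match(tok)
        if m and m.group(1) in keep_majors and m.group(1) not in seen:
            seen.add(m.group(1))
            kept.append(tok)
    return base + kept


def build_request(ua, host="bank.example"):
    """Raw HTTP/1.1 GET carrying the given User-Agent (constructed, not captured)."""
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n"
        f"Accept: */*\r\nConnection: close\r\n\r\n"
    ).encode("latin-1")


def server_accepts(request, max_line=MAX_HEADER_LINE):
    """Stand-in for the bank's server: refuse (as it did with an RST) when any
    header line, CRLF included, exceeds max_line bytes; otherwise accept."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        if len(line) + 2 > max_line:
            return False
    return True


def fix_user_agent(ua, max_line=MAX_HEADER_LINE):
    """Return (trimmed_ua, fits_before, fits_after) for the given limit."""
    product, tokens, _ = parse_user_agent(ua)
    trimmed = build_user_agent(product, trim_post_platform(tokens))
    return (trimmed,
            header_line_length(ua) <= max_line,
            header_line_length(trimmed) <= max_line)


if __name__ == "__main__":
    trimmed, before, after = fix_user_agent(SAMPLE_UA)
    print(f"original: {header_line_length(SAMPLE_UA)} bytes, fits={before}")
    print(f"trimmed:  {header_line_length(trimmed)} bytes, fits={after}")
    print(trimmed)
    _, _, cut = parse_user_agent(TRUNCATED_UA)
    print(f"post's captured string truncated: {cut}")
```

Running it prints the before/after byte counts and the trimmed string, and reports the post's captured string as truncated because its comment never closes. The trimming rule is deliberately the author's (keep one CLR 2 and one CLR 3 entry); everything else after the built-in tokens is dropped, which is why the header line shrinks by more than half in this sample.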