[25181] in bugtraq
Re: NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request
daemon@ATHENA.MIT.EDU (Berend-Jan Wever)
Fri Apr 19 18:04:49 2002
Date: 19 Apr 2002 17:34:18 -0000
Message-ID: <20020419173418.11059.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Berend-Jan Wever <skylined@edup.tudelft.nl>
To: bugtraq@securityfocus.com
Hello!
I believe this vulnerability can be exploited
remotely because a browser like IE can remotely
be redirected to the UNC path or made to open a
file in a UNC path:
The following pieces of code can be in a HTML
page on the web or in a HTML email/newsgroup
message:
<IFRAME src="\\ip\sharename\......."></IFRAME> or
<IMG src="\\ip\sharename\......."> or
<SCRIPT src="\\ip\sharename\......."></SCRIPT>
...etc...
Any user that visits the page or reads the
message will locally try to open the page, and
thus allow the vulnerability to be exploited.
TO NSFOCUS: I have tried to reproduce the bug
on my win 2000 system using the above tags in a
HTML page in IE 6.0 but all I got was an 'invalid
pointer' error. Also, I have tried to reply to you
directly but the email bounced. Please give me
some more information on how to produce the
bug so I can do some testing on the remote
exploit or test the scenario explained above yourself.
Kind regards,
Berend-Jan Wever
(I am replying this late because I'm having trouble
posting to bugtraq through email and finally gave
up and did it online at the site.)
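
Added example, not part of the original post: a mail- or proxy-side check that flags HTML tags whose URL attributes point at a UNC path or a remote file: URL, the pattern the message describes. The attribute list, the function name find_unc_references and the sample markup (documentation address 192.0.2.10) are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a client fetch a resource when the markup is rendered
# (assumed list for this example; extend it for your own gateway).
URL_ATTRS = {"src", "href", "background", "data", "codebase"}

UNC_RE = re.compile(r"^\\\\([^\\/]+)")                              # \\host\share\...
FILE_RE = re.compile(r"^file:[\\/]{2}(?:[\\/]{2})?([^\\/]+)", re.I)  # file://host/share

class UNCFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser lower-cases names and decodes character references
        # (e.g. &#92;) in attribute values before we see them.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            value = value.strip()
            m = UNC_RE.match(value) or FILE_RE.match(value)
            if m:
                # Length is reported because the advisory concerns an overlong
                # request; the post gives no threshold, so none is applied.
                self.findings.append({"tag": tag, "attr": name,
                                      "host": m.group(1), "length": len(value)})

def find_unc_references(html):
    parser = UNCFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the three tags from the post plus benign references.
SAMPLE = r'''<html><body>
<IFRAME src="\\192.0.2.10\sharename\a"></IFRAME>
<IMG src="\\192.0.2.10\sharename\b.gif">
<SCRIPT src="&#92;&#92;192.0.2.10&#92;sharename&#92;c.js"></SCRIPT>
<a href="file://192.0.2.10/sharename/d.txt">d</a>
<img src="http://example.com/logo.gif">
<img src="file:///C:/local.gif">
</body></html>'''

if __name__ == "__main__":
    for finding in find_unc_references(SAMPLE):
        print(finding)
```

A gateway can strip or rewrite the flagged attributes before delivery; the http and local file:///C:/ references in the sample are not reported.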