[27588] in bugtraq
Multiple issues in internet explorer/outlook
daemon@ATHENA.MIT.EDU (John C. Hennessy)
Thu Oct 24 16:17:31 2002
Message-ID: <00aa01c27b0d$ceaa6520$6501a8c0@kibble>
From: "John C. Hennessy" <johnh@dawg.net>
To: <bugtraq@securityfocus.com>
Date: Wed, 23 Oct 2002 23:31:08 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00A3_01C27AEC.43C85C30"
------=_NextPart_000_00A3_01C27AEC.43C85C30
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
John C. Hennessy
Information security analyst
"They that give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -- Benjamin Franklin, 1759
------=_NextPart_000_00A3_01C27AEC.43C85C30
Content-Type: text/plain;
name="BL-200202.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="BL-200202.txt"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple issues with windows XP. By John C. Hennessy <johnh@dawg.net>
Microsoft was notified 30 days ago as to these problems. Their response
was that these were not security issues.
(-Issue #1-)
In internet explorer it is possible to use malicious html to cause denial
of service.
Example1 for Windows XP:
view-source:file://c|/pagefile.sys
This will cause notepad to open to pagefile.sys if it exists.
Example2 for Windows XP:
view-source:http://someip:chargen
This will cause IE to continuously take up more and more memory as the
server specified transmits a constant stream.
(-Issue #2-)
Using malicious html and scripting it is possible to DDoS a target.
Example1 for Windows XP:
By injecting the following into a webpage you can generate a large
amount of data to a target host from visitors' internet explorer
sessions.
[IMG src="javascript"for (i = 1; i <= 5000; i++) {
window.location.replace ('file:////targetip/')};')"]
The target will receive a large number of connection attempts on port 80. If
port 80 is open on the target IE will also attempt to initiate a WebDAV
session for each request, resulting in more traffic to the target.

Another way to accomplish this is to use the same piece of javascript but
use http://targetip: and increment port numbers with the loop.
(-Issue #3-)

It is possible to fill someone's outlook express client with "bogus"
news server accounts

Example1 for Windows XP:

news://randomtext

This will create a news account for "randomtext". This can be looped in
java script and hidden in HTML tags. Modification to the javascript above
can easily accomplish this.

(-Issue #4-)

It is possible to create malicious e-mail and force outlook express to
open it.
You'll need the following code to reproduce this
(http://polaris.dawg.net/~johnh/microsoft/evilnews.c)

Example1 for Windows XP:

This basically pretends to be an NNTP server and feeds an article to
outlook when requested.
Enter the following url into internet explorer.
news://ipofthecode/evilness@thenewsstand
This will spawn a received email window on the machine.
--------------------------------------------------------------------------------
#&DocRev;3#
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBPbdpCQlqzZaeb3NpEQLPMACgnmVtRqv4YdJMBnvH77Tyvnked0cAoNxD
SWa3AdB/RwOWot6bJnQWlga0
=elfD
-----END PGP SIGNATURE-----
------=_NextPart_000_00A3_01C27AEC.43C85C30--
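The issues above all start from a URL with an unusual scheme placed in an HTML attribute (a `view-source:` or `file:` reference, a `javascript:` image source, or a `news:` link that drives the mail client). The following is an added example, not code from the advisory or from its author: a small defender-side HTML scanner that flags URL-bearing attributes whose scheme is one a mail gateway or web proxy would not expect in ordinary content. The attribute list, the scheme list and the sample HTML are constructed for the example, and the sample deliberately hides a tab inside the scheme (`java&#9;script:`) to show that the check must normalise control characters before comparing, since legacy browsers ignored them.

```python
"""Flag risky URL schemes in HTML attributes (defender-side content check)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes that carry URLs the browser will fetch or navigate to
# (hypothetical list for this example, not exhaustive).
URL_ATTRS = {"src", "href", "action", "background", "data", "lowsrc"}

# Schemes the advisory shows being reached from a web page: script URLs,
# view-source: on local files, file:// UNC paths and news:// handler URLs.
RISKY_SCHEMES = {"javascript", "vbscript", "view-source", "file", "news", "nntp"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_scheme(value: str) -> Optional[str]:
    """Return the normalised scheme of an attribute value, or None.

    Whitespace and ASCII control characters are removed first because legacy
    browsers ignored them inside the scheme, so "java\\tscript:" must still be
    recognised as javascript:. Case is folded for the same reason.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    match = _SCHEME_RE.match(cleaned)
    return match.group(1) if match else None


class RiskyURLScanner(HTMLParser):
    """Collect (tag, attribute, scheme, raw value) for every risky URL found."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True decodes &#9; etc. in values
        self.findings: List[Tuple[str, str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in URL_ATTRS:
                continue
            scheme = url_scheme(value)
            if scheme in RISKY_SCHEMES:
                self.findings.append((tag, name, scheme, value))


def scan_html(html: str) -> List[Tuple[str, str, str, str]]:
    """Parse the document and return all risky URL attribute findings."""
    scanner = RiskyURLScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign link and image, plus three attribute
# values of the kinds the advisory describes (scheme obfuscated with a tab).
SAMPLE_HTML = """
<html><body>
<a href="http://example.test/ok.html">fine</a>
<a href="view-source:file://c|/pagefile.sys">open</a>
<img src="java&#9;script:for(;;){location.replace('file:////target/')}">
<a href="news://randomtext">news</a>
<img src="https://example.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, scheme, value in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> uses {scheme}: scheme -> {value!r}")
```

The scanner reports three findings for the sample (`view-source`, `javascript`, `news`) and passes the `http`/`https` references. A scheme that is merely unknown (for instance a Windows drive letter such as `c:`) is returned by `url_scheme` but not flagged, so the policy lives entirely in `RISKY_SCHEMES` and can be tuned per gateway.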