--Boundary_(ID_BUnokhYfmlvgvnrASlfJWQ)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
Running Windows NT 4.0/sp3 and I.E. 4.0 (4.71.1712.6) 128-bit =
extensions:
res://abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abc=
defghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijkl=
mnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstu=
vwxyz123456abcdefghijklmnopqrstuvwxyz123456abcd/
returns:
/-
Internet Explorer cannot open the internet site ".."=20
The specified module could not be found.
\-
but
res://abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abc=
defghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijkl=
mnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstu=
vwxyz123456abcdefghijklmnopqrstuvwxyz123456abcde/
and longer strings return:
/-
Internet Explorer cannot open the internet site ".."=20
The filename or extension is too long.
\-
looks like a win95 centric bug to me. Note that I didn't try the =
exploit.. :-)
-----Original Message-----
From: DilDog <dildog@L0PHT.COM>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: Monday, November 10, 1997 12:37 PM
Subject: L0pht Advisory: IE4.0
=20
=20
Document: L0pht Security Advisory
URL Origin: http://l0pht.com/advisories.html
Release Date: November 1st, 1997
Application: Microsoft Internet Explorer 4.0 Suite
Severity: Viewing remote HTML content can execute arbitrary =
native code
Author: dildog@l0pht.com
Operating Sys: Windows 95
=20
=3D=3D=3D=3D=3D=3D=3D=3D
Scenario
=3D=3D=3D=3D=3D=3D=3D=3D
=20
The Microsoft Internet Explorer 4.0 Suite, including all programs =
supplied
with it that read and/or process HTML from either local machines, =
intranet
machines, or remote internet machines are subject to a buffer =
overflow in the
HTML decoding process. The buffer overflow can cause the =
application to page
fault, or in the worst case, execute arbitrary precompiled native =
code.
=20
=3D=3D=3D=3D=3D=3D=3D
Example
=3D=3D=3D=3D=3D=3D=3D
=20
1. Copy the supplied HTML file(s) into a location that is =
accessible via the
target application.
2. Point to it. Look at it.
3. Click on the link. (or let someone click it for you)
4. Become aware of what happens to your machine.
5. Freak out and beg Microsoft to make the bad man stop.
=20
The critical problem here is a buffer overflow in the parsing of a =
particular
new type of URL protocol. The "res://" type of URL is meant to =
allow access
to a local resource embedded in a local DLL file. This is useful =
for
archiving entire websites into a DLL and is not, in its truest =
concept, a
security flaw.
=20
For example, to read something out of the IE4.0 Tour (stored in a =
DLL) try
the following URL: res://ie4tour.dll/page1-6.htm
=20
The buffer overflow is on the actual filename specified. To crash =
your
machine go ahead and try res://blahblahblah ... blahblah/ in your =
Internet
Explorer window where the amount of 'blah' equals 265 characters.
=20
The function that goes through the filename and validates it is =
flawed on
Windows 95. Without checking the length, the filename is =
uppercased,
concatenated with '.DLL' if it isn't there already, and in the =
process,
copied into a fixed size buffer.
=20
=3D=3D=3D=3D=3D=3D=3D=3D
Solution
=3D=3D=3D=3D=3D=3D=3D=3D
=20
Currently, there is no solution available for this flaw. You can't =
set any
Internet Explorer options to avoid it, and you are not protected =
by any
level of zone security. Simply don't surf the web, read email or =
view
net news using Internet Explorer 4.0 until Microsoft puts up a =
hotfix.
=20
--Boundary_(ID_BUnokhYfmlvgvnrASlfJWQ)
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
--Boundary_(ID_BUnokhYfmlvgvnrASlfJWQ)-------Original = Message-----= Document: =20 L0pht Security Advisory
From:=20 DilDog <dildog@L0PHT.COM>
To: = BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
D= ate:=20 Monday, November 10, 1997 12:37 PM
Subject: L0pht = Advisory:=20 IE4.0
URL Origin: http://l0pht.com/advisories.htm= l
=20 Release Date: November 1st, 1997
= Application: =20 Microsoft Internet Explorer 4.0 = Suite
=20 Severity: Viewing remote HTML content can execute arbitrary = native=20 code
Author: dildog@l0pht.com
Operating = Sys: =20 Windows = 95
=3D=3D=3D=3D=3D=3D=3D=3D
Scenario
=3D=3D=3D=3D=3D=3D=3D=3D=
The=20 Microsoft Internet Explorer 4.0 Suite, including all programs=20 supplied
with it that read and/or process HTML from either = local=20 machines, intranet
machines, or remote internet machines = are=20 subject to a buffer overflow in the
HTML decoding process. = The=20 buffer overflow can cause the application to page
fault, = or in the=20 worst case, execute arbitrary precompiled native=20 = code.
=3D=3D=3D=3D=3D=3D=3D
Example
=3D=3D=3D=3D=3D=3D=3D
1. Copy the=20 supplied HTML file(s) into a location that is accessible via=20 the
target application.
2. = Point to=20 it. Look at it.
3. Click on the link. (or let someone = click it for=20 you)
4. Become aware of what happens to your = machine.
5.=20 Freak out and beg Microsoft to make the bad man stop.
= The=20 critical problem here is a buffer overflow in the parsing of a=20 particular
new type of URL protocol. The = "res://" type=20 of URL is meant to allow access
to a local resource = embedded in a=20 local DLL file. This is useful for
archiving entire = websites into=20 a DLL and is not, in its truest concept, a
security=20 flaw.
For example, to read something out of the IE4.0 = Tour=20 (stored in a DLL) try
the following URL:=20 res://ie4tour.dll/page1-6.htm
The buffer overflow is = on the=20 actual filename specified. To crash your
machine go ahead = and try=20 res://blahblahblah ... blahblah/ in your Internet
Explorer = window=20 where the amount of 'blah' equals 265 characters.
The = function=20 that goes through the filename and validates it is flawed = on
=20 Windows 95. Without checking the length, the filename is=20 uppercased,
concatenated with '.DLL' if it isn't there = already,=20 and in the process,
copied into a fixed size=20 = buffer.
=3D=3D=3D=3D=3D=3D=3D=3D
Solution
=3D=3D=3D=3D=3D=3D= =3D=3D
Currently,=20 there is no solution available for this flaw. You can't set = any
=20 Internet Explorer options to avoid it, and you are not protected by=20 any
level of zone security. Simply don't surf the web, = read email=20 or view
net news using Internet Explorer 4.0 until = Microsoft puts=20 up a hotfix.