
newsbug.txt

Posted Feb 29, 2000
Authored by Sugien | Site zoomnet.net

Netscape and Outlook are vulnerable to a DoS attack involving bogus news group file entries. Demonstration page here.

tags | exploit
SHA-256 | 2bfc1b097a8fc3f4b77fc5f10820d45099aeff86130c9d05d7dc4017d565e8b4


I created my NewsBug approximately 2-3 months ago but never did anything further with it, as I have a lot of other projects I am working on. I reported this to MS on Feb 17 while attending the W2K launch, but haven't heard anything from them since. Basically what it is: a web page or an email that is viewed in Outlook (all versions 4.0 and up) and Netscape (all versions 4.0 and up) that have been set up and are the default email and news reader, with JavaScript and HTML view enabled. When the web page is viewed it opens up OE or NS and starts making bogus news group file entries. It doesn't subscribe to them because they don't exist, but it forces the user to manually delete them. To view a POC go to: http://www.zoomnet.net/~quick/error/newsbug.html

During testing, approximately 50% of the time OE would crash before it could be stopped, and when OE is opened back up, the message saying OE wasn't shut down properly and the page is not being shown because of possible security concerns doesn't come up; instead, when OE is rebooted it comes back up and starts making them all over again. Well, that is if they have it set with the preview pane option enabled and the order of the messages is to show the newest one at the bottom.

For it to work in email it requires an additional file and if you wish to see a poc of it used in email then send me an email authorizing me to send it to you; because I am not in the habit of sending unsolicited malicious code through email.

Fix: NO known fix
Work around: Disable JavaScript

This next one, I am not sure if it is already known or not. It is sort of like Georgi Guninski's word pad code execution but it uses a .shs (scrap file). It is possible to create a .shs file that contains executable code that, when run outside of Word, will execute the code without opening Word. I only mention it because a lot of casual users are not familiar with the file extension and might run it because the icon looks like a text file. This link http://www.zoomnet.net/~quick/test/test.shs is to a file that when run will format the A:\ drive. It was created by making an .exe in VB5 Pro that does the format, compiling the file into an .exe file, then right clicking the .exe file and choosing copy, then opening Word 2K and right clicking in the document body and selecting paste, then saving the Word document and closing Word, opening Word back up and right clicking on the .exe file and selecting copy, then closing Word, right clicking on the desktop and choosing paste. The resulting file is a text scrap, test.shs, and if test.shs is opened it formats the A:\ drive without opening up Word. If they are set for double click then double clicking test.shs will format the A:\ drive, and the same if they are set for single click.

This is the first time I have contacted you. I received a link to your page from a friend and they said I should email you and tell you about these and other stuff I have created. I am NOT a hacker or anything like that; I am, however, an avid computer enthusiast. I am disabled and almost house bound, and in a lot of physical pain. In order to take my mind off the pain (which the morphine the doctors give me doesn't do much for) I have found that if I totally absorb my mind with the computer I can for short periods of time be almost pain free. I have been around computers most of my adult life, and while in the military was trained as a 26T20 (television equipment repairman) and spent most of my tour in the Army repairing main frame computers. I have NO degree in programming or any computer related discipline, but I am self-taught.

Well this is quite a lengthy email and I am sorry for the size of it. I hope to hear from you one way or the other about these.

*******************************
If at first, you don't succeed;
by all means, try again,
but....
if you don't succeed the second time,
cover up all tracks and pretend it never happened
*******************************
Paul Michael Bryant Sr.
Gladiators
1st AVN 57th AHC 1972-73
My Senior Prom was VietNam
*******************************
Fax (603) 388-3801
Dino-Soft Software Inc
http://www.zoomnet.net/~quick
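
A mail-gateway style check for the scrap-file risk described in the message above, added here as an example (it is not part of the original post or of any product's code): it walks a MIME message and flags attachments that Windows would open as a shell scrap, including masked double extensions. The `.shb` extension, the sample message and all function names are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# ".shs" is the extension named in the post; ".shb" (shortcut into a
# document) is added here as a related scrap type (assumption of this example).
SCRAP_EXTENSIONS = {".shs", ".shb"}


def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Drop any path component, then the trailing dots and spaces that
    # Windows ignores, so "a.shs. " is treated the same as "a.shs".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def find_scrap_attachments(raw_message):
    """List filenames of every MIME part that would open as a scrap file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() descends into nested multiparts
        filename = part.get_filename()  # decodes RFC 2231 encoded names
        if filename and effective_extension(filename) in SCRAP_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed sample message; attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("notes.txt", "readme.txt.shs", "REPORT.SHS.", "shs_overview.doc"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in find_scrap_attachments(build_sample()):
        print("quarantine:", name)
```

The check keys on the last extension only, so a name that merely contains "shs" elsewhere (`shs_overview.doc`) is not flagged, while `readme.txt.shs` is.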


