what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

msiebug.htm

msiebug.htm
Posted Aug 17, 1999

No information is available for this file.

tags | paper
SHA-256 | f9078f223b7f4074cf2fe690119f78973d08d9386fe98264a85c2cc5ae795a2d
Download | Favorite | View

msiebug.htm

Change Mirror Download
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.SUN.3.94.970303111313.25374C@dfw.dfw.net>

http://www.cybersnot.com/iebug.html

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
Content-Type: TEXT/HTML; CHARSET=us-ascii; NAME="iebug.html"
Content-ID: <Pine.SUN.3.94.970303111313.25374D@dfw.dfw.net>
Content-Description:

<!-- FNORD --><!-- FNORD --><!-- FNORD -->
<HTML>
<HEAD><TITLE>Internet Explorer Bug</TITLE></HEAD>
<BODY BGCOLOR=BLACK VLINK=BLUE LINK=BLUE>
<TABLE WIDTH=580><TR><TD>
<FONT COLOR=WHITE>
<I>Cybersnot Industries</I><BR>
<FONT COLOR=RED SIZE=5><B>Internet Explorer Bug</B></FONT><BR>

<HR>
<BR>
<BR>
<FONT COLOR=RED><B>Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))</B></FONT><BR>
Microsoft Internet Explorer v3.01 (and earlier?) has a serious
bug which allows web page writers to use ".LNK" and ".URL" files
to run programs on a remote computer.  This bug is particularly damaging
because it uses NO ActiveX, and works even when Internet Explorer is set
to its highest security level.  It was tested on Microsoft Internet Explorer
Version 3.0 (4.70.1155) running Windows 95.  This demo assumes that Windows
is installed in "C:\WINDOWS".  Windows 95 DOES NOT PROMPT BEFORE EXECUTING
THESE FILES.
<P>
.URL files are WORSE than .LNK files because .URLs work in both Windows 95 and
Windows NT 4.0 (.LNK's only work in Windows 95).  .URL files present a possibly
greater danger because they can be easily created by server side scripts to meet
the specific settings of a user's system.  We will provide .URL files for
execution in the next day or so.
<P>
The "shortcuts" can be set to be minimized during execution which means that users may
not even be aware that a program has been started.  Microsoft's implementation of
shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh
to an executable.  Or worse, client side scripts (Java, JavaScript, or VBScript) can
use the Explorer object to transfer a BATCH file to the target machine and then META
REFRESH to that BATCH file to execute the rogue command in that file.
<P>
The following table outlines which areas and users each shortcut type effects:<BR>
<CENTER>
<TABLE WIDTH=400 BORDER=1>
<TR>
        <TD><FONT COLOR=WHITE>File Type</FONT></TD>
        <TD><FONT COLOR=WHITE>Windows 95</FONT></TD>
        <TD><FONT COLOR=WHITE>Windows NT</FONT></TD>
        <TD><FONT COLOR=WHITE>Execute Apps</FONT></TD>
        <TD><FONT COLOR=WHITE>Command Line Args Allowed</FONT></TD>
        <TD><FONT COLOR=WHITE>Searches Path</FONT></TD>
</TR>
<TR>
        <TD><FONT COLOR=WHITE>.LNK</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>No</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>No</FONT></TD>
</TR>
<TR>
        <TD><FONT COLOR=WHITE>.URL</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
        <TD><FONT COLOR=WHITE>No</FONT></TD>
        <TD><FONT COLOR=WHITE>Yes</FONT></TD>
</TR>
</TABLE>
<FONT SIZE=2>Security Comparision .URL vs .LNK</FONT>
</CENTER>
<P>
Naturally, the files must exist on the remote machine to be
properly executed.  But, Windows 95 comes with a variety of potentially
damaging programs which can easily be executed.  The following link will
start the standard calculator which comes with Windows 95.
<P>
<A HREF="calculator.lnk">Windows Calculator (.lnk)</A>.<BR>
<A HREF="calcnt.url">Windows Calculator (.url)</A>.
<P>
This bug can be used to wreak havoc on a remote user's machine.  The
following links will create and delete some directories.
<P>
<A HREF="mkdir.lnk">Create a directory "C:\HAHAHA"</A>.<BR>
<A HREF="explorer.lnk">Open "C:\HAHAHA"</A><BR>
<A HREF="rmdir.lnk">Remove the directory "C:\HAHAHA"</A><BR>
<P>
The META REFRESH tag can be used to execute multiple commands in sequence.
<P>
<BR>
<HR>
<FONT SIZE=2>
<FONT COLOR=RED><B>Internet Explorer Bug</B></FONT><BR>
Discovered By <A HREF="mailto:shoggothe@cybersnot.com">Paul Greene</A><BR>
Page and Examples by <A HREF="mailto:geo@cybersnot.com">Geoffrey Elliott</A>
& <A HREF="mailto:bmorin@cybersnot.com">Brian Morin</A><BR>
</TD></TR></TABLE>
</BODY>
</HTML>
<!-- FNORD --><!-- FNORD --><!-- FNORD -->
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close