~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:  Internet Explorer & Explorer.exe
Vendors:      http://www.microsoft.com
Versions:     Windows XP Professional & Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107
Patched With: Q330994; Q822925; Q828750; Q824145;
Platforms:    Windows XP
Bug:          Internet Explorer Causing Explorer.exe - Null Pointer Crash
Risk:         Medium - D.O.S
Exploitation: Remote with browser
Date:         19 Mar 2004
Author:       Rafel Ivgi, The-Insider
e-mail:       the_insider@mail.com
web:          http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Windows XP is currently the most common operating system in the world.
This product must be as safe as it is common.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Lately a new function was discovered: "shell:".
This function allows running some new functions remotely.
There is a bug in Explorer.exe when accessing a filename with a double backslash.
For example, accessing any of the html tags below will cause Explorer to crash.

Or

Or

Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

Explorer.exe crashes when using "\\".
"\" doesn't crash it and even %5C%5C doesn't crash it.

There is a registry key which is turned on by default.
This key automatically restarts "Explorer.exe".
If this key is set to "0", Explorer.exe will not restart.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Or

Or

Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
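
A defensive check for the pattern described in section 2, added here as an example (not code from the advisory): it scans HTML for URI attributes that use the "shell:" scheme with a literal doubled backslash, and ignores the single-backslash and %5C%5C forms the advisory says do not crash Explorer.exe. The attribute list, the function and class names and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that can carry a URI (assumed list, extend as needed).
URI_ATTRS = {"href", "src", "background", "data", "action"}

# "shell:" scheme followed by a literal doubled backslash anywhere in the path.
# Per the advisory, a single "\" and the encoded form %5C%5C do not crash
# Explorer.exe, so only the literal "\\" sequence is flagged.
SHELL_DOUBLE_BS = re.compile(r"^\s*shell:\S*\\\\", re.IGNORECASE)


class ShellUriFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for each flagged URI."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # position of the tag being processed
        for name, value in attrs:
            if name in URI_ATTRS and value and SHELL_DOUBLE_BS.match(value):
                self.hits.append((line, tag, name, value.strip()))


def find_shell_uris(html):
    """Return every flagged attribute found in the given HTML text."""
    finder = ShellUriFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample markup (not the tags from the original advisory).
SAMPLE = "\n".join([
    r'<a href="shell:windows\\system32\\calc.exe">literal doubled backslash</a>',
    r'<a href="shell:windows\system32\calc.exe">single backslash</a>',
    r'<a href="shell:windows%5C%5Csystem32%5C%5Ccalc.exe">percent-encoded</a>',
    r'<a href="http://example.com/a\\b">other scheme</a>',
])

if __name__ == "__main__":
    for line, tag, name, value in find_shell_uris(SAMPLE):
        print(f"line {line}: <{tag} {name}> -> {value}")
```
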