Multiple issues in internet explorer/outlook

John C. Hennessy
Information security analyst
"They that give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -- Benjamin Franklin, 1759
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple issues with windows XP. By John C. Hennessy <johnh@dawg.net>
Microsoft was notified 30 days ago as to these problems. Their response 
was that these were not security issues. 

 (-Issue #1-)

 In Internet Explorer it is possible to use malicious HTML to cause a denial
 of service.

 Example1 for Windows XP:

 view-source:file://c|/pagefile.sys

 This will cause notepad to open to pagefile.sys if it exists.

 Example2 for Windows XP:

 view-source:http://someip:chargen

 This will cause IE to continuously take up more and more memory as the
 specified server transmits a constant stream.

 (-Issue #2-)

 Using malicious HTML and scripting it is possible to DDoS a target.

 Example1 for Windows XP:

 By injecting the following into a webpage you can generate a large
 amount of data to a target host from visitors' Internet Explorer
 sessions.

 [IMG src="javascript"for (i = 1; i <= 5000; i++) {
 window.location.replace  ('file:////targetip/')};')"]

 The target will receive a large number of connection attempts on port 80. If
 port 80 is open on the target, IE will also attempt to initiate a WebDAV
 session for each request, resulting in more traffic to the target.
 
 Another way to accomplish this is to use the same piece of JavaScript but
 use http://targetip: and increment port numbers with the loop.

 (-Issue #4-)
 
 It is possible to fill someone's Outlook Express client with "bogus"
 news server accounts.
 
 Example1 for Windows XP:
 
 news://randomtext
 
 This will create a news account for "randomtext". This can be looped in
 JavaScript and hidden in HTML tags. Modification to the JavaScript above
 can easily accomplish this.
 
 (-Issue #4-)
 
 It is possible to create malicious e-mail and force Outlook Express to
 open it.
 You'll need the following code to reproduce this:
 (http://polaris.dawg.net/~johnh/microsoft/evilnews.c)
 
 Example1 for Windows XP:
 
 This basically pretends to be an NNTP server and feeds an article to
 Outlook when requested.
 Enter the following URL into Internet Explorer.

 news://ipofthecode/evilness@thenewsstand

 This will spawn a received email window on the machine. 


- ------------------------------------------------------------------------------------------------
#&DocRev;3#



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPbdpCQlqzZaeb3NpEQLPMACgnmVtRqv4YdJMBnvH77Tyvnked0cAoNxD
SWa3AdB/RwOWot6bJnQWlga0
=elfD
-----END PGP SIGNATURE-----
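
A content filter for the URL forms this advisory describes, as an added example that is not part of the original advisory: it parses HTML before it reaches a browser or mail client and reports `view-source:`, `news://`, remote-host `file:` and `javascript:` URLs found in URL-bearing attributes and script bodies. The rule names, the `scan` function and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# One rule per URL form the advisory shows IE / Outlook Express acting on.
RULES = [
    ("view-source", re.compile(r"view-source:", re.I)),
    ("news-url", re.compile(r"\bnews://", re.I)),
    # file: URL that names a remote host (file:////host/), not a local drive letter
    ("file-remote-host", re.compile(r"file:/{2,4}(?![a-z][:|])[^/\s'\"]+/", re.I)),
    ("javascript-url", re.compile(r"^\s*javascript\s*:", re.I)),
]
URL_ATTRS = {"src", "href", "background", "action", "data"}

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (rule name, location) in document order
        self._script = None  # buffered text of the <script> being read

    def _check(self, text, where):
        for name, rx in RULES:
            if rx.search(text):
                self.findings.append((name, where))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        for key, value in attrs:
            if value and (key in URL_ATTRS or key.startswith("on")):
                self._check(value, f"{tag}[{key}]")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check("".join(self._script), "script")
            self._script = None

def scan(html):
    """Return the list of (rule, location) findings for one HTML document."""
    s = Scanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample input; 192.0.2.10 is a documentation-only address.
SAMPLE = """<a href="view-source:http://192.0.2.10:19/">x</a>
<a href="news://randomtext">y</a>
<img src="javascript:void(0)">
<script>window.location.replace('file:////192.0.2.10/');</script>"""
```

Local-drive `file:` URLs such as `file:///C:/docs/readme.txt` are deliberately not flagged by the remote-host rule; a local path wrapped in `view-source:` is still caught by the first rule.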
