These are not IE vulnerabilities.
In all, you have described several ways to do some basic ressource
exhaustion by using Internet Explorer as well as an abnomaly in the Apache
server and a possible exploitable buffer overflow in Outlook Express. The
latter is definitely interesting, provided it is exploitable at all, but the
first items are not security vulnerabilities - details below.
MAILTO: links simply open your default mail application, creates a new
message and inserts the address in the To field. Whether or nor MS properly
validates the format of the address is one thing but it is hardly a security
vulnerability in IE. The only net effect of this is that you can insert
arbitrary characters into the To field of an email message, which does not
accomplish anything except ressource exhaustion when you open thousands of
these.
The lack of input validation in the SNEWS: URI simply means that you can add
items to the list of servers in OE. Add a few thousands and we are possibly
talking ressource exhaustion, but these can all be removed again without any
other side effects.
I was not able to disable backspace as you suggested by manually writing a
link in the addressbar and clicking Enter, and even if I could I fail to see
how this is a security vulnerability that could be used for "abusing simple
people".
Requesting a file called "styles" when a "style.css" file exists and having
the contents from "styles.css" returned instead of a "404 Not Found" HTTP
error is not a problem with IE, but a problem with Apache.
Basic packet capturing and analysis will show you that IE is not requesting
"something.css", but requesting "something" as you asked it to and,
incorrectly, receiving "something.css" with incorrect headers from Apache.
When Apache receives a request for "something" and "something.css" exists,
it returns a "Content-Location: $yourRequest.css" header and includes the
content of "something.css" in the response to the client, but incorrectly
fails to include a "Content-Type: text/css" header. The lack of a proper
MIME type for the content is the reason why you get an error box in IE, yet
IE's internal content handler recognizes the CSS in the response from Apache
and opens whichever application you have assigned to handle CSS files - in
your case, Frontpage. IIS does the proper thing and returns a "404 Not
Found" HTTP error.
In your script examples you are calling a method called document.refresh;
there is no refresh method on the document object, rather there is a reload
method on the location object, location.reload(), as well as a Refresh
argument to the execCommand method on the document object,
document.execCommand("Refresh").
Also, the "long report error" with NNTP links is all it is - an error from
Outlook Express that it does not recognize the format. This is not a
vulnerability but simply a message box, which is even what you would like to
have had instead of the lack of input validation on MAILTO and SNEWS.
Personally, I could not reproduce your buffer overflow in OE which should
occur when adding a news server with a long name. Automatically adding
servers to the list of news servers is plain ressource exhaustion, but I
could not find any overflows, exploitable or not, on my OE6 installations.
I reported a similar exploitable buffer overflow in News server names in
Outlook Express to Microsoft about a year ago, but it was only exploitable
once you unsubscribed from the news server. It was since then silently
patched (I didn't get a communication about that) but I guess they just
moved the overflow around (provided others can reproduce your findings).
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>
-----Original Message-----
From: Rafel Ivgi, The-Insider [mailto:theinsider@012.net.il]
Sent: Tuesday, January 20, 2004 1:08 PM
To: bugtraq@securityfocus.com
Subject: Internet Explorer - Multiple Vulnerabilities
Snip
http://www.securityfocus.com/archive/1/350423/2004-01-18/2004-01-24/0
Snip
http://smallurl.com?i=5831
