Bugtraq mailing list archives
Re: Internet Explorer Bug #4
From: sbirn () NETMEDIA NET IL (Steve Birnbaum)
Date: Sat, 15 Mar 1997 20:44:14 +0200
Alain.Thivillon () ALMA FR said:
What saves Win95 is that it does not understand the \\<IP-Address>\SHARE CIFS syntax. But on a local network with broadcast name resolution ... And with previous bugs of Internet Explorer, you know how to add lines to LMHOSTS via Web browser :(
Assuming that someone has patched all the exposed bugs in MSIE and is intelligent enough not to check the box that disables the patch, the problem is getting the hostile Samba server into the browse list of an NT server on the same subnet as the Win95 box. Forgetting about finding a way to get someone to sit down on the console of the NT machine and trying to get to your web site, is it possible to spoof a WINS sync to that NT server? Hobbit's paper shows that NT trusts you to be who you say you are when connecting for a CIFS share. I'm curious if there is any more security involved in the case of an NT server that is set up to synchronize WINS tables with other NT servers.

Once you can get the IP address of a modified Samba server into the victim's NT server's browse list, I think it would require less effort to find someone with a Win95 machine on the victim's network who is willing to go to the hostile web page than a user on the NT's console. If the passwords can be sent cleartext, then you also saved yourself a lot of work. You may even get lucky and find someone with admin access on the NT server.

Steve

--
Steve Birnbaum - System Administrator, NetMedia. Jerusalem, Israel.
sbirn () netmedia net il   Phone: +972-2-6795860
--Standard Disclaimer--
"Windows NT: The lusers think it's pretty" - buzz () warbeast com
Boycott Internet Spam! http://www.vix.com/spam/
(PGP key available)