Bugtraq mailing list archives

Re: NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow


From: Berend-Jan Wever <skylined () edup tudelft nl>
Date: 19 Apr 2002 17:34:18 -0000



Hello!
 
I believe this vulnerability can be exploited remotely because a
browser like IE can remotely be redirected to the UNC path or made
to open a file in a UNC path:
The following pieces of code can be in an HTML page on the web or in
an HTML email/newsgroup message:
   <IFRAME src="\\ip\sharename\......."></IFRAME> or
   <IMG src="\\ip\sharename\......."> or
   <SCRIPT src="\\ip\sharename\......."></SCRIPT>
    ...etc...
Any user that visits the page or reads the message will locally try
to open the page, and thus allow the vulnerability to be exploited.
 
TO NSFOCUS: I have tried to reproduce the bug on my win 2000 system
using the above tags in an HTML page in IE 6.0 but all I got was an
'invalid pointer' error. Also, I have tried to reply to you directly
but the email bounced. Please give me some more information on how to
produce the bug so I can do some testing on the remote exploit or
test the scenario explained above yourself.
 
Kind regards,
 
Berend-Jan Wever

(I am replying this late because I'm having trouble 
posting to bugtraq through email and finally gave 
up and did it online at the site.)
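
A defensive check for the markup described in the message above, added here as an example that is not part of the original post: it parses an HTML body and reports every fetch-type attribute that points at a UNC path, so a mail or web gateway can flag the content before a client renders it. The attribute set, the `file://host/` form, the function and class names, and the sample body (using the documentation address 192.0.2.10) are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a renderer fetches on load or on navigation (assumed set).
FETCH_ATTRS = {"src", "href", "background", "data"}

# \\host\share\...  or  file://host/share/...
# file:///C:/... has an empty host part and is a local path, so it does not match.
UNC_RE = re.compile(r"^\s*(?:\\\\|file://)(?P<host>[^\\/\s]+)[\\/]", re.IGNORECASE)


class UNCReferenceFinder(HTMLParser):
    """Collects (tag, attribute, host, value) for every UNC-style reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unquotes values.
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                match = UNC_RE.match(value)
                if match:
                    self.findings.append((tag, name, match.group("host"), value))


def find_unc_references(html_text):
    """Return all UNC references found in an HTML page or message body."""
    finder = UNCReferenceFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample body, not taken from a real message.
SAMPLE = r'''<html><body><p>Quarterly report attached.</p>
<IFRAME src="\\192.0.2.10\sharename\page.htm"></IFRAME>
<IMG src="\\192.0.2.10\sharename\logo.gif">
<SCRIPT src="file://192.0.2.10/sharename/x.js"></SCRIPT>
<img src="https://www.example.com/banner.png">
<a href="file:///C:/docs/readme.txt">local file</a>
</body></html>'''

if __name__ == "__main__":
    for tag, attr, host, value in find_unc_references(SAMPLE):
        print(f"<{tag} {attr}> references host {host}: {value}")
```

A gateway would typically strip or rewrite the flagged attributes, and blocking outbound SMB at the network perimeter covers clients that the filter does not see.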

