Bugtraq mailing list archives

Re: dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express


From: Chad Loder <cloder () acm org>
Date: Fri, 17 May 2002 02:38:16 -0700

At Wednesday 5/15/2002 03:11 PM +0400, you wrote:

> Title: Special device access and DoS in Microsoft Internet
>        Explorer/Outlook Express/Outlook
>
> All versions of Windows have reserved filenames that refer to special
> devices such as prn, aux, nul, etc., also called DOS devices.

This might be related to a vulnerability that was reported to Microsoft
on Mar 7 2001. See the BugTraq post:

   http://online.securityfocus.com/archive/1/197926

The META HTTP-EQUIV=REFRESH tag used to do the trick
from Outlook and other email clients using the MS
HTML viewer (e.g. Eudora). Redirecting to file://C:\PRN
was sufficient to hang the browser or email client.

Microsoft assigned the following internal tracking
number to the issue: "MSRC 673au", and fixed it in
MS00-17. Obviously they didn't do a good enough
job, since you guys found a way to print files, etc. :)

Another scary thing is that you can cause the computer to connect
to arbitrary UNC paths, which, as you know, involves sending
NetBIOS credentials over the wire (a good reason to use egress
filtering).

+--------------------------------
Chad Loder <chad () rapid7 com>
Rapid 7, Inc.
<http://www.rapid7.com>
+--------------------------------
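
Added example, not part of the original post: a mail-gateway style check that flags the two patterns discussed above in an HTML message body, namely META refresh or link targets that resolve to a DOS device name and targets that are UNC paths. It generalizes beyond the single `file://C:\PRN` case to the other reserved names and UNC spellings; the function names, attribute list and sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Reserved DOS device names; Windows also resolves them with an extension (NUL.txt).
DOS_DEVICES = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)
URL_ATTRS = {"href", "src", "background", "action"}  # assumed set of URL attributes

def classify(url):
    """Return 'dos-device', 'unc-path' or None for one URL found in mail HTML."""
    raw = unquote(url.strip())
    u = raw.replace("\\", "/")
    scheme = re.match(r"([a-z][a-z0-9+.-]+):", u, re.I)  # 2+ chars, so "C:" is a drive
    if scheme and scheme.group(1).lower() != "file":
        return None
    if scheme:
        u = u[len("file:"):]
    path = u.lstrip("/")
    slashes = len(u) - len(path)
    drive = re.match(r"[a-z][:|]", path, re.I)
    if not (scheme or drive or raw.startswith("\\")):
        return None  # relative or protocol-relative web URL
    if not drive and (slashes == 2 or slashes >= 4):
        return "unc-path"  # \\host\share, file://host/share, file:////host/share
    leaf = (path[2:] if drive else path).rstrip("/").rsplit("/", 1)[-1]
    return "dos-device" if DOS_DEVICES.match(leaf) else None

class MailLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, kind, url) tuples
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        urls = [v for k, v in a.items() if k in URL_ATTRS]
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            urls += [m.group(1)] if m else []
        self.findings += [(tag, classify(u), u) for u in urls if classify(u)]

def scan(html):
    scanner = MailLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample message body (not taken from the advisory).
SAMPLE = r'''<meta http-equiv="refresh" content="0; URL=file://C:\PRN">
<img src="\\fileserver.example\share\logo.gif">
<a href="http://www.example.com/aux">web link</a>'''
```

`scan(SAMPLE)` reports the META refresh as a DOS device reference and the image as a UNC path, and leaves the ordinary web link alone.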