Bugtraq mailing list archives
Re: dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express
From: Chad Loder <cloder () acm org>
Date: Fri, 17 May 2002 02:38:16 -0700
At Wednesday 5/15/2002 03:11 PM +0400, you wrote:
Title: Special device access and DoS in Microsoft Internet Explorer/Outlook Express/Outlook

All versions of Windows have reserved filenames that refer to special devices such as prn, aux, nul, etc., also called DOS devices.
This might be related to a vulnerability that was reported to Microsoft on Mar 7 2001. See the BugTraq post:

http://online.securityfocus.com/archive/1/197926

The META HTTP-EQUIV=REFRESH tag used to do the trick from Outlook and other email clients using the MS HTML viewer (e.g. Eudora). Redirecting to file://C:\PRN was sufficient to hang the browser or email client.

Microsoft assigned the following internal tracking number to the issue: "MSRC 673au", and fixed it in MS00-17. Obviously they didn't do a good enough job, since you guys found a way to print files, etc. :)

Another scary thing is that you can cause the computer to connect to arbitrary UNC paths, which as you know, involves sending NetBIOS credentials over the wire (a good reason to use egress filtering).

+--------------------------------
Chad Loder <chad () rapid7 com>
Rapid 7, Inc. <http://www.rapid7.com>
+--------------------------------
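As an added illustration, not part of the original message or of any vendor fix, the following Python sketch shows how a mail gateway or content filter could flag the two redirect targets discussed above: a META refresh pointing at a reserved DOS device name, and one pointing at a UNC path. The names `RefreshFinder`, `classify` and `scan` and the sample HTML are constructed for this example; the device list extends the names in the thread (prn, aux, nul) with the other standard Windows reserved names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# prn/aux/nul come from the thread; CON, COM1-9 and LPT1-9 are the other
# standard reserved device names on Windows.
DOS_DEVICES = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.I)

class RefreshFinder(HTMLParser):
    """Collect the url= target of every <meta http-equiv=refresh> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\">]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())

def classify(url):
    """Return 'dos-device', 'unc' or None for one redirect target."""
    url = unquote(url.strip())
    # A scheme has two or more characters, which keeps "C:" out of this match.
    scheme = re.match(r"^([a-z][a-z0-9+.-]+):", url, re.I)
    if scheme and scheme.group(1).lower() != "file":
        return None                       # http:, mailto:, ... are out of scope
    rest = (url[5:] if scheme else url).replace("/", "\\")
    body = rest.lstrip("\\")
    lead = len(rest) - len(body)          # number of leading separators
    has_drive = re.match(r"^[a-z]:", body, re.I)
    if not has_drive and (lead == 2 or lead >= 4):
        return "unc"                      # \\host\share or file://host/share
    last = body.rstrip("\\").split("\\")[-1]
    name = last.split(".")[0].rstrip(": ")  # PRN, PRN.txt and PRN: all match
    return "dos-device" if DOS_DEVICES.match(name) else None

def scan(html):
    """Return (target, finding) for each suspicious META refresh in html."""
    finder = RefreshFinder()
    finder.feed(html)
    return [(t, classify(t)) for t in finder.targets if classify(t)]

# Constructed sample message body, not taken from a real email.
SAMPLE = r'''<html><head>
<meta http-equiv="refresh" content="0; url=file://C:\PRN">
<META HTTP-EQUIV=REFRESH CONTENT="1;URL=file://fileserver.example/share/a.txt">
<meta http-equiv="refresh" content="5; url=http://www.example.com/prn">
</head></html>'''
```

A filter like this complements, rather than replaces, the egress filtering mentioned in the message, since it only covers the META refresh vector.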
Current thread:
- dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express ERRor (May 15)
- Re: dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express Chad Loder (May 17)