SECURITYVULNS:DOC:2949
May 17, 2002 - 12:00 a.m.

Re: dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express


At Wednesday 5/15/2002 03:11 PM +0400, you wrote:

> Title: Special device access and DoS in Microsoft Internet
> Explorer/Outlook Express/Outlook
>
> All versions of Windows have reserved filenames that refer to special
> devices such as prn, aux, nul, etc., also called DOS devices.

This might be related to a vulnerability that was reported to Microsoft
on Mar 7 2001. See the BugTraq post:

http://online.securityfocus.com/archive/1/197926

The META HTTP-EQUIV=REFRESH tag used to do the trick
from Outlook and other email clients using the MS
HTML viewer (e.g. Eudora). Redirecting to file://C:\PRN
was sufficient to hang the browser or email client.

Microsoft assigned the following internal tracking
number to the issue: "MSRC 673au", and fixed it in
MS00-17. Obviously they didn't do a good enough
job, since you guys found a way to print files, etc. :)

Another scary thing is that you can cause the computer to connect
to arbitrary UNC paths, which as you know, involves sending
NetBIOS credentials over the wire (a good reason to use egress
filtering).

+-------------------------------
Chad Loder <[email protected]>
Rapid 7, Inc.
<http://www.rapid7.com>
+-------------------------------
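
A defender-side check for the two behaviours discussed in this thread, as an added example that is not part of the original posts: it scans an HTML mail body for META refresh targets and link or image URLs that point at DOS device names or at UNC paths. The function names, the attribute list and the sample body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Reserved DOS device names, as listed in Microsoft's file-naming documentation.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
URL_ATTRS = {"href", "src", "background", "action"}
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\">]+)", re.I)

def classify(url):
    """Return 'unc', 'dos-device' or None for one URL found in HTML mail."""
    url = url.strip()
    if url.startswith("\\\\"):  # raw \\server\share
        return "unc"
    if not url.lower().startswith("file:"):
        return None
    rest = url[5:].replace("\\", "/")
    path = rest.lstrip("/")
    slashes = len(rest) - len(path)
    parts = [p for p in path.split("/") if p]
    if not parts:
        return None
    local = re.fullmatch(r"[A-Za-z][:|]", parts[0]) or parts[0].lower() == "localhost"
    # file://server/share and file://///server/share both leave the machine.
    if slashes >= 4 or (slashes == 2 and not local):
        return "unc"
    stem = parts[-1].split(".")[0].rstrip(": ").upper()  # "prn.txt", "PRN:" too
    return "dos-device" if stem in DOS_DEVICES else None

class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, verdict) tuples
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        urls = [v for k, v in a.items() if k in URL_ATTRS]
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            urls += REFRESH_URL.findall(a.get("content", ""))
        self.findings += [(tag, u.strip(), classify(u)) for u in urls if classify(u)]

def scan(html):
    scanner = MailScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample body, not taken from the original post.
SAMPLE = r'''<META HTTP-EQUIV=REFRESH CONTENT="0; URL=file://C:\PRN">
<img src="file://fileserver.example/share/logo.gif">
<a href="http://www.example.com/prn.html">ok</a>'''
```

`scan(SAMPLE)` flags the META refresh as `dos-device` and the image as `unc`, and leaves the ordinary HTTP link alone. A mail gateway could use the `unc` verdict alongside the egress filtering suggested in the reply.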