Bugtraq mailing list archives
Internet Explorer Bug
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 3 Mar 1997 11:14:11 -0600
http://www.cybersnot.com/iebug.html

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Attachment: iebug.html

Cybersnot Industries
Internet Explorer Bug

Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))

Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug which allows web page writers to use ".LNK" and ".URL" files to run programs on a remote computer. This bug is particularly damaging because it uses NO ActiveX, and works even when Internet Explorer is set to its highest security level. It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) running Windows 95. This demo assumes that Windows is installed in "C:\WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES.

.URL files are WORSE than .LNK files because .URLs work in both Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95). .URL files present a possibly greater danger because they can be easily created by server side scripts to meet the specific settings of a user's system. We will provide .URL files for execution in the next day or so.

The "shortcuts" can be set to be minimized during execution which means that users may not even be aware that a program has been started. Microsoft's implementation of shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh to an executable. Or worse, client side scripts (Java, JavaScript, or VBScript) can use the Explorer object to transfer a BATCH file to the target machine and then META REFRESH to that BATCH file to execute the rogue command in that file.

The following table outlines which areas and users each shortcut type affects:

File Type  Windows 95  Windows NT  Execute Apps  Command Line Args Allowed  Searches Path
.LNK       Yes         No          Yes           Yes                        No
.URL       Yes         Yes         Yes           No                         Yes

Security Comparison .URL vs .LNK

Naturally, the files must exist on the remote machine to be properly executed. But, Windows 95 comes with a variety of potentially damaging programs which can easily be executed. The following link will start the standard calculator which comes with Windows 95.

- Windows Calculator (.lnk).
- Windows Calculator (.url).

This bug can be used to wreak havoc on a remote user's machine. The following links will create and delete some directories.

- Create a directory "C:\HAHAHA".
- Open "C:\HAHAHA"
- Remove the directory "C:\HAHAHA"

The META REFRESH tag can be used to execute multiple commands in sequence.

Internet Explorer Bug
Discovered By Paul Greene
Page and Examples by Geoffrey Elliott & Brian Morin
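A content-filter check for the pattern the advisory describes (page links and META REFRESH targets that point at .LNK, .URL or batch files), as an added example that is not part of the original message or the demo page. The extension list, the names `ShortcutLinkFinder` and `find_shortcut_links`, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File types the advisory names as launchable from a page (assumed list).
RISKY_EXTENSIONS = (".lnk", ".url", ".bat")


class ShortcutLinkFinder(HTMLParser):
    """Collect links and META REFRESH targets that point at risky file types."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (source, target) tuples

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "a":
            self._check("a href", attrs.get("href", ""))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content is "<seconds>; URL=<target>"; the URL part is optional.
            _, _, rest = attrs.get("content", "").partition(";")
            key, _, target = rest.strip().partition("=")
            if key.strip().lower() == "url":
                self._check("meta refresh", target.strip().strip("'\""))

    def _check(self, source, target):
        # Compare only the path so query strings and fragments cannot hide the extension.
        if urlsplit(target).path.lower().endswith(RISKY_EXTENSIONS):
            self.findings.append((source, target))


def find_shortcut_links(html):
    finder = ShortcutLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts and file names are placeholders.
SAMPLE = """<html><head>
<meta http-equiv="REFRESH" content="0; URL=http://example.test/run.bat">
</head><body>
<a href="http://example.test/calc.lnk">Calculator (.lnk)</a>
<A HREF="calc.URL?x=1">Calculator (.url)</A>
<a href="http://example.test/index.html">Home</a>
</body></html>"""

if __name__ == "__main__":
    for source, target in find_shortcut_links(SAMPLE):
        print(f"{source}: {target}")
```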