Bugtraq mailing list archives
Re: Latest IE FIX from MS is a HOAX
From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Tue, 25 Mar 1997 23:10:23 -0500
Aaron Spangler enscribed thusly:
> The Latest Internet Explorer Security Patch from Microsoft is a HOAX.
'Fraid not... You just don't understand the problem COMPLETELY.
> I just installed the latest Internet Explorer Released by Microsoft Today (IE 3.02 - Mar25). It seems it is still COMPLETELY vulnerable to Bugs #4,#5 released earlier in the month even though it claims to fix them!!!
No. There are two problems which can look like each other. As it is, bugs #4 & #5 can utilize Samba on UNIX/Linux and are NOT dependent on the bugs in IE, it's a different horse with the same colors. There IS a bug in IE, just NOT this one.
> Is Microsoft lying when they say it fixes the latest bugs?
Microsoft lies about a LOT of things. This is not one of them. There are TWO problems and BOTH must be fixed. Only one of them is IE. The other is Netbios on TCP/IP and Windows {NT/95}.
> Try it out yourself. Download IE 3.02 from MS, and try it on one of the sites
>
> #4 http://www.ee.washington.edu/computing/iebug/ (For NT only)
> #5 http://www.efsl.com/security/ntie/ (For NT only)
These two web sites each take advantage of THE OTHER PROBLEM! I've used them BOTH in some tests and know exactly how they operate. They are utilizing Netbios on TCP/IP over port 139 to exploit Windows redirects.
> I have not even checked bug #6 for win95, but it still may be vulnerable.
>
> #6 http://www.security.org.il/msnetbreak/ (bug#6 for Win95)
I THINK this is the same as #4 and #5 just a subtle variation. I have not tested this last site like the others, but will...

Here is da scoop: There are two problems!

1) Internet Explorer, when talking to a COMPATIBLE (i.e. IIS) server, is capable of performing an SMB challenge response over http. In other words, when Netscape would prompt you for "User Name" and "Password", IE would blithely use your Windows NT / Windows 95 user name and password whether that's what you wanted or not. This operates over port 80 (http).

Simple test... If you browse a hostile page, if you are prompted for user name and password, this is the IE bug and you are safe.

This bug can NOT use a SAMBA server. It works purely over HTTP and requires an HTTP server which understands the SMB challenge response. Apache and NCSA are just NOT going to cut it here. I have YET to see anyone successfully exploit this one. That's NOT to say it can't be or hasn't been done. It's just a lot tougher and I haven't seen one YET.

2) Netbios exploit... This is the bug exploited by the Samba based servers. If you feed a page with an image link to "file://ip-address/filename", then Windows NT (and with a LITTLE work Windows 95) will attempt an SMB Netbios connection to that IP address over port 139. That server will then challenge your client to provide a user name and password. Windows NT will provide this moderately encrypted (brute force attack works REAL well) but Windows 95 will cough up the user name and password in CLEAR TEXT! This operates over TCP port 139 (netbios session) with an assist from UDP port 137 (netbios name service) for Windows 95.

Solution: TOTALLY BLOCK all netbios ports! (UDP and TCP ports 135-139) This is a Windows problem which even Netscape will trip over!

If you browse this page and you get BUSTED IMAGES, it is the SECOND problem and you are safe.

If you do not get prompted for a user name and password AND you get nice clean images - you're screwed. You failed ONE OR THE OTHER of the vulnerabilities (only takes ONE of the TWO).

The FIRST problem is Internet Explorer and Internet Explorer alone. I am unaware of ANY pages currently on the Internet which exploit this vulnerability in the absence of the second vulnerability.

The second vulnerability has virtually identical symptoms but IS NOT restricted to IE. Even Netscape can be bit by this one. This one convinces Windows to establish a netbios redirect to the hostile server. The browser is unaware of what is happening and THINKS it is just asking for a LOCAL file.

You CAN NOT fix this problem unless you get the fix for IE AND block all of the Netbios ports! BOTH MUST BE DONE OR NEITHER WILL DO YOU ANY GOOD! Get the update to IE and NOT block Netbios ports and you will THINK the IE fix didn't do any good! Block the ports and use the buggy IE and you get the SAME IDEA! YA GOTTA FIX'EM BOTH!

My NT expert didn't believe this until we did a double blind test using our filtering firewall. Now even he believes. (Cost him a lunch too...:-> Wish I had put some money on it to boot!)
> - Aaron
>
> --
> Aaron Spangler                    EE Unix System Administrator
> Electrical Engineering FT-10      pokee () ee washington edu
> University of Washington          Phone (206) 543-8984
> Box 352500                        or (206) 543-2523
> Seattle, WA 98195-2500            Fax (206) 543-3842
Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
(The Mad Wizard)       |  (770) 925-8248   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
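As an added example (not from this thread or either author), a small Python check for the second problem Mike describes: it flags image or link references of the form file://host/... that would make Windows open a NetBIOS session to that host, and it checks that an egress filter rule set covers TCP and UDP 135-139 as he recommends. The HTML page and the rule tuples are constructed samples; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ports the post says must be blocked in both directions: UDP and TCP 135-139.
NETBIOS_PORTS = range(135, 140)

# Constructed sample page: one genuinely local image, one file:// image that
# names a remote host (the pattern that triggers the SMB/NetBIOS redirect),
# and an ordinary http link that should be ignored.
SAMPLE_HTML = """<html><body>
<p>Test page.</p>
<img src="file:///C:/images/logo.gif">
<img src="file://192.0.2.10/share/pixel.gif">
<a href="http://www.example.com/">link</a>
</body></html>"""


def remote_file_host(url):
    """Return the host of a file:// URL that points off-box, else None."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() != "file":
        return None
    host = parsed.netloc.split("@")[-1]  # drop any user:pass@ prefix
    if host.lower() in ("", "localhost"):
        return None  # file:///C:/... or file://localhost/... is a local file
    return host


class FileUrlFinder(HTMLParser):
    """Collect (tag, host, url) for every fetched attribute using a remote file: URL."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "background") and value:
                host = remote_file_host(value)
                if host:
                    self.hits.append((tag, host, value))


def find_smb_redirects(html):
    finder = FileUrlFinder()
    finder.feed(html)
    return finder.hits


def netbios_ports_blocked(rules):
    """rules: set of (proto, port) pairs the egress filter drops.
    True only if TCP and UDP 135-139 are all covered."""
    return all((proto, port) in rules for proto in ("tcp", "udp") for port in NETBIOS_PORTS)
```

Running find_smb_redirects(SAMPLE_HTML) reports only the 192.0.2.10 image; a rule set that blocks just TCP 139 and UDP 137 fails netbios_ports_blocked.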