Bugtraq mailing list archives

Re: Internet Explorer Bug #4


From: sbirn () NETMEDIA NET IL (Steve Birnbaum)
Date: Sat, 15 Mar 1997 20:44:14 +0200


Alain.Thivillon () ALMA FR said:
What saves Win95 is that it does not understand the \\<IP-Address>
\SHARE CIFS syntax. But on a local network with broadcast name
resolution ... And with previous bugs of Internet Explorer, you know
how to add lines to LMHOSTS via Web browser :(

Assuming that someone has patched all the exposed bugs in MSIE (and
is intelligent enough not to check the box that disables the patch), the
problem is getting the hostile Samba server into the browse list of an NT
server on the same subnet as the win95 box.

Forgetting about finding a way to get someone to sit down on the console
of the NT machine and trying to get to your web site, is it possible to
spoof a WINS sync to that NT server?  Hobbit's paper shows that
NT trusts you to be who you say you are when connecting for a CIFS share.
I'm curious if there is any more security involved in the case of an NT
server that is set up to synchronize WINS tables with other NT servers.

Once you can get the IP address of a modified Samba server into the
victim's NT server's browse list, I think it would require less effort
to find someone with a win95 machine on the victim's network who is
willing to go to the hostile web page than a user on the NT's console.
If the passwords can be sent cleartext, then you also saved yourself
a lot of work.  You may even get lucky and find someone with admin access
on the NT server.

  Steve


--
Steve Birnbaum - System Administrator, NetMedia. Jerusalem, Israel.
sbirn () netmedia net il  Phone: +972-2-6795860   --Standard Disclaimer--
"Windows NT: The lusers think it's pretty"  - buzz () warbeast com
Boycott Internet Spam! http://www.vix.com/spam/   (PGP key available)


