Bugtraq mailing list archives

Re: IE4/5 "file://" buffer overflow


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 9 Nov 1999 21:28:07 +0100


Hi! A couple of questions....

First of all, does this happen just by viewing the page, or do
you have to click the link?

If you have to click the link to get it to work, one might
want to look into using:

1. Javascript redirect (document.location="file://AAAAA...")
2. Meta refresh tags
3. DownloadBehaviour?
4. Server Redirects    (Location: file:/AAAAA...);

Having an exploit go off by clicking on a file:// link is bad in
and of itself. Having it go off just by viewing the page/email that
contains the file:// link is the "Good Times"/"Win a vacation" virus
hoax come true.

On a side note:
The server redirect thing would not provide direct execution,
but could be used to hide the fact that the link you're about
to click is suspicious.

Yum:-P

/Mike

UNYUN wrote:

Hello

Microsoft Internet Explorer 4/5 overflows in the handling of the
"file://" specification. This overflow occurs when we are logging on to
the Microsoft Network; this overflow can be verified if a long name is
specified to the "file://". For example,


--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
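
The delivery vectors listed in the message above can be checked for at a mail or web gateway. The following is an added example, not part of the original post: a Python scanner that flags overlong file:// URLs in HTML or a Location header and records whether each would fire without a click. The 260-character threshold, all names and the sample input are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed threshold (Windows MAX_PATH); the post does not state a length.
MAX_FILE_URL_LEN = 260
FILE_URL = re.compile(r"file:/+[^\s\"'<>]*", re.I)
JS_NAV = re.compile(
    r"(?:document|window)\.location(?:\.href)?\s*=\s*[\"'](file:[^\"']*)", re.I)

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # tuples of (vector, fires_without_click, url_length)
        self.in_script = False

    def note(self, vector, auto, url):
        if len(url) > MAX_FILE_URL_LEN:
            self.findings.append((vector, auto, len(url)))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names arrive lowercased
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = FILE_URL.search(a.get("content", ""))
            if m:
                self.note("meta-refresh", True, m.group(0))
        elif tag == "a" and a.get("href", "").lower().startswith("file:"):
            self.note("link", False, a["href"])   # needs a click

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:                     # script bodies only, not page text
            for m in JS_NAV.finditer(data):
                self.note("js-redirect", True, m.group(1))

def scan(html, headers=None):
    s = Scanner()
    s.feed(html)
    s.close()
    for name, value in (headers or {}).items():
        # Per the post, a server redirect only disguises the link target.
        if name.lower() == "location" and value.lower().startswith("file:"):
            s.note("server-redirect", False, value)
    return s.findings

if __name__ == "__main__":   # constructed sample, not taken from the post
    u = "file://" + "A" * 300
    print(scan(f'<meta http-equiv="refresh" content="0;url={u}"><a href="{u}">x</a>'))
```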


