RE: Re[2]: Crash IE with shell://:

["Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>]

All,
        That little page I sent seems to kill some systems and not others.
Mainly, SP2 seems to stop this problem from happening. Is there anyone
running 2k SP2 that dies with the shell://:?

        I'd really like to find out what causes this, and what the
difference is between SP1 & 2 (if it _is_ SP2 that fixes it). Bearing in
mind that the gopher one DOES crash SP2, theres obviously something
different, and some significance of "shell://".

        Also, as someone else posted, anyone else have any ideas if this
exploitable any further?


Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

> -----Original Message-----
> From: Kevin J. Menard, Jr. [mailto:kmenard () WPI EDU]
> Sent: Wednesday, May 23, 2001 6:57 PM
> To: Peter
> Cc: loon () loadedpenguin com; Vuln-Dev
> Subject: Re[2]: Crash IE with shell://:
>
>
> Hey Peter,
>
>     Interestingly, with the "IE Error Reporting" tool, your 
> page degrades
>     gracefully for me.  I mean, it still dies, and I report 
> the error (maybe
>     something will be done someday), but it does it "nicely" 
> I guess.  It's
>     usually the gopher thing that triggers that for me.  But 
> the shell one kills
>     me every time.  My entire task bar disappears and I have 
> to restart explorer
>     (Win2k, sp1, IE 5.50.4522.1800, 128-bit encryption).  And 
> I'm not trying to
>     start a flame war here, but I think you're web page title 
> was rather flawed.
>     Outside of lynx, IE is unfortunately the best browser 
> I've encountered, and
>     I've had far less issues with it than NS or Mozilla.  
> Likewise, I think this
>     shell issue has to do with MS binding IE to the OS, which 
> I do not agree
>     with.
>
>     Later.
>
> -- 
>  Kevin
>
> Wednesday, May 23, 2001, 10:42:07 AM, you wrote:
>
> P> Guys try www.nul.cjb.net
>
> P> That is my site and it tries to exploit just about every 
> NS/IE/Win9x but that will 
> P> make the OS crash [win9x] or IE/NS crash.  Included is 
> this whole gopher thing 
> P> also.  
>
> P> btw, that htm page didn't work for me either, -- did nada.
>
> P> On 05/22/2001 11:31:53 AM, cory is quoted as saying:
>  
>
> P> . . . .|On Tue, 22 May 2001, Kayne Ian (Softlab) 
> transferred the following data:
> P> . . . .|
> . . . .|>> All...
> . . . .|>>       Wrote this little thing in a few spare mins. 
> I'm no use with
> . . . .|>> javascript or webbased coding, so I'm sure there's 
> much more you could do
> . . . .|>> with this. Anyway, attached is a .html that 
> crashes all the machines I
> . . . .|>> tested it on - be prepared to loose explorer.exe 
> if you run it. I guess this
> . . . .|>> is a working exploit/bug (and a really annoying 
> one if it starts appearing
> . . . .|>> on the web), so if someone wants to forward this 
> to the appropriate people
> . . . .|>> (bugtraq? microsoft?) then go for it... Also, if 
> we could narrow down
> . . . .|>> exactly what it takes to fix it in the current 
> versions, that would be good
> . . . .|>> too.
> . . . .|>>
> . . . .|>> enjoy...
> . . . .|>>
> . . . .|>> Ian Kayne
> . . . .|>> Technical Specialist - IT Solutions
> . . . .|>> Softlab Ltd - A BMW Company
> . . . .|>>
> P> . . . .|
> P> . . . .|Tried this against IE 5 ver. 5.00.2614.3500 with 
> little result.
> P> . . . .|The .htm shows up for a few seconds, then you 
> recieve a 404 , with the
> P> . . . .|Address box changing from 
http://blah.com/iecrashtest.htm to just
P> . . . .|/test.htm (strange?). During the change to a 404, a smaller box
appears
P> . . . .|with res://C:\\Windows\System\SHDOCLC.DLL/syntax.htm explaining
that the
P> . . . .|page can not be displayed, possibly because of removal or name
change. It
P> . . . .|then request you do the following:
P> . . . .|        Open the 
P> res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/syntax.htm#shell://
P> . . . .|        home page, and then look for the links to the information
you
P> . . . .|        want.
P> . . . .|
P> . . . .|Hope that helps
P> . . . .|
P> . . . .|cory



P> www.nul.cjb.net
P> www.FreeBSD.org



P> _________________________________________________________
P> Do You Yahoo!?
P> Get your free @yahoo.com address at http://mail.yahoo.com



******************************************************************** 
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom 
they are addressed. 

If you are not the intended recipient or the person responsible for 
delivering to the intended recipient, be advised that you have received 
this email in error and that any use of the information contained within 
this email or attachments is strictly prohibited. 

Internet communications are not secure and Softlab does not accept 
any legal responsibility for the content of this message. Any opinions 
expressed in the email are those of the individual and not necessarily 
those of the Company. 

If you have received this email in error, or if you are concerned with 
the content of this email please notify the IT helpdesk by telephone 
on +44 (0)121 788 5480. 

********************************************************************