ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS
=====[BEGIN-ACROS-REPORT]=====
PUBLIC
=========================================================================
ACROS Security Problem Report #2004-01-20-1
-------------------------------------------------------------------------
ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS
=========================================================================
Document ID: ASPR #2004-01-20-1-PUB
Vendor: Microsoft (http://www.microsoft.com)
Target: Internet Explorer, Outlook, Windows Explorer
Impact: Denial of service for Internet Explorer, Outlook and
Explorer
Severity: Medium
Status: Official patch available, workaround available
Discovered by: Sasa Kos
Current version
http://www.acrossecurity.com/aspr/ASPR-2004-01-20-1-PUB.txt
Summary
=======
For some web servers, two null (%00) characters appended after the host
name cause Internet Explorer or Outlook to consume 100% CPU and freeze.
This issue can be exploited by forcing the user's browser to open a
hostile URL, either by setting up a malicious web site and luring the
user into visiting it or sending a malicious HTML e-mail to a user using
Outlook. Once Internet Explorer or Outlook is frozen, the user must kill
iexplore.exe or outlook.exe process respectively via task manager in order
to resume normal IE/Outlook use.
Product Coverage
================
- Internet Explorer 6 - affected
- Outlook 2002 - affected
- Outlook 2003 - affected
All patches applied, up to and excluding MS04-004 for IE.
Other versions may also be affected.
Analysis
========
There's probably some flawed assumption in the code responsible for
parsing the requested URL, specifically in parsing the host name, that
leads to a dead loop consuming 100% CPU. This issue, however, does not
seem to occur with all host names. Furthermore, we discovered that the
sensitivity to double-null suffix obviously depends on the "Do not save
encrypted pages to disk" option being turned off (which is default).
As far as Outlook is concerned, its susceptibility to this issue is not
surprising, as Outlook is using Internet Explorer's browser object for
rendering HTML e-mail. Outlook 2003 by default prevents remote HTML images
from being displayed due to privacy reasons, which effectively prevents an
e-mail borne attack unless the sender is listed in "safe senders" list.
Our tests have shown that the computer under attack must be connected to
Internet (directly, not via http proxy) in order for this issue to occur.
Finally, once IE or Outlook is frozen, Windows Explorer often freezes as
well, possibly due to calling the same piece of code that is caught in an
endless loop.
Mitigating Factors
==================
1) The issue does not appear when the option "Do not save encrypted pages
to disk" in Internet Options/Advanced is turned on. This option is turned
off by default, however.
2) User's computer must have routed access to internet (as opposed to
access via an HTTP proxy server).
Solution
========
An official patch MS04-004 was released, which fixes this issue. Affected
users can install it via Windows Update or by downloading it from
http://www.microsoft.com/technet/security/bulletin/ms04-004.asp.
Workaround
==========
Users with routed Internet access who can't install the official patch
can turn on the "Do not save encrypted pages to disk" option in Internet
Explorer to neutralize this vulnerability.
Vendor Communication
====================
January 21, 2004: vendor notified about the issue
February 2, 2004: patch MS04-004 released
February 3, 2004: vendor confirmed the issue
February 9, 2004: vendor confirmed the solution
February 9, 2004: vendor reviewed the public report
Acknowledgments
===============
We would like to acknowledge Microsoft Security Response Center for prompt
and professional response to our notification of the identified
vulnerability.
The author would like to acknowledge Mitja Kolsek for help and Aljosa
Ocepek for review and useful suggestions.
Contact
=======
ACROS d.o.o.
Stantetova 4
SI - 2000 Maribor
e-mail: security@xxxxxxxxxxxxxxxxx
web: http://www.acrossecurity.com
phone: +386 2 4200 766
fax: +386 2 4200 767
ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm
ACROS Security Papers
http://www.acrossecurity.com/papers.htm
ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm
Disclaimer
==========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.
Revision History
================
February 10, 2004: Initial release
Copyright
=========
(c) 2004 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.
=====[END-ACROS-REPORT]=====