Date: Thu, 20 Jan 2000 20:30:01
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: Microsoft Product Security Response Team <secure@microsoft.com>
Subject: Re[10]: MS IE5 + ftp proxy
--------------------------------------------------------------------------------
Hello Microsoft,
A few more things...
1. This problem also exists in Outlook Express (JavaScript isn't
necessary for reproduction; if you need, I can compose the message).
2. All you can do is press Alt+F4 (it's almost impossible to use
Task Manager or any other GUI app to kill IE). JavaScript can be
easily modified to prevent the user from closing the IE window, for example
with something like
<script>
window.onunload=new Function("open('ie5hang.html');");
</script>
Of course this problem is not security in the sense of getting some
private information and so on, but it's a kind of unpleasant DoS
attack which will probably cause the user to log off (or even reboot) and lose
unsaved job.
Thursday, January 20, 2000, 7:27:44 PM, you wrote:
MPSRT> I guess I should have read this note before answering the previous one.
MPSRT> <g> I think you're right about the other issue -- it should be treated
MPSRT> as a bug, even if it isn't a security vulnerability. I'll file a bug
MPSRT> report with the IE team. Thanks!
MPSRT> -----Original Message-----
MPSRT> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT> Sent: Thursday, January 20, 2000 1:04 AM
MPSRT> To: Microsoft Product Security Response Team
MPSRT> Subject: Re[8]: MS IE5 + ftp proxy
MPSRT> Hello Microsoft,
MPSRT> Thursday, January 20, 2000, 10:02:42 AM, you wrote:
MPSRT> I was trying to use this URL before but I found no reaction, at least
MPSRT> the bugs seem to be unpatched. OK. I've reported a few bugs and I will send
MPSRT> you another one I think is security-related since it freezes the
MPSRT> system.
MPSRT>> "report a product bug" in the "Microsoft Products" pull-down. There's a
MPSRT>> process that ensures that all bugs reported through the web site go
MPSRT>> straight to the right people on the development teams. Thanks,
MPSRT>> Secure@microsoft.com
MPSRT>> -----Original Message-----
MPSRT>> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT>> Sent: Wednesday, January 19, 2000 5:07 AM
MPSRT>> To: Microsoft Product Security Response Team
MPSRT>> Subject: Re[6]: MS IE5 + ftp proxy
MPSRT>> Hello Microsoft,
MPSRT>> by the way - can you give me the direct address of the IE team? I can report
MPSRT>> a few bugs unrelated to security.
MPSRT>> Monday, January 17, 2000, 4:32:46 AM, you wrote:
MPSRT>>> Hi -
MPSRT>>> Thanks for the additional information. You're right, this is definitely
MPSRT>>> in the realm of "potential bug" rather than security vulnerability.
MPSRT>>> Regards,
MPSRT>>> Secure@microsoft.com
MPSRT>>> -----Original Message-----
MPSRT>>> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT>>> Sent: Friday, January 14, 2000 9:57 PM
MPSRT>>> To: Microsoft Product Security Response Team
MPSRT>>> Cc: 'russ@rc.on.ca'
MPSRT>>> Subject: Re[4]: MS IE5 + ftp proxy
MPSRT>>> Hello Microsoft,
MPSRT>>> Friday, January 14, 2000, 6:04:04 PM, you wrote:
MPSRT>>>> Hi -
MPSRT>>> As it was correctly pointed out by Michael Tannenbaum
MPSRT>>> <miket@ENTERACT.COM>, this problem is described in KB Q217888:
MPSRT>>> "The FTP Folders feature does not support the following functionality:
MPSRT>>> Connecting to the Internet using a CERN proxy server or Web proxy
MPSRT>>> server."
MPSRT>>> Mike
MPSRT>>> ------------------
MPSRT>>> so this problem is already known to Microsoft KB. But I guess IE
MPSRT>>> behavior must be changed - the FTP Folders option must not be active
MPSRT>>> when an FTP proxy is configured. You may count this problem as an
MPSRT>>> interface bug (I mean using of proxy must have higher priority).
MPSRT>>> Another wish regarding security - it would be better for IE to use
MPSRT>>> passive FTP mode by default, or, at least, to have a configuration
MPSRT>>> option.
MPSRT>>> Answers to your questions follow:
MPSRT>>>> I passed the info to the IE team, and they asked whether, on your LAN,
MPSRT>>>> you can resolve hosts on the Internet? Also, does your firewall let DNS
MPSRT>>>> requests through, or do you have an internal server that replicates DNS
MPSRT>>>> data from an external host? Thanks,
MPSRT>>> allow all from (internal network)
MPSRT>>> allow udp from any 53,1024-65534 to DNS 53,1024-65534
MPSRT>>> allow tcp from any 53,1024-65534 to DNS 53,1024-65534
MPSRT>>> allow udp from any to PROXY 1024-65534
MPSRT>>> allow tcp from any to PROXY 1024-65534
MPSRT>>> deny log tcp from any to OFFICE setup
MPSRT>>> allow tcp from any to office 1024-65534
MPSRT>>> deny log ip from any to any
MPSRT>>> In fact it's much more sophisticated, it holds fragmented packets
MPSRT>>> correctly, it has some additional rules to avoid address spoofing,
MPSRT>>> etc. If you need it, I will send the exact access-list.
MPSRT>>> You can test DNS reachability by simply typing:
MPSRT>>> nslookup - 195.122.226.2
MPSRT>>> That is, answering your question: our firewall allows DNS requests
MPSRT>>> through and, as I pointed out before, we don't have any problem. The
MPSRT>>> problem under discussion was discovered when I found a message in the log,
MPSRT>>> something like:
MPSRT>>> deny tcp from FTPHOST:20 to OFFICEHOST:[some_unprivileged_port]
MPSRT>>> This message made me assume that OFFICEHOST is trying to connect to
MPSRT>>> FTPHOST directly, bypassing PROXY in active ftp mode. Easy
MPSRT>>> experiments confirmed this fact.
MPSRT>>> P.S.
MPSRT>>> Sorry for bad English
MPSRT>>> P.P.S
MPSRT>>> I've got a message that the 128bit version probably isn't affected. But
MPSRT>>> I'm sure the man who wrote it got something wrong - it's impossible
MPSRT>>> to use FTP folders with a proxy, because in the case of a proxy the directory
MPSRT>>> listing is generated by the proxy in HTML. It depends on the proxy type and
MPSRT>>> configuration and it's almost impossible to parse it for a different
MPSRT>>> representation. All other messages I've got confirmed the problem.
MPSRT>>> P.P.P.S
MPSRT>>> I guess further details will not be interesting to Russ, so maybe
MPSRT>>> it's better to remove him from BCC if he is not against it.
MPSRT>>>> Secure@microsoft.com
MPSRT>>>> -----Original Message-----
MPSRT>>>> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT>>>> Sent: Wednesday, January 12, 2000 1:12 AM
MPSRT>>>> To: Microsoft Product Security Response Team
MPSRT>>>> Cc: 'russ@rc.on.ca'
MPSRT>>>> Subject: Re[2]: MS IE5 + ftp proxy
MPSRT>>>> Hello Microsoft,
MPSRT>>>> Wednesday, January 12, 2000, 3:39:37 AM, you wrote:
MPSRT>>>>> Hi -
MPSRT>>>>> Wanted to get back in touch and let you know what the status of the
MPSRT>>>>> investigation is. This doesn't look like a security vulnerability,
MPSRT>>>>> because there's no capability for someone to alter or read data without
MPSRT>>>> But it makes a risk for people who use a proxy for security reasons,
MPSRT>>>> i.e. to hide their IPs or to access ftp through ipfw.
MPSRT>>>> In any case it's not a big hole since it's solvable.
MPSRT>>>>> permission, usurp administrative control of the machine, or deny
MPSRT>>>>> service. However, we would like to evaluate this as a potential bug.
MPSRT>>>>> Would you be willing to provide some data about your DNS servers to help
MPSRT>>>>> the engineers troubleshoot? Thanks,
MPSRT>>>> I use DNS ns.sci-nnov.ru [195.122.226.2] (FreeBSD 3.2-RELEASE, bind
MPSRT>>>> 8.1).
MPSRT>>>> But I don't see how this could depend on DNS. It doesn't matter if I
MPSRT>>>> use IP or host name and it doesn't depend on the FTP server - I tried a
MPSRT>>>> few.
MPSRT>>>> The Russian version of IE5.0 also has the same bug; the option has a different
MPSRT>>>> name and the action of this option is inverted.
MPSRT>>>> --
MPSRT>>>> Best regards,
MPSRT>>>> 3APA3A
MPSRT>>>> P.S.
MPSRT>>>> MCP, MCP+I, MCSE
MPSRT>>>>> Secure@microsoft.com
MPSRT>>>>> -----Original Message-----
MPSRT>>>>> From: Microsoft Product Security Response Team
MPSRT>>>>> Sent: Monday, January 10, 2000 7:58 PM
MPSRT>>>>> To: '3APA3A'; 'russ@rc.on.ca'
MPSRT>>>>> Subject: RE: MS IE5 + ftp proxy
MPSRT>>>>> Hi -
MPSRT>>>>> Thanks for your note. I'll ask the IE development team to investigate
MPSRT>>>>> this right away. Regards,
MPSRT>>>>> Secure@microsoft.com
MPSRT>>>>> -----Original Message-----
MPSRT>>>>> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT>>>>> Sent: Monday, January 10, 2000 7:14 AM
MPSRT>>>>> To: Microsoft Product Security Response Team;
MPSRT>>>>> NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
MPSRT>>>>> Subject: MS IE5 + ftp proxy
MPSRT>>>>> Hello,
MPSRT>>>>> Sorry if this problem was noticed before.
MPSRT>>>>> Problem: IE5 doesn't use the proxy for FTP connections if the option
MPSRT>>>>> "Enable folder view for FTP sites" is checked. This option is
MPSRT>>>>> checked by default.
MPSRT>>>>> Configuration: tested in 2 configurations:
MPSRT>>>>> 1. Windows NT 4.0 wrkst + SP5 + IE5.0
MPSRT>>>>> 2. Windows NT 4.0 wrkst + SP6a + IE5.01
MPSRT>>>>> Both have the problem.
MPSRT>>>>> There is no problem under SP5 + IE401SP1a
MPSRT>>>>> Description:
MPSRT>>>>> FTP proxy address is set in browser configuration (or option "use
MPSRT>>>>> one proxy for all protocols" is checked), but IE5 doesn't use the
MPSRT>>>>> proxy for the data connection, but tries to use a direct connection
MPSRT>>>>> instead. Since IE5 uses active ftp mode and can't be configured
MPSRT>>>>> to use passive (that isn't good), this fact makes a problem for
MPSRT>>>>> firewalling.
MPSRT>>>> --
MPSRT>>>> Best regards,
MPSRT>>>> 3APA3A
MPSRT>>>> A new type of elementary particle has appeared - cracklings.
MPSRT>>>> Not very large, slightly burnt. (Lem)
MPSRT>>> --
MPSRT>>> Best regards,
MPSRT>>> 3APA3A
MPSRT>>> When a little bird dies of gluttony, it is threaded onto a spit. (Lem)
MPSRT>> --
MPSRT>> Best regards,
MPSRT>> 3APA3A
MPSRT>> Man is a mystery... I occupy myself with this mystery in order to be a man.
MPSRT>> (Dostoevsky)
MPSRT> --
MPSRT> Best regards,
MPSRT> 3APA3A
MPSRT> Shooting a second time, he crippled a bystander. The bystander was me.
MPSRT> (Twain)
--
Best regards,
3APA3A
Eternal memory to Saint Patrick! (Twain)
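
The firewall log entry quoted in the thread (a denied TCP connection from port 20 of an FTP server to an unprivileged port on an office host) is the visible sign that a client attempted active-mode FTP directly instead of going through the proxy. As an added example that is not part of the original correspondence, the following Python code scans deny-log lines for that pattern and groups the hits per office host; the log line format, the office network range and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log line shape, modelled on the "deny tcp from FTPHOST:20 to
# OFFICEHOST:port" message quoted in the thread; real firewall logs differ.
LINE_RE = re.compile(
    r"deny\s+tcp\s+from\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"to\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

FTP_DATA_PORT = 20  # source port of an active-mode FTP data connection
OFFICE_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed office range


def find_active_ftp_bypass(lines, office_net=OFFICE_NET):
    """Return {office_host: sorted FTP servers} for denied inbound TCP
    connections from port 20 to an unprivileged port on an office host."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP deny entry in the assumed format
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address, skip the line
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport == FTP_DATA_PORT and dport >= 1024 and dst in office_net:
            hits[str(dst)].add(m["src"])
    return {host: sorted(srcs) for host, srcs in hits.items()}


# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
Jan 14 10:01:07 fw: deny tcp from 198.51.100.7:20 to 192.0.2.15:1843
Jan 14 10:01:10 fw: deny tcp from 198.51.100.7:20 to 192.0.2.15:1844
Jan 14 10:02:31 fw: deny tcp from 203.0.113.9:4431 to 192.0.2.15:139
Jan 14 10:03:02 fw: deny tcp from 198.51.100.80:20 to 192.0.2.22:2050
Jan 14 10:04:45 fw: deny tcp from 198.51.100.7:20 to 203.0.113.50:3000
Jan 14 10:05:00 fw: deny udp from 198.51.100.7:20 to 192.0.2.15:1900
""".splitlines()

if __name__ == "__main__":
    for host, servers in find_active_ftp_bypass(SAMPLE_LOG).items():
        print(f"{host} attempted active FTP directly with: {', '.join(servers)}")
```

Hosts reported here are candidates for checking the "Enable folder view for FTP sites" setting described in the original report.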