copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » ESB-2001.424 -- Microsoft Security Bulletin MS01-051...
 

ESB-2001.424 -- Microsoft Security Bulletin MS01-051 -- Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone
Date: 11 October 2001

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2001.424 -- Microsoft Security Bulletin MS01-051
              Malformed Dotless IP Address Can Cause Web Page
                      to be Handled in Intranet Zone
                              11 October 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Explorer 5.01
                        Internet Explorer 5.5
                        Internet Explorer 6
Vendor:                 Microsoft
Impact:                 Create Arbitrary Files
                        Reduced Security
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Malformed Dotless IP Address Can Cause Web Page to be 
            Handled in Intranet Zone
Date:       10 October 2001
Software:   Internet Explorer
Impact:     Three vulnerabilities:
 - Cause web page to render a web page using inappropriate security 
   settings 
 - Send commands to a third-party web site in the guise of the user
 - Create a file on the system of a user who visited a web site.
Bulletin:   MS01-051

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-051.asp.
- - ----------------------------------------------------------------------

Issue:
======
This patch eliminates three vulnerabilities affecting Internet
Explorer. The first involves how IE handles URLs that include dotless
IP addresses. If a web site were specified using a dotless IP format
(e.g., http://031713501415 rather than http://207.46.131.13), and the
request were malformed in a particular way, IE would not recognize
that the site was an Internet site. Instead, it would treat the site
as an intranet site, and open pages on the site in the Intranet Zone
rather than the correct zone. This would allow the site to run with
fewer security restrictions than appropriate. This vulnerability does
not affect IE 6. 

The second involves how IE handles URLs that specify third-party
sites. By encoding an URL in a particular way, it would be possible
for an attacker to include HTTP requests that would be sent to the
site as soon as a connection had been established. These requests
would appear to have originated from the user. In most cases, this
would only allow the attacker to send the user to a site and request
a page on it. However, if exploited against a web-based service
(e.g., a web-based mail service), it could be possible for the
attacker to take action on the user's behalf, including sending a
request to delete data. 

The third is a new variant of a vulnerability discussed in Microsoft
Security Bulletin MS01-015, affecting how Telnet sessions are invoked
via IE. By design, telnet sessions can be launched via IE. However, a
vulnerability exists because when doing so, IE will start Telnet
using any command-line options the web site specifies. This only
becomes a concern when using the version of the Telnet client that
installs as part of Services for Unix (SFU) 2.0 on Windows NT(r) 4.0
or Windows(r) 2000 machines. The version of the Telnet client in SFU
2.0 provides an option for creating a verbatim transcript of a Telnet
session. An attacker could start a session using the logging option,
then stream an executable file onto the user's system in a location
that would cause it to be executed automatically the next time the
user booted the machine. The flaw does not lie in the Telnet client,
but in IE, which should not allow Telnet to be started remotely with
command-line arguments. 

Mitigating Factors:
====================
Zone Spoofing vulnerability: 
 - The default settings in the Intranet Zone differ in only a few 
   ways from those of the Internet Zone. The differences are 
   enumerated in the FAQ, but none would allow destructive action 
   to be taken. 
HTTP Request Encoding vulnerability: 
 - In order to exploit this vulnerability successfully, the 
   attacker would need to possess significant personal 
   information about the victim, such as what web services the 
   user subscribed to, folder structures, and so forth. 
 - Even if the attacker knew the requisite personal information,
   factors outside of the attacker's control (such as whether 
   the user was logged onto the service already) could cause the
   user to see prompts and dialogues that would indicate that an
   attack was underway. 
 - It is unlikely that the vulnerability could be used to target 
   large populations; it is likely that it could be used only against
   specific targets. 
New variant of Telnet Invocation vulnerability: 
 - This vulnerability is only a concern for customers who are using 
   the Telnet client that ships as part of Services for Unix 2.0. 
   No other versions of Telnet contain the command-line feature to 
   create log files, including the versions that ship by default 
   as part of Windows platforms. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms01-051.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Michiel Kikkert (security@kikkert.nl) 
 - Joao Gouviea (tharbad@kaotik.org) 

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO8TtC40ZSRQxA/UrAQHy0Af+MZN2lTMZ4+pE0uemyAZQjVKW52+L5LkD
nzUEE6pUz5ZSCRNQBxjMUD53FDJYuIuopjp65w/Tc2oAnDbLwq0Zjm9p36egJCbG
y8v6ZwSgG1SSMsM0IBsH651TLvUjbnURpE5h3aMFwtjUH2I/LmBxV2dGMlmZ4xuN
jvNCyulh6o9ES2bxdKCRGznoE1afrbC8FMtaYqVKLRUuhTfQ997Z9wO4cxBSLeKM
owHlkmUpL+bHA+to62F3gL/bIkPoYW2+LTG8GHNewJqsib4TNRW3dI+bFfKNhOap
jCAzSVF8AtM7vTf1vAUMA1FRoJr25Obg2P3ZAiunvG9LTKeqM1/jbA==
=pdOt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO8WP8Ch9+71yA2DNAQE0dQQAncLRt0BD+3E1Uw9IzQN2D9yeIN8X3hFI
xSH2zUPZNkFKKoV6aNzSMXyw1dMSEHnJ+Jc3XDGOEIGPa078R9ys1y73pKtq5Wb9
n1+e9Gf2hZ43/Rg9kJAY5SyEYclJpkalJOIGTHyHnBLHNk5/iYg7/w37yWwunryj
KRVpv/xYyrQ=
=uixp
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1&it=1534