Reported October 10, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Internet Explorer 6.0, 5.5, and 5.01


DESCRIPTION
Multiple vulnerabilities exist in Microsoft Internet Explorer (IE). The first vulnerability results from IE's improper handling of dotless IP addresses. For example, if an attacker enters an address of http://3473223093 instead of http://207.5.45.181 and formats the request in a particular way, IE uses the intranet zone to open the site rather than the correct Internet zone. This vulnerability doesn't affect IE 6.0.
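The zone confusion described above comes down to host canonicalization: a URL host such as http://3473223093 is a numeric IPv4 address written without dots, and any security decision (zone assignment, allow-lists, proxy log review) has to be made on the canonical dotted-quad form, not on the raw string. The following example is added here and is not code from Microsoft or from the bulletin; it implements the inet_aton-style parsing that browsers and sockets apply, and goes beyond the decimal form on the page by also handling the hexadecimal, octal and fewer-than-four-part shorthands, then shows a simplified "no dot means intranet" zone rule (an illustrative model, not IE's actual logic) before and after canonicalization.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one numeric component the way inet_aton does:
    '0x' prefix = hexadecimal, leading '0' = octal, otherwise decimal.
    Raises ValueError for anything that is not a plain number."""
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)          # rejects '', '+1', '1_0', unicode digits
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)             # '08' is rejected here, as inet_aton does
    return int(part, 10)


def numeric_host_to_ipv4(host: str) -> Optional[str]:
    """Return the canonical dotted quad for a numeric IPv4 host written in any
    inet_aton form: dotless decimal (3473223093), hex (0xcf052db5), octal
    (0317.5.45.181) or fewer than four parts (207.5.11701).
    Returns None when the host is not a numeric IPv4 address."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    # Every part except the last is a single byte; the last part fills all
    # remaining bytes, so 'a.b' means (a << 24) | b and 'a' means a 32-bit value.
    if any(v > 0xFF for v in head):
        return None
    remaining_bits = 8 * (4 - len(head))
    if last >= 1 << remaining_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << remaining_bits) | last
    return str(ipaddress.IPv4Address(n))


def classify_url_host(url: str) -> dict:
    """Flag URLs whose host is a numeric address written in a non-canonical
    form, the kind of thing a proxy-log review or URL filter should surface."""
    host = urlsplit(url).hostname or ""
    canonical = numeric_host_to_ipv4(host)
    return {
        "host": host,
        "canonical": canonical,
        "obfuscated": canonical is not None and canonical != host,
    }


def naive_zone(host: str) -> str:
    """Simplified model (assumption, not IE's real rule set): a host with no
    dot is treated as an intranet name. Fed the raw string, a dotless
    address lands in the more trusted zone."""
    return "intranet" if "." not in host else "internet"


def hardened_zone(host: str) -> str:
    """Same rule, but applied to the canonical form: numeric addresses are
    normalized to dotted quads first, so the dotless spelling no longer
    looks like a single-label intranet name."""
    return naive_zone(numeric_host_to_ipv4(host) or host)


if __name__ == "__main__":
    # Constructed sample of URL spellings; 3473223093 is the page's own example
    for url in ("http://3473223093/", "http://0xCF052DB5/", "http://207.5.11701/",
                "http://207.5.45.181/", "http://example.com/"):
        info = classify_url_host(url)
        print(url, info["canonical"], "obfuscated" if info["obfuscated"] else "ok",
              naive_zone(info["host"]), "->", hardened_zone(info["host"]))
```

The point of the two zone functions is the ordering: canonicalize first, then decide. The same applies to allow-lists and to log review, where a grep for the dotted-quad of a known-bad address will miss the decimal, hex or octal spellings unless the log pipeline normalizes hosts the way numeric_host_to_ipv4 does.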

The second vulnerability involves how IE handles URLs that specify third-party sites. By encoding a URL in a particular way, an attacker can include and send HTTP requests to the site after establishing a connection, and the requests will look as though a qualified user sent them. If exploited against a Web-based service (such as a Web-based mail service), the attacker can take action on the user's behalf, including sending a request to delete data.


The third vulnerability is a new variant of a vulnerability that Microsoft originally reported in Security Bulletin MS01-015. This vulnerability affects how an attacker can use IE to invoke Telnet sessions. By design, users can use IE to launch Telnet sessions, but doing so starts Telnet using any command-line options the Web site specifies. This functionality becomes a concern only when using the Telnet client version that installs as part of Services for UNIX (SFU) 2.0 on Windows 2000 and Windows NT 4.0 machines. This version of the Telnet client provides an option for creating a verbatim transcript of a Telnet session. An attacker can use the logging option to start a Telnet session, and stream an executable file onto the user's system in a location that automatically executes the file the next time the user boots the machine. The vulnerability doesn't lie in the Telnet client, but in IE, which shouldn't let an attacker start Telnet remotely with command-line arguments.


VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS01-051 to address these vulnerabilities and recommends that affected users apply the patch provided. Microsoft will provide an NT 4.0 Terminal Services patch through the same security bulletin when it becomes available.


CREDIT
Discovered by Michiel Kikkert (dotless IP vulnerability) and Joao Gouviea (HTTP request encoding vulnerability).