search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer (IE) calls telnet.exe with unsafe command-line arguments ("Telnet Invocation")

Vulnerability Note VU#952611

Original Release Date: 2001-11-29 | Last Revised: 2001-11-29

Overview

A telnet client can be invoked with unsafe options by arbitrary HTML ("web") pages when rendered by affected Microsoft Internet Explorer clients.

Description

This vulnerability is also known as the "telnet logging" or "telnet invocation" or "Microsoft IE Telnet Client File Overwrite" vulnerability. A similar vulnerability was first described in Microsoft Security Bulletin MS01-015.

When vulnerable versions of Internet Explorer render HTML with malicious 'telnet:' tags, the telnet.exe client can be called with unsafe arguments. A telnet option may be specified which directs transcripts or logs of a telnet session to overwrite or create arbitrary files on a victim's system. These files could contain data chosen by an attacker to gain further privileges on a target system.

The telnet package used may be installed as part of the Services for UNIX 2.0 package on computers that are running Windows NT 4.0, Windows 2000, or Windows XP.

Impact

A remote attacker may write files onto the system of a user who either visited a malicious web site or opened malicious HTML-formatted mail.The vulnerability could be used to place a file onto the victim's computer which could then run automatically each time the user logged on (i.e., a file installed in the victim's Start folder can allow arbitrary commands to be executed).

Solution

Apply the patch provided by Microsoft at
http://www.microsoft.com/windows/ie/downloads/critical/q306121/default.asp

Note this patch can only be applied after having upgraded to Internet Explorer 5.5 Service Pack 2 (SP2), Internet Explorer 5.01 SP2, or having applied the patch fixing the original vulnerability, Q28043.

No previous updates are needed to patch and remove this vulnerability in Internet Explorer 6 clients.

Alternately, remove the telnet client installed as part of the "Services for Unix 2.0" package, if installed.

Vendor Information

952611
 

Microsoft Affected

Updated:  November 28, 2001

Status

Affected

Vendor Statement

Please see MS01-051 at:

http://www.microsoft.com/technet/security/bulletin/ms01-051.asp

Systems affected include:

    • Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 2000
    • Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 95
    • Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 98
    • Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows 98 Second Edition
    • Microsoft Internet Explorer versions 5.01 Service Pack 1, 5.5, 5.5 Service Pack 1 for Windows NT 4.0
    • Microsoft Internet Explorer version 6 for Windows 2000
    • Microsoft Internet Explorer version 6 for Windows 98
    • Microsoft Internet Explorer version 6 for Windows 98 Second Edition
    • Microsoft Internet Explorer version 6 for Windows Millennium Edition
    • Microsoft Internet Explorer version 6 for Windows NT 4.0
    • Microsoft Internet Explorer version 6 for Windows XP

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                   ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Malformed Dotless IP Address Can Cause Web Page to be
           Handled in Intranet Zone
Date:       10 October 2001
Software:   Internet Explorer
Impact:     Three vulnerabilities:
- Cause web page to render a web page using inappropriate security
  settings
- Send commands to a third-party web site in the guise of the user
- Create a file on the system of a user who visited a web site.
Bulletin:   MS01-051

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-051.asp.
- ----------------------------------------------------------------------

Issue:
======
This patch eliminates three vulnerabilities affecting Internet
Explorer. The first involves how IE handles URLs that include dotless
IP addresses. If a web site were specified using a dotless IP format
(e.g.,
http://031713501415 rather than http://207.46.131.13), and the
request were malformed in a particular way, IE would not recognize
that the site was an Internet site. Instead, it would treat the site
as an intranet site, and open pages on the site in the Intranet Zone
rather than the correct zone. This would allow the site to run with
fewer security restrictions than appropriate. This vulnerability does
not affect IE 6.

The second involves how IE handles URLs that specify third-party
sites. By encoding an URL in a particular way, it would be possible
for an attacker to include HTTP requests that would be sent to the
site as soon as a connection had been established. These requests
would appear to have originated from the user. In most cases, this
would only allow the attacker to send the user to a site and request
a page on it. However, if exploited against a web-based service
(e.g., a web-based mail service), it could be possible for the
attacker to take action on the user's behalf, including sending a
request to delete data.

The third is a new variant of a vulnerability discussed in Microsoft
Security Bulletin MS01-015, affecting how Telnet sessions are invoked
via IE. By design, telnet sessions can be launched via IE. However, a
vulnerability exists because when doing so, IE will start Telnet
using any command-line options the web site specifies. This only
becomes a concern when using the version of the Telnet client that
installs as part of Services for Unix (SFU) 2.0 on Windows NT(r) 4.0
or Windows(r) 2000 machines. The version of the Telnet client in SFU
2.0 provides an option for creating a verbatim transcript of a Telnet
session. An attacker could start a session using the logging option,
then stream an executable file onto the user's system in a location
that would cause it to be executed automatically the next time the
user booted the machine. The flaw does not lie in the Telnet client,
but in IE, which should not allow Telnet to be started remotely with
command-line arguments.

Mitigating Factors:
====================
Zone Spoofing vulnerability:
- The default settings in the Intranet Zone differ in only a few
  ways from those of the Internet Zone. The differences are
  enumerated in the FAQ, but none would allow destructive action
  to be taken.
HTTP Request Encoding vulnerability:
- In order to exploit this vulnerability successfully, the
  attacker would need to possess significant personal
  information about the victim, such as what web services the
  user subscribed to, folder structures, and so forth.
- Even if the attacker knew the requisite personal information,
  factors outside of the attacker's control (such as whether
  the user was logged onto the service already) could cause the
  user to see prompts and dialogues that would indicate that an
  attack was underway.
- It is unlikely that the vulnerability could be used to target
  large populations; it is likely that it could be used only against
  specific targets.
New variant of Telnet Invocation vulnerability:
- This vulnerability is only a concern for customers who are using
  the Telnet client that ships as part of Services for Unix 2.0.
  No other versions of Telnet contain the command-line feature to
  create log files, including the versions that ship by default
  as part of Windows platforms.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
 
http://www.microsoft.com/technet/security/bulletin/ms01-051.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Michiel Kikkert (security@kikkert.nl)
- Joao Gouviea (tharbad@kaotik.org)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO8TtC40ZSRQxA/UrAQHy0Af+MZN2lTMZ4+pE0uemyAZQjVKW52+L5LkD
nzUEE6pUz5ZSCRNQBxjMUD53FDJYuIuopjp65w/Tc2oAnDbLwq0Zjm9p36egJCbG
y8v6ZwSgG1SSMsM0IBsH651TLvUjbnURpE5h3aMFwtjUH2I/LmBxV2dGMlmZ4xuN
jvNCyulh6o9ES2bxdKCRGznoE1afrbC8FMtaYqVKLRUuhTfQ997Z9wO4cxBSLeKM
owHlkmUpL+bHA+to62F3gL/bIkPoYW2+LTG8GHNewJqsib4TNRW3dI+bFfKNhOap
jCAzSVF8AtM7vTf1vAUMA1FRoJr25Obg2P3ZAiunvG9LTKeqM1/jbA==
=pdOt
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at
http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  
http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at
http://www.microsoft.com/security.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This variant of the IE "Telnet Invocation" vulnerability first discussed in CVE-2001-0150 was discussed in Microsoft Security Bulletin MS01-051.

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2001-0667
Severity Metric: 30.38
Date Public: 2001-10-10
Date First Published: 2001-11-29
Date Last Updated: 2001-11-29 22:33 UTC
Document Revision: 43

Sponsored by CISA.