Hello!
I believe this vulnerability can be exploited
remotely because a browser like IE can remotely
be redirected to the UNC path or made to open a
file in a UNC path:
The following pieces of code can be in a HTML
page on the web or in a HTML email/newsgroup
message:
<IFRAME
src="\\ip\sharename\......."></IFRAME> or
<IMG src="\\ip\sharename\......."> or
<SCRIPT
src="\\ip\sharename\......."></SCRIPT>
...etc...
Any user that visits the page or reads the
message will locally try to open the page, and
thus allow the vulnerability to be exploited.
TO NSFOCUS: I have tried to reproduce the bug
on my win 2000 system using the above tags in a
HTML page in IE 6.0 but all I got was a 'invalid
pointer' error. Also, I have tried to reply to you
directly but the email bounced. Please give me
some more information on how to produce the
bug so I can do some testing on the remote
exploit or test the scenario explain above yourself.
Kinds regards,
Berend-Jan Wever
(I am replying this late because I'm having trouble
posting to bugtraq through email and finally gave
up and did it online at the site.)
