| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat Apr 2 18:39:49 2005 From: ptrs-ejy at bp.iij4u.or.jp (Eiji James Yoshida) Subject: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability This problem was corrected in Windows Server 2003 Service Pack 1. Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html Regards, ------------------------------------------------------------- Eiji James Yoshida penetration technique research site E-mail: ptrs-ejy@...iij4u.or.jp URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm ------------------------------------------------------------- > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of > Eiji James Yoshida > Sent: Wednesday, October 08, 2003 10:57 PM > To: full-disclosure@...ts.netsys.com > Subject: [Full-Disclosure] Microsoft Windows Server 2003 > "Shell Folders" Directory Traversal Vulnerability > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Title: > ~~~~~~~~~~~~~~~~~~~~~~~ > Microsoft Windows Server 2003 "Shell Folders" Directory > Traversal Vulnerability > [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html] > > > Date: > ~~~~~~~~~~~~~~~~~~~~~~~ > 8 October 2003 > > > Author: > ~~~~~~~~~~~~~~~~~~~~~~~ > Eiji James Yoshida [ptrs-ejy@...iij4u.or.jp] > > > Vulnerable: > ~~~~~~~~~~~~~~~~~~~~~~~ > Windows Server 2003 (Internet Explorer 6.0) > > > Overview: > ~~~~~~~~~~~~~~~~~~~~~~~ > Windows Server 2003 allows remote attacker to traverse "Shell > Folders" directories. > A remote attacker is able to gain access to the path of the > %USERPROFILE% folder without guessing a target user name by this > vulnerability. > > ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%" > > > Details: > ~~~~~~~~~~~~~~~~~~~~~~~ > Windows Server 2003 allows remote attacker to traverse "Shell > Folders" directories and access arbitrary files via "shell:[Shell > Folders]\..\" in a malicious link. > > [Shell Folders] > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ex > plorer\Shell Folders > AppData: "C:\Documents and Settings\%USERNAME%\Application Data" > Cookies: "C:\Documents and Settings\%USERNAME%\Cookies" > Desktop: "C:\Documents and Settings\%USERNAME%\Desktop" > Favorites: "C:\Documents and Settings\%USERNAME%\Favorites" > NetHood: "C:\Documents and Settings\%USERNAME%\NetHood" > Personal: "C:\Documents and Settings\%USERNAME%\My Documents" > PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood" > Recent: "C:\Documents and Settings\%USERNAME%\Recent" > SendTo: "C:\Documents and Settings\%USERNAME%\SendTo" > Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu" > Templates: "C:\Documents and Settings\%USERNAME%\Templates" > Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs" > Startup: "C:\Documents and Settings\%USERNAME%\Start > Menu\Programs\Startup" > Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings" > Local AppData: "C:\Documents and Settings\%USERNAME%\Local > Settings\Application Data" > Cache: "C:\Documents and Settings\%USERNAME%\Local > Settings\Temporary Internet Files" > History: "C:\Documents and Settings\%USERNAME%\Local > Settings\History" > My Pictures: "C:\Documents and Settings\%USERNAME%\My > Documents\My Pictures" > Fonts: "C:\WINDOWS\Fonts" > My Music: "C:\Documents and Settings\%USERNAME%\My > Documents\My Music" > My Video: "C:\Documents and Settings\%USERNAME%\My > Documents\My Videos" > CD Burning: "C:\Documents and Settings\%USERNAME%\Local > Settings\Application Data\Microsoft\CD Burning" > Administrative Tools: "C:\Documents and > Settings\%USERNAME%\Start Menu\Programs\Administrative Tools" > > > Exploit code: > ~~~~~~~~~~~~~~~~~~~~~~~ > ************************************************** > This exploit reads %TEMP%\exploit.html. > You need to create it. > And click on the malicious link. > ************************************************** > > Malicious link: > <a href="shell:cache\..\..\Local > Settings\Temp\exploit.html">Exploit</a> > > > Workaround: > ~~~~~~~~~~~~~~~~~~~~~~~ > None. > > > Vendor Status: > ~~~~~~~~~~~~~~~~~~~~~~~ > Microsoft was notified on 9 June 2003. > They plan to fix this bug in a future service pack. > > Microsoft Knowledge Base(KB829493) > [http://support.microsoft.com/default.aspx?scid=829493] > > > Thanks: > ~~~~~~~~~~~~~~~~~~~~~~~ > Microsoft Security Response Center > Masaki Yamazaki (Japan GTSC Security Response Team) > Youji Okuten (Japan GTSC Security Response Team) > > > Similar vulnerability: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Microsoft Internet Explorer %USERPROFILE% Folder Disclosure > Vulnerability > [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html] > > > - ------------------------------------------------------------- > Eiji James Yoshida > penetration technique research site > E-mail: ptrs-ejy@...iij4u.or.jp > URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm > - ------------------------------------------------------------- > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8ckt > Comment: Eiji James Yoshida > > iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH > YZTkthwnHxD1BW+YxEPzMPaV > =8/8o > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists