lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D523591@pivxwin2k1.secnet.pivx.com>
Date: Thu, 20 May 2004 16:37:19 -0700
From: "Thor Larholm" <thor@...x.com>
To: "roozbeh afrasiabi" <roozbeh_afrasiabi@...oo.com>,
   <bugtraq@...urityfocus.com>
Subject: RE: Internet explorer .clsid vulnerability


This is actually a behavior that is part of Windows Explorer, not
Internet Explorer. I think we have covered this in the past on lists as
well. If it is not already documented somewhere it should be, as this is
how Windows file queries (inside IE) are performed on the local file
system.

Basically, you must first circumvent security zone restrictions and gain
access to execute HTML files from the local file system in the first
place before this is an issue. At this time, it is much more interesting
to use your newly gained privileges to plant an EXE file and execute it
instead of just launching the already installed applications.

When your HTML document is opened from the local file system, it's
working directory is C:\DIR\test.html ( equivelant to the URL
FILE://C:/DIR/test.html ). If you click on a link to "XX" from here or
have it open automatically through an iframe, the browser asks for
FILE://C:/DIR/XX ( "XX" through the FILE protocol from the C:/ host in
the DIR directory ).

In this case, we are asking the browser to retrieve
"FILE://C:/DIR/Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}". IE
queries
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\C to
see if the Host is known (btw, all temporary NetBIOS sessions are stored
here as integers, my currently open share in the dirty network to
\\someserver\c$ is labelled 6 instead of C). It then checks both HKCU
and HKCR in order for instances of that GUID and eventually finds
"C:\PROGRA~1\NETMEE~1\conf.exe" in
HKCR\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32\(Default
) which it then launches. 

You can see this entire registry brawl at
http://jscript.dk/2004/5/clsid.regmon.log

If you try to test your POC from an Internet or Intranet site you will
see that the browser simply asks for a document on the server and in
return gets a 404 Not Found.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>


-----Original Message-----
From: roozbeh afrasiabi [mailto:roozbeh_afrasiabi@...oo.com] 
Sent: Thursday, May 20, 2004 3:52 PM
To: bugtraq@...urityfocus.com
Subject: Internet explorer .clsid vulnerability
<snip>

<a href=Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}>dose not
exist!</a>

<snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ