Message-ID: <82CB183EE984504CB89566128AEE6FD9343B74@is6b>
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: shell:windows command question
After looking more in depth this morning I found IE isn't vulnerable on the
same level Firefox is.
IE will prompt the user to Open / Save before running and Mozilla will just
run the app.
I have played with a lot of .exe's in the /system32 and it seems to call
them without any problems except for cmd.exe.
Not sure if a directory traversal is possible.
I'm going to look more into it today if I have time.
JP
-----Original Message-----
From: Andreas Sandblad [mailto:sandblad@....umu.se]
Sent: Thursday, July 08, 2004 4:17 AM
To: Barry Fitzgerald
Cc: Perrymon, Josh L.; FULL-DISCLOSURE@...ts.netsys.com
Subject: Re: [Full-Disclosure] shell:windows command question
Did some quick search on Bugzilla and came up with the following:
Mozilla allows external protocols as discussed in:
http://bugzilla.mozilla.org/show_bug.cgi?id=167475
They seem to blacklist the following external protocol handlers:
(patch http://bugzilla.mozilla.org/attachment.cgi?id=102263&action=view)
hcp, vbscript, javascript, ms-help, vnd.ms.radio
A simple solution would be to add the shell protocol to this list.
Personally I think a secure blacklist is hard to maintain as new
dangerous external protocols could be invented by third-parties leaving
Mozilla vulnerable again.
/Andreas Sandblad
On Thu, 8 Jul 2004, Andreas Sandblad wrote:
> It doesn't seem to affect Windows 2000, only Windows XP.
> This is a fault in Mozilla. Why? Because it allows access to a dangerous
> protocol from within a non local resource. The Mozilla project should fix
> this before anyone creates an exploit to run arbitrary code.
>
> Personally I think the shell: issue should have been reported to the
> Mozilla security team before published to the masses.
>
> /Andreas Sandblad
>
> On Wed, 7 Jul 2004, Barry Fitzgerald wrote:
>
> > I just verified this in Mozilla 1.7 on Windows XP pro.
> >
> > (I know -- no reason why it shouldn't work on 1.7 if it worked on firefox)
> >
> > In any case, it does appear to be an issue with MS Windows and not
> > Mozilla, but the Mozilla project should still, IMO, filter out the
> > shell: scheme type and other dangerous (but essentially useless on the
> > web) scheme types identified in MS Windows. In fact, they should filter
> > all out except for accepted scheme types. Default-closed as opposed to
> > default-open.
> >
> > -Barry
> >
> >
> > Andreas Sandblad wrote:
> >
> > >This is dangerous. Based on the file extension of the shell protocol
> > >different applications may be launched. For example:
> > >shell:.its will launch Internet Explorer
> > >and shell:.mp3 will launch Winamp.
> > >
> > >The trick is to find an application that will overflow when given a
> > >very long parameter. A quick check showed that a buffer overflow occurred
> > >within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
> > >bytes with the following URL:
> > >shell:[x*221].grp
> > >EIP can be controlled, but exploitation is a bit tricky since parameter is
> > >stored as unicode.
> > >
> > >Also Winamp contains a BO (no unicode here).
> > >
> > >Tested environment:
> > >Windows XP pro + FireFox 0.9.1
> > >
> > >/Andreas Sandblad
> > >
> > >On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:
> > >
> > >
> > >
> > >>-----snip------
> > >>center><br><br><img src="nocigar.gif"></center>
> > >><center>
> > >><a href="shell:windows\snakeoil.txt">who goes there</a></center>
> > >><iframe
> > >>src="http://windowsupdate.microsoft.com%2F.http-
> > >>equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
> > >>[customise as you see fit]
> > >><http://www.malware.com/stockpump.html>
> > >>------end----------
> > >>The code above has interest to me.
> > >>Even in Mozilla the commands below will work.
> > >><a href=shell:windows\\system32\\calc.exe>1</a>
> > >><a href=shell:windows\system32\calc.exe>2</a>
> > >><a href=shell:windows\system32\winver.exe>4</a>
> > >>Just save them to an .html file and run it.
> > >>The first one with the double quotes was from bugtraq:
> > >>Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
> > >><http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
> > >>The links below that will run calc as well as winver.
> > >>It seems it calls windows as a virtual dir because c:\winxp is what I have.
> > >>I have been playing around to see if cmd.exe will work with it but without luck.
> > >>This is what is in the registry.
> > >>HKEY_CLASSES_ROOT\Shell
> > >>Look in the registry key above. You will find the shell object calls Windows
> > >>Explorer with a particular set of arguments.
> > >>%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
> > >>So this is tied to explorer.exe. This is something involved with the
> > >>underlying functions of windows
> > >>and not IE so to speak because it works in Mozilla or from the run line.
> > >>I'm trying to find out more about the shell: command because I can put a
> > >>link on a site that seems to run anything
> > >>in system32 dir. I'd like to see if you can pass parameters to it.
> > >>
> > >>Anyone give me more info on the shell:windows command?
> > >>JP
> > >>
> > >>
> > >>Joshua Perrymon
> > >>Sr. Network Security Consultant
> > >>PGP Fingerprint
> > >>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
> > >>
> > >>_______________________________________________
> > >>Full-Disclosure - We believe in it.
> > >>Charter: http://lists.netsys.com/full-disclosure-charter.html
--
_ _
o' \,=./ `o
(o o)
---ooO--(_)--Ooo---
Andreas Sandblad
Umeå, Sweden
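An added example (not code from Mozilla or from anyone in this thread) contrasting the blocklist of external protocol handlers from the Bugzilla patch named above with the default-closed allowlist Barry argues for; the allowlist contents and the sample links are assumptions constructed for the demonstration.

```javascript
// Compare a blocklist of known-dangerous external protocol handlers with a
// default-closed allowlist of schemes a web page may dispatch to.
// Example code, not Mozilla's; lists and sample links are assumed/constructed.

// Blocklist as described in the thread (hcp, vbscript, javascript, ms-help,
// vnd.ms.radio): everything not listed is still handed to an external handler.
const BLOCKED_SCHEMES = new Set(["hcp", "vbscript", "javascript", "ms-help", "vnd.ms.radio"]);

// Allowlist (assumed for this example): only these schemes leave the browser.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Extract the scheme the way a URL parser would: ignore leading whitespace
// and C0 controls, require RFC 3986 scheme syntax before the first ':',
// and normalise case. Returns null for a relative reference (no scheme).
function schemeOf(href) {
  const m = /^[\s\u0000-\u001f]*([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Default-open policy: dispatch unless the scheme is explicitly blocked.
function blocklistAllows(href) {
  const s = schemeOf(href);
  return s === null || !BLOCKED_SCHEMES.has(s);
}

// Default-closed policy: dispatch only if the scheme is explicitly allowed.
// A relative reference resolves against the page itself, so it is permitted.
function allowlistAllows(href) {
  const s = schemeOf(href);
  return s === null || ALLOWED_SCHEMES.has(s);
}

// Constructed sample hrefs, including shell: links of the kind in the thread.
const SAMPLE_LINKS = [
  "http://lists.netsys.com/full-disclosure-charter.html",
  "page.html",
  "shell:windows\\system32\\calc.exe",
  " SHELL:.grp",
  "javascript:alert(1)",
];

// Evaluate every sample link under both policies for side-by-side comparison.
function evaluate(links) {
  return links.map(h => ({
    href: h, scheme: schemeOf(h),
    blocklist: blocklistAllows(h), allowlist: allowlistAllows(h),
  }));
}
```

The shell: links pass the blocklist untouched but are refused by the allowlist, which is the gap Andreas describes when he says a blacklist is hard to keep complete.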