lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <002001c537aa$f24bf780$6501a8c0@EnSof>
Date: Sat Apr  2 18:39:49 2005
From: ptrs-ejy at bp.iij4u.or.jp (Eiji James Yoshida)
Subject: Microsoft Windows Server 2003 "Shell Folders"
	Directory Traversal Vulnerability

This problem was corrected in Windows Server 2003 Service Pack 1.

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

Regards,
-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy@...iij4u.or.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Eiji James Yoshida
> Sent: Wednesday, October 08, 2003 10:57 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Microsoft Windows Server 2003 
> "Shell Folders" Directory Traversal Vulnerability
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Title:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Windows Server 2003 "Shell Folders" Directory 
> Traversal Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]
> 
> 
> Date:
> ~~~~~~~~~~~~~~~~~~~~~~~
> 8 October 2003
> 
> 
> Author:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [ptrs-ejy@...iij4u.or.jp]
> 
> 
> Vulnerable:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 (Internet Explorer 6.0)
> 
> 
> Overview:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell 
> Folders" directories.
> A remote attacker is able to gain access to the path of the 
> %USERPROFILE% folder without guessing a target user name by this
> vulnerability.
> 
> ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"
> 
> 
> Details:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell 
> Folders" directories and access arbitrary files via "shell:[Shell
> Folders]\..\" in a malicious link.
> 
> [Shell Folders]
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ex
> plorer\Shell Folders
>  AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
>  Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
>  Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
>  Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
>  NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
>  Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
>  PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
>  Recent: "C:\Documents and Settings\%USERNAME%\Recent"
>  SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
>  Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
>  Templates: "C:\Documents and Settings\%USERNAME%\Templates"
>  Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
>  Startup: "C:\Documents and Settings\%USERNAME%\Start 
> Menu\Programs\Startup"
>  Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
>  Local AppData: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Application Data"
>  Cache: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Temporary Internet Files"
>  History: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\History"
>  My Pictures: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Pictures"
>  Fonts: "C:\WINDOWS\Fonts"
>  My Music: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Music"
>  My Video: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Videos"
>  CD Burning: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Application Data\Microsoft\CD Burning"
>  Administrative Tools: "C:\Documents and 
> Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
>  
> 
> Exploit code:
> ~~~~~~~~~~~~~~~~~~~~~~~
> **************************************************
> This exploit reads %TEMP%\exploit.html.
> You need to create it.
> And click on the malicious link.
> **************************************************
> 
> Malicious link:
> <a href="shell:cache\..\..\Local 
> Settings\Temp\exploit.html">Exploit</a>
> 
> 
> Workaround:
> ~~~~~~~~~~~~~~~~~~~~~~~
> None.
> 
> 
> Vendor Status:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft was notified on 9 June 2003.
> They plan to fix this bug in a future service pack.
> 
> Microsoft Knowledge Base(KB829493)
> [http://support.microsoft.com/default.aspx?scid=829493]
> 
> 
> Thanks:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Security Response Center
> Masaki Yamazaki (Japan GTSC Security Response Team)
> Youji Okuten (Japan GTSC Security Response Team)
> 
> 
> Similar vulnerability:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer %USERPROFILE% Folder Disclosure 
> Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
> 
> 
> - -------------------------------------------------------------
> Eiji James Yoshida
> penetration technique research site
> E-mail: ptrs-ejy@...iij4u.or.jp
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> - -------------------------------------------------------------
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt
> Comment: Eiji James Yoshida
> 
> iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
> YZTkthwnHxD1BW+YxEPzMPaV
> =8/8o
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ