OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-Disclosure] shell:windows command question

From: Andreas Sandblad (sandbladacc.umu.se)
Date: Thu Jul 08 2004 - 03:46:29 CDT


It doesn't seem to affect Windows 2000, only Windows XP.
This is a fault in Mozilla. Why? Because it allows access to a dangerous
protocol from within a non local resource. The Mozilla project should fix
this before anyone creates an exploit to run arbitrary code.

Personally I think the shell: issue should have been reported to the
Mozilla security team before publiced to the masses.

/Andreas Sandblad

On Wed, 7 Jul 2004, Barry Fitzgerald wrote:

> I just verified this in Mozilla 1.7 on Windows XP pro.
>
> (I know -- no reason why it shouldn't work on 1.7 if it worked on firefox)
>
> In any case, it does appear to be an issue with MS Windows and not
> Mozilla, but the Mozilla project should still, IMO, filter out the
> shell: scheme type and other dangerous (but essentially useless on the
> web) scheme types identified in MS Windows. In fact, they should filter
> all out accept for accepted scheme types. Default-closed as opposed to
> default-open.
>
> -Barry
>
>
> Andreas Sandblad wrote:
>
> >This is dangerous. Based on the file extension of the shell protocol
> >different applications may be launched. For example:
> >shell:.its will launch Internet Explorer
> >and shell:.mp3 will launch Winamp.
> >
> >The trick is to find an application that will overflow when given a
> >very long parameter. A quick check showed that a buffer overflow occured
> >within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
> >bytes with the following URL:
> >shell:[x*221].grp
> >EIP can be controled, but exploitation is a bit tricky since parameter is
> >stored as unicode.
> >
> >Also Winamp contains an BO (no unicode here).
> >
> >Tested environment:
> >Windows XP pro + FireFox 0.9.1
> >
> >/Andreas Sandblad
> >
> >On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:
> >
> >
> >
> >>-----snip------
> >>center><br><br><img src="nocigar.gif"></center>
> >><center>
> >><a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
> >>src="http://windowsupdate.microsoft.com%2F.http-
> >>equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
> >>[customise as you see fit]
> >><http://www.malware.com/stockpump.html>
> >>------end----------
> >>The code above has interest to me.
> >>Even in Mozilla the commands below will work.
> >><a href=shell:windows\\system32\\calc.exe>1</a>
> >><a href=shell:windows\system32\calc.exe>2</a>
> >><a href=shell:windows\system32\winver.exe>4</a>
> >>Just save them to an .html file and run it.
> >>The first one with the double quotes was from bugtraq:
> >>Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
> >><http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
> >>The links below that will run calc as well as winver.
> >>It seems it calls windows as a virtual dir because c:\winxp is what I have.
> >>I have been playing around to see if cmd.exe will work with it but without
> >>luck.
> >>This is what is in the registry.
> >>HKEY_CLASSES_ROOT\Shell
> >>Look in the registry key above. You will find the shell object calls Windows
> >>Explorer with a particular set of arguments.
> >>%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
> >>So this is tied to explorer.exe. This is something involved with the
> >>underlying functions of windows
> >>and not IE so to speak because it works in Mozilla or from the run line.
> >>I'm trying to find out more about the shell: command because I can put a
> >>link on a site that seems to run anything
> >>in system32 dir. I'd like to see if you can pass parameters to it.
> >>
> >>Anyone give me more info on the shell:windows command?
> >>JP
> >>
> >>
> >>Joshua Perrymon
> >>Sr. Network Security Consultant
> >>PGP Fingerprint
> >>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
> >>
> >>**********CONFIDENTIALITY NOTICE**********
> >>The information contained in this e-mail may be proprietary and/or
> >>privileged and is intended for the sole use of the individual or
> >>organization named above. If you are not the intended recipient or an
> >>authorized representative of the intended recipient, any review, copying
> >>or distribution of this e-mail and its attachments, if any, is prohibited.
> >>If you have received this e-mail in error, please notify the sender
> >>immediately by return e-mail and delete this message from your system.
> >>
> >>
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >>
> >>
> >
> >
> >
>

--
      _ _
    o' \,=./ `o
       (o o)
---ooO--(_)--Ooo---
 Andreas Sandblad
      Sweden

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html