Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

From: Eiji James Yoshida (ptrs-ejyBP.IIJ4U.OR.JP)
Date: Wed Oct 08 2003 - 08:56:47 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]

Date:
~~~~~~~~~~~~~~~~~~~~~~~
8 October 2003

Author:
~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejybp.iij4u.or.jp]

Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 (Internet Explorer 6.0)

Overview:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows a remote attacker to traverse out of the "Shell Folders" directories.
Through this vulnerability a remote attacker can reach files under the %USERPROFILE% folder without having to guess the
target user name, because the shell folder name is resolved to the profile path of whichever user follows the link.

ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"

Details:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows a remote attacker to traverse out of the "Shell Folders" directories and access arbitrary files via a
"shell:[Shell Folder]\..\" path in a malicious link. The "shell:" handler resolves the folder name to the path stored under
the registry key below and then appends the remainder of the link, including "..\" components, without restricting the
result to that folder.

[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
 Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
 Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
 Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
 NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
 Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
 PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
 Recent: "C:\Documents and Settings\%USERNAME%\Recent"
 SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
 Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
 Templates: "C:\Documents and Settings\%USERNAME%\Templates"
 Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
 Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
 Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
 Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
 Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
 History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
 My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
 Fonts: "C:\WINDOWS\Fonts"
 My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
 My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
 CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
 Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"

Exploit code:
~~~~~~~~~~~~~~~~~~~~~~~
**************************************************
This proof of concept opens %TEMP%\exploit.html (under the target user's Local Settings\Temp folder).
Create that file first, then click the malicious link.
**************************************************

Malicious link:
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>
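The following is an added example, not code from the advisory or from Windows: a small Python model of how a "shell:" link is resolved against the per-user "Shell Folders" values listed above, showing why "shell:cache\..\..\..." lands outside the named folder, beside a hardened resolver that canonicalises the result and refuses anything that escapes the folder. The user name "alice", the subset of shell folders and the sample links are constructed for the example; Windows' real handler is not reproduced here.

```python
# Added example (not from the advisory): model of "shell:<folder>\<rest>" resolution
# against the HKCU\...\Explorer\Shell Folders values, plus a hardened variant.
# This is an illustrative re-implementation, not the Windows shell: handler itself.
import ntpath

# Constructed sample of the "Shell Folders" values for a hypothetical user "alice"
# (a subset of the advisory's list; keys lower-cased for case-insensitive lookup).
USERPROFILE = r"C:\Documents and Settings\alice"
SHELL_FOLDERS = {
    "cache": USERPROFILE + r"\Local Settings\Temporary Internet Files",
    "history": USERPROFILE + r"\Local Settings\History",
    "personal": USERPROFILE + r"\My Documents",
    "desktop": USERPROFILE + r"\Desktop",
    "fonts": r"C:\WINDOWS\Fonts",
}


def split_shell_url(url):
    """Split 'shell:<folder>\\<relative path>' into (folder, relative).

    Forward slashes are treated as path separators, as the Windows shell does.
    """
    if not url.lower().startswith("shell:"):
        raise ValueError("not a shell: URL: %r" % url)
    rest = url[len("shell:"):].replace("/", "\\")
    folder, _sep, relative = rest.partition("\\")
    folder = folder.lower()
    if folder not in SHELL_FOLDERS:
        raise ValueError("unknown shell folder: %r" % folder)
    return folder, relative


def resolve_naive(url):
    """Vulnerable behaviour: look up the base folder and join the rest as-is.

    ntpath.normpath collapses '..' components, so the result can land anywhere
    the attacker can count their way to, e.g. %USERPROFILE%\\Local Settings\\Temp.
    """
    folder, relative = split_shell_url(url)
    base = SHELL_FOLDERS[folder]
    return ntpath.normpath(ntpath.join(base, relative)) if relative else base


def resolve_safe(url):
    """Hardened: canonicalise, then require the result to stay under the base folder.

    Catches '..' traversal and also an absolute path smuggled in as the remainder
    (ntpath.join discards the base when the second part has its own drive/root).
    """
    folder, relative = split_shell_url(url)
    base = ntpath.normpath(SHELL_FOLDERS[folder])
    target = ntpath.normpath(ntpath.join(base, relative)) if relative else base
    # Case-insensitive prefix check with a trailing separator so that a sibling
    # such as "...\Desktop2" is not mistaken for something under "...\Desktop".
    t, b = target.lower(), base.lower()
    if t != b and not t.startswith(b + "\\"):
        raise ValueError("path escapes shell folder %r: %s" % (folder, target))
    return target


def escapes(url):
    """True if the hardened resolver rejects the link as leaving its shell folder."""
    try:
        resolve_safe(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    link = r"shell:cache\..\..\Local Settings\Temp\exploit.html"
    print("naive  :", resolve_naive(link))
    print("escapes:", escapes(link))
```

Running the block prints the advisory's link resolved to alice's Local Settings\Temp\exploit.html under the naive rule, while the hardened resolver rejects it; a link such as "shell:cache\sub\..\index.dat", whose ".." stays inside the folder, is still accepted.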

Workaround:
~~~~~~~~~~~~~~~~~~~~~~~
None.

Vendor Status:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.

Microsoft Knowledge Base (KB829493)
[http://support.microsoft.com/default.aspx?scid=829493]

Thanks:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)

Similar vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]

- -------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejybp.iij4u.or.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
YZTkthwnHxD1BW+YxEPzMPaV
=8/8o
-----END PGP SIGNATURE-----
