Subject: Win 2000 & IE 'shell://' problem?
From: Stephen John (spjohn MAIL.UTEXAS.EDU)
Date: Tue May 30 2000 - 15:33:32 CDT
I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol, and when any URL, i.e. "shell://localhost" or just "shell://", is loaded, IE crashes and brings explorer.exe down with it. I think this would cause a user who didn't know much to think that Win 2000 had crashed (of course, killing the tasks iexplore.exe and explorer.exe and then restarting explorer will solve the problem).
I don't think this is a huge security hole, but being able to crash explorer remotely is a security problem.
This can be exploited via a <A href=shell://somehost>Kill explorer!></A>
or if scripting is on, by embedding a onLoad="window.location='shell://localhost'"
into the body tag.
It takes about 5 seconds to crash IE/explorer; the IE window blinks a few times before the crash. I'm not sure what IE is trying to do here, but it is never successful.
I was able to reproduce this on 2 systems with Win 2000 Professional 5.00.2195, using IE 5.00.2920.0000.
I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not see this behavior.
Also Netscape does not seem to recognize shell:// as a valid protocol.
Could anyone see if this problem occurs on other versions of NT/IE, or maybe if there is a better way to exploit it?
Stephen John
Student University of Texas
Webmaster http://www.securityauditor.com
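
A defensive check for the two patterns described in the message above, as an added example that is not part of the original post: it scans HTML (for instance at a mail or web proxy) and reports link attributes and event handlers that reference a URL scheme outside an allowlist. The allowlist, the attribute set and the function names are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Assumption for this example: only these URL schemes are expected in scanned content.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src", "action", "background"}
# A scheme followed by ':' at the start of a URL attribute (RFC 3986 scheme syntax).
SCHEME_AT_START = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.I)
# A 'scheme://' appearing anywhere inside script text such as an onLoad handler.
SCHEME_IN_SCRIPT = re.compile(r"\b([a-z][a-z0-9+.\-]*)://", re.I)


class SchemeAuditor(HTMLParser):
    """Collects (tag, attribute, scheme) for every non-allowlisted scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag/attribute names and decodes character
        # references in values, so '&#115;hell://' is seen as 'shell://'.
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                m = SCHEME_AT_START.match(value)
                schemes = [m.group(1)] if m else []
            elif name.startswith("on"):
                schemes = SCHEME_IN_SCRIPT.findall(value)
            else:
                continue
            for scheme in schemes:
                if scheme.lower() not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, scheme.lower()))


def audit_html(html):
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: both patterns from the post plus one benign link.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>Kill explorer!></A>
<a href="http://www.securityauditor.com">ok</a>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```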