Subject: Re: Win 2000 & IE 'shell://' problem?
From: Tobias Paprotta aka friedbits (lamerhqGMX.DE)
Date: Mon May 01 2000 - 13:40:45 CDT


At 15:33 30.05.2000 -0500, Stephen John wrote:
>I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol,
>and when any URL, i.e. "shell://localhost" or just "shell://", is loaded IE
>crashes and brings explorer.exe down with it. I think this would cause a
>user who didn't know much to think that Win 2000 had crashed (of course
>killing the tasks iexplore.exe and explorer.exe then restarting explorer,
>will solve the problem).
>
>I don't think this is a huge security hole, but being able to crash
>explorer remotely is a security problem.
>
>This can be exploited via a <A href=shell://somehost>Kill
>explorer!></A>
>or if scripting is on, by embedding
>an onLoad="window.location='shell://localhost'"
>into the body tag.
>It takes about 5 seconds to crash IE/explorer, the IE window blinks a few
>times before the crash. I'm not sure what IE is trying to do here, but it
>is never successful.
>
>I was able to reproduce this on 2 systems with Win 2000 Professional
>5.00.2195, using IE 5.00.2920.0000.
>I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not
>see this behavior.
>Also Netscape does not seem to recognize shell:// as a valid protocol.
>
>Could anyone see if this problem occurs on other versions of NT/IE, or
>maybe if there is a better way to exploit it?
>
>
>Stephen John
>Student University of Texas
>Webmaster http://www.securityauditor.com

I have tested this on the German release version of Windows 2000 and found
it non-working.
5.00.2920.0000 is the version of IE this was tested on under Win2k 5.00.2195.
However, IE accepts the URL and seems to open a few windows and close
them. However, I can't reproduce the crash of IE and explorer here.
NT 4.0 Server SP5 running IE 5 doesn't seem to be vulnerable either.

Tobias Paprotta
tobiaspaprotta.de
Security Consultant - nsc solutions, Germany - www.nsc-solutions.com
-- Use OpenBSD - Security enabled by Default - www.openbsd.org --