OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Win 2000 & IE 'shell://' problem?
From: Chris Hall (jslatHOTMAIL.COM)
Date: Wed May 31 2000 - 19:16:18 CDT

I am Running build 2195 (5.0.2195) Default install and doing just
a "shell:" causes IE to Flicker and create a C:\user.dmp but not close
Tried this in Windows explorer, doing just a "shell:", The Results varied,
sometimes it would close generate a user.dmp file, but doing a "shell:\\"
the results were the same as in IE ( except it would close. ) i really don't
know too much about the inards workings of win, but
is strange to say the least.

just my 2 cents.

Chris
>
>Running build 2195 of Win2K Professional with IE 5.00.2920.0000CO and doing
>just "shell://" produced: Explorer has generated errors and is being closed
>by windows and must be restarted, as an error message. However, Explorer
>self restarted with no loss of open documents, or did any application die.
>I did not get the Icon dump reported below.
>
>Running "shell://localhost" produced identical results.
>
>What I found most amusing is that I could only produce a problem if I had
>multiple instances of IE running. If only one instance of IE was running,
>all these commands seemed to do was produce a few seconds of screen
>flicker.
>
>Walter
>
> > -----Original Message-----
> > From: VULN-DEV List [mailto:VULN-DEVSECURITYFOCUS.COM]On Behalf Of Rob
> > Beneson
> > Sent: Wednesday, May 31, 2000 2:14 AM
> > To: VULN-DEVSECURITYFOCUS.COM
> > Subject: Re: Win 2000 & IE 'shell://' problem?
> >
> >
> > Well, just to let you know, I am running build 2195 (5.0.2195)of Win2k
> > Advanced Server, with IE 5.00.2920.0000 and this didn't crash explorer.
> > Allthough, IE wasn't very happy, and it dumped the icons in my tray, and
> > tried to dump explorer alltogher, but explorer came right back up after
>a
> > second of doubt along with half my tray icons! Go M$!
> > Hope this can add to the info.
> >
> > Rob
> >
> >
> > ----Original Message Follows----
> > From: Stephen John <spjohnMAIL.UTEXAS.EDU>
> > Reply-To: Stephen John <spjohnMAIL.UTEXAS.EDU>
> > To: VULN-DEVSECURITYFOCUS.COM
> > Subject: Win 2000 & IE 'shell://' problem?
> > Date: Tue, 30 May 2000 15:33:32 -0500
> > MIME-Version: 1.0
> > Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
> > MHotMailBAFDE93C0031D820F3DBCF7E7F44D4060; Tue May 30 22:08:12 2000
> > Received: from lists.securityfocus.com (lists.securityfocus.com
> > [207.126.127.68])by lists.securityfocus.com (Postfix) with ESMTPid
> > 8E87F1F12F; Tue, 30 May 2000 22:02:23 -0700 (PDT)
> > Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
> > (LISTSERV-TCP/IP release 1.8d) with spool id 10474837 for
> > VULN-DEVLISTS.SECURITYFOCUS.COM; Tue, 30 May 2000 22:02:12 -0700
> > Received: from securityfocus.com (mail.securityfocus.com
>[207.126.127.78])
> > by lists.securityfocus.com (Postfix) with SMTP id 622EE1EED8
>for
> > <vuln-devlists.securityfocus.com>; Tue, 30 May 2000 13:37:03
>-0700
> > (PDT)
> > Received: (qmail 9116 invoked by alias); 30 May 2000 20:37:07 -0000
> > Received: (qmail 9113 invoked from network); 30 May 2000 20:37:06 -0000
> > Received: from devmail.dev.tivoli.com (208.230.244.136) by
> > mail.securityfocus.com with SMTP; 30 May 2000 20:37:06 -0000
> > Received: from spjohn1 (spjohn1.dev.tivoli.com [146.84.25.74]) by
> > devmail.dev.tivoli.com (8.9.1/8.8.8) with SMTP id PAA17382 for
> > <vuln-devsecurityfocus.com>; Tue, 30 May 2000 15:37:01 -0500 (CDT)
> > From owner-vuln-devSECURITYFOCUS.COM Tue May 30 22:10:50 2000
> > Approved-By: BlueBoarTHIEVCO.COM
> > Delivered-To: vuln-devlists.securityfocus.com
> > Delivered-To: vuln-devsecurityfocus.com
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 5.00.2919.6700
> > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> > Message-ID: <001001bfca76$52b63dd0$4a195492dev.tivoli.com>
> > Sender: VULN-DEV List <VULN-DEVSECURITYFOCUS.COM>
> > X-To: vuln-devsecurityfocus.com
> >
> > I found that IE 5 running Win 2000 accepts "shell://" as a legal
>protocol,
> > and when any URL ie "shell://localhost" or just "shell://" is loaded IE
> > crashes and brings explorer.exe down with it. I think this would cause
>a
> > user who didnt know much to think that Win 2000 had crashed (of course
> > killing the tasks iexplore.exe and explorer.exe then restarting
>explorer,
> > will solve the problem).
> >
> > I don't think this is a huge security hole, but being able to
> > crash explorer
> > remotely is a security problem.
> >
> > This can be exploited via a <A
>href=shell://somehost>Kill
> > explorer!></A>
> > or if scripting is on, by embedding a
> > onLoad="window.location='shell://localhost'"
> > into the body tag.
> > It takes about 5 seconds to crash IE/explorer, the IE window blinks a
>few
> > times before the crash. I'm not sure what IE is trying to do here, but
>it
> > is never sucsessful.
> >
> > I was able to reproduce this on 2 systems with Win 2000 Professional
> > 5.00.2195, using IE 5.00.2920.0000.
> > I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did
>not
> > see this behavior.
> > Also Netscape does not seem to recognize shell:// as a valid protocol.
> >
> > Could anyone see if this problem is occurs on other version of NT/IE, or
> > maybe is there is a better way to exploit it?
> >
> >
> > Stephen John
> > Student University of Texas
> > Webmaster http://www.securityauditor.com
> >
> > ________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> >

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com