RE: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
This problem (BugtraqID:7826) was corrected in Windows Server 2003 Service Pack
1.
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.securityfocus.com/archive/1/340666
Microsoft Internet Explorer %USERPROFILE% File Execution Weakness
http://www.securityfocus.com/bid/7826/info/
Regards,
-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy@xxxxxxxxxxxxxx
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------
> -----Original Message-----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Title:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Windows Server 2003 "Shell Folders" Directory
> Traversal Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]
>
>
> Date:
> ~~~~~~~~~~~~~~~~~~~~~~~
> 8 October 2003
>
>
> Author:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [ptrs-ejy@xxxxxxxxxxxxxx]
>
>
> Vulnerable:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 (Internet Explorer 6.0)
>
>
> Overview:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell
> Folders" directories.
> A remote attacker is able to gain access to the path of the
> %USERPROFILE% folder without guessing a target user name by this
> vulnerability.
>
> ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"
>
>
> Details:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell
> Folders" directories and access arbitrary files via "shell:[Shell
> Folders]\..\" in a malicious link.
>
> [Shell Folders]
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ex
> plorer\Shell Folders
> AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
> Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
> Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
> Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
> NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
> Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
> PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
> Recent: "C:\Documents and Settings\%USERNAME%\Recent"
> SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
> Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
> Templates: "C:\Documents and Settings\%USERNAME%\Templates"
> Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
> Startup: "C:\Documents and Settings\%USERNAME%\Start
> Menu\Programs\Startup"
> Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
> Local AppData: "C:\Documents and Settings\%USERNAME%\Local
> Settings\Application Data"
> Cache: "C:\Documents and Settings\%USERNAME%\Local
> Settings\Temporary Internet Files"
> History: "C:\Documents and Settings\%USERNAME%\Local
> Settings\History"
> My Pictures: "C:\Documents and Settings\%USERNAME%\My
> Documents\My Pictures"
> Fonts: "C:\WINDOWS\Fonts"
> My Music: "C:\Documents and Settings\%USERNAME%\My
> Documents\My Music"
> My Video: "C:\Documents and Settings\%USERNAME%\My
> Documents\My Videos"
> CD Burning: "C:\Documents and Settings\%USERNAME%\Local
> Settings\Application Data\Microsoft\CD Burning"
> Administrative Tools: "C:\Documents and
> Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
>
>
> Exploit code:
> ~~~~~~~~~~~~~~~~~~~~~~~
> **************************************************
> This exploit reads %TEMP%\exploit.html.
> You need to create it.
> And click on the malicious link.
> **************************************************
>
> Malicious link:
> <a href="shell:cache\..\..\Local
> Settings\Temp\exploit.html">Exploit</a>
>
>
> Workaround:
> ~~~~~~~~~~~~~~~~~~~~~~~
> None.
>
>
> Vendor Status:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft was notified on 9 June 2003.
> They plan to fix this bug in a future service pack.
>
> Microsoft Knowledge Base(KB829493)
> [http://support.microsoft.com/default.aspx?scid=829493]
>
>
> Thanks:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Security Response Center
> Masaki Yamazaki (Japan GTSC Security Response Team)
> Youji Okuten (Japan GTSC Security Response Team)
>
>
> Similar vulnerability:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer %USERPROFILE% Folder Disclosure
> Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
>
>
> - -------------------------------------------------------------
> Eiji James Yoshida
> penetration technique research site
> E-mail: ptrs-ejy@xxxxxxxxxxxxxx
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> - -------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt
> Comment: Eiji James Yoshida
>
> iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
> YZTkthwnHxD1BW+YxEPzMPaV
> =8/8o
> -----END PGP SIGNATURE-----