RE: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
From: "Eiji James Yoshida" <ptrs-ejy@xxxxxxxxxxxxxx>
Date: Sun, 3 Apr 2005 02:39:54 +0900
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: penetration technique research site

This problem (BugtraqID:7826) was corrected in Windows Server 2003 Service Pack 
1.

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.securityfocus.com/archive/1/340666

Microsoft Internet Explorer %USERPROFILE% File Execution Weakness
http://www.securityfocus.com/bid/7826/info/

Regards,
-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy@xxxxxxxxxxxxxx
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------

> -----Original Message-----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Title:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Windows Server 2003 "Shell Folders" Directory 
> Traversal Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]
> 
> 
> Date:
> ~~~~~~~~~~~~~~~~~~~~~~~
> 8 October 2003
> 
> 
> Author:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [ptrs-ejy@xxxxxxxxxxxxxx]
> 
> 
> Vulnerable:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 (Internet Explorer 6.0)
> 
> 
> Overview:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell 
> Folders" directories.
> A remote attacker is able to gain access to the path of the 
> %USERPROFILE% folder without guessing a target user name by this
> vulnerability.
> 
> ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"
> 
> 
> Details:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows remote attacker to traverse "Shell 
> Folders" directories and access arbitrary files via "shell:[Shell
> Folders]\..\" in a malicious link.
> 
> [Shell Folders]
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ex
> plorer\Shell Folders
>  AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
>  Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
>  Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
>  Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
>  NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
>  Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
>  PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
>  Recent: "C:\Documents and Settings\%USERNAME%\Recent"
>  SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
>  Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
>  Templates: "C:\Documents and Settings\%USERNAME%\Templates"
>  Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
>  Startup: "C:\Documents and Settings\%USERNAME%\Start 
> Menu\Programs\Startup"
>  Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
>  Local AppData: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Application Data"
>  Cache: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Temporary Internet Files"
>  History: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\History"
>  My Pictures: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Pictures"
>  Fonts: "C:\WINDOWS\Fonts"
>  My Music: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Music"
>  My Video: "C:\Documents and Settings\%USERNAME%\My 
> Documents\My Videos"
>  CD Burning: "C:\Documents and Settings\%USERNAME%\Local 
> Settings\Application Data\Microsoft\CD Burning"
>  Administrative Tools: "C:\Documents and 
> Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
>  
> 
> Exploit code:
> ~~~~~~~~~~~~~~~~~~~~~~~
> **************************************************
> This exploit reads %TEMP%\exploit.html.
> You need to create it.
> And click on the malicious link.
> **************************************************
> 
> Malicious link:
> <a href="shell:cache\..\..\Local 
> Settings\Temp\exploit.html">Exploit</a>
> 
> 
> Workaround:
> ~~~~~~~~~~~~~~~~~~~~~~~
> None.
> 
> 
> Vendor Status:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft was notified on 9 June 2003.
> They plan to fix this bug in a future service pack.
> 
> Microsoft Knowledge Base(KB829493)
> [http://support.microsoft.com/default.aspx?scid=829493]
> 
> 
> Thanks:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Security Response Center
> Masaki Yamazaki (Japan GTSC Security Response Team)
> Youji Okuten (Japan GTSC Security Response Team)
> 
> 
> Similar vulnerability:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer %USERPROFILE% Folder Disclosure 
> Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
> 
> 
> - -------------------------------------------------------------
> Eiji James Yoshida
> penetration technique research site
> E-mail: ptrs-ejy@xxxxxxxxxxxxxx
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> - -------------------------------------------------------------
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt
> Comment: Eiji James Yoshida
> 
> iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
> YZTkthwnHxD1BW+YxEPzMPaV
> =8/8o
> -----END PGP SIGNATURE-----

Prev by Date: In-game server crash in Call of Duty 1.5b and United Offensive 1.51b
Next by Date: Re: Solaris 10 Containers / Zones Security Flaw
Previous by thread: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
Next by thread: HPUX dtprintinfo buffer overflow vulnerability
Index(es):
- Date
- Thread