[news] *malas noticias* Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

09/10/2003 - 15:23 por JM Tella Llop [MS MVP] · | Informe spam
** Salio publicado ayer. No está muy claro, si está ya solucionado con el ultimo patch, ya que por un lado lo referencia y por otro dice que no existe ningun Workaround.


Title:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
[http://www.geocities.co.jp/SiliconV...ry08e.html]


Date:
~~~~~~~~~~~~~~~~~~~~~~~
8 October 2003


Author:
~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]


Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 (Internet Explorer 6.0)


Overview:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories.
A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name by this
vulnerability.

ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"


Details:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell
Folders]\..\" in a malicious link.

[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
Recent: "C:\Documents and Settings\%USERNAME%\Recent"
SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
Templates: "C:\Documents and Settings\%USERNAME%\Templates"
Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
Fonts: "C:\WINDOWS\Fonts"
My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"


Exploit code:
~~~~~~~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the malicious link.
**************************************************

Malicious link:
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>


Workaround:
~~~~~~~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.

Microsoft Knowledge Base(KB829493)
[http://support.microsoft.com/default.aspx?scid‚9493]


Thanks:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)


Similar vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconV...ry07e.html]


Jose Manuel Tella Llop
MS MVP - DTS
jmtella@compuserve.com

Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
 

Leer las respuestas

#1 Jesús Hernández
10/10/2003 - 23:06 | Informe spam
Bad news on RPC DCOM vulnerability
http://www.securityfocus.com/archive/1

Con todas las cautelas, pero los golfos singuen en el empeño.
golfos RU digo.
Saludos.

"JM Tella Llop [MS MVP] ·" escribió en el mensaje
news:#
** Salio publicado ayer. No está muy claro, si está ya solucionado con el ultimo patch, ya
que por un lado lo referencia y por otro dice que no existe ningun Workaround.


Title:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
[http://www.geocities.co.jp/SiliconV...ry08e.html]


Date:
~~~~~~~~~~~~~~~~~~~~~~~
8 October 2003


Author:
~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida []


Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 (Internet Explorer 6.0)


Overview:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories.
A remote attacker is able to gain access to the path of the %USERPROFILE% folder without
guessing a target user name by this
vulnerability.

ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"


Details:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories and
access arbitrary files via "shell:[Shell
Folders]\..\" in a malicious link.

[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
Recent: "C:\Documents and Settings\%USERNAME%\Recent"
SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
Templates: "C:\Documents and Settings\%USERNAME%\Templates"
Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
Fonts: "C:\WINDOWS\Fonts"
My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application
Data\Microsoft\CD Burning"
Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start
Menu\Programs\Administrative Tools"


Exploit code:
~~~~~~~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the malicious link.
**************************************************

Malicious link:
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>


Workaround:
~~~~~~~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.

Microsoft Knowledge Base(KB829493)
[http://support.microsoft.com/default.aspx?scid‚9493]


Thanks:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)


Similar vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconV...ry07e.html]


Jose Manuel Tella Llop
MS MVP - DTS


Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún
derecho.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.

Preguntas similares