[Fwd: Re: IE4 Custom Folder]

From: Hans Waasdorp (hansat_private)
Date: Thu Oct 01 1998 - 12:49:37 PDT


    Howdy all
    
    A little addy: It works also in MSIE 5.0 Preview Release =)
    
    -=[DynaMite]=-
    --
    
    
                                          \\|//
                             _________ooO_(o"o)_OoO________
                            |              (_)             |
                            | Dad always thought laughter  |
     Hans Waasdorp          | was the best medicine, which |
     SysAdmin/Developer     | I guess is why several of us |
     Milcap Media Group SL  |   died of tuberculosis       |
                            |_________oooO_____Oooo________|
     hansat_private                  (  )/| | ( ,)
     http://195.10.26.93               \_) | | (_/  -=[DynaMite]=-
    ______________________________________\|w|,___________________
    
    
    Marc wrote:
    >
    >                                   /------------------\
    >                                    / eEye Security Team \
    >                                  \--------------------/
    >                                   \   www.eEye.com   /
    >                                    ------------------
    >                                              IE4 Custom Folders
    >
    > ---> Systems Affected
    > Win9X/NT IE4.0 Customized Folders
    >
    > ---> Release Date
    > October, 1 1998
    >
    > ---> Advisory Code
    > IE4CustomFolders01
    >
    > ---> Problem
    > Users with write access to a customized folder can replace the customized
    > folder settings inserting their own "evil" files to execute code. This could
    > be used to simply make a folder not viewable from inside a GUI view or on a
    > potentially more dangerous note, execute code via activex controls. In the
    > past having write access to a folder was a bad thing but still the most that
    > could be done was replace an exe with a trojaned exe in hopes that the user
    > runs the program. Now you can execute code when the user simply views a
    > folder. It's common when you are doing security audits of NT networks to find
    > remote systems with shared folders. Most of the time the shared folder's
    > password is trivial to break or there is no password at all. We tested this
    > hole on a Windows95 system with IE4.0 and a customized folder and IE
    > security settings on high. It will most definitely work on Windows98 because
    > well IE4.0 is Windows98 heheh. As of releasing this advisory we have not
    > tested NT systems but it's a good bet it will work. Basically what happens
    > when you customize a folder is two files are created, desktop.ini and a
    > folder.htt. Folder.htt is the file that holds the HTML code to be displayed
    > in the folders window when opened. We insert HTML code for an evil activex
    > control inside folder.htt. When the user opens the folder the HTML code is
    > read and the ocx is loaded. The ocx could share drive c to everyone or
    > whatever. Check out the attached nerd.zip for an example that runs an exe
    > which displays a funny little message.
    >
    > On a side note: To reproduce this for testing purposes create a folder then
    > go to view, customize this folder. Then once you're done unzip nerd.zip into
    > the folder, close the window and reopen it. Should not be too hard to figure
    > out. Also, the zip file has extra files that are not really essential to
    > getting the code executed... yes, lazy is the word hehe.
    >
    > --------------------
    > Marc
    > marcat_private
    > eEye Security Team
    > http://www.eEye.com
    > --------------------
    >
    > P.S.
    > Viking/1.04 httpd, can be DoS'd by sending HEAD /(nice big string here)/
    > HTTP/1.0.
    > Viking isn't a major httpd but there might be the one or two out there using
    > it.
    >
    >   --------------------------------------------------------------------------------
    >                Name: nerd.zip
    >    nerd.zip    Type: Zip Compressed Data (application/x-zip-compressed)
    >            Encoding: base64
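
A defender-side check for the mechanism the advisory describes, as an added example that is not part of the original post or eEye's code: it walks a share, parses each folder.htt, and reports `<object>` tags whose classid is not in an allow-list or that carry a codebase attribute. The allow-list, the CLSIDs and the sample template are constructed placeholders; the allow-list is assumed to be filled from a known-good folder.htt.

```python
import os
from html.parser import HTMLParser

# Constructed values: put the classids from your known-good folder.htt in ALLOWED.
ALLOWED = {"11111111-1111-1111-1111-111111111111"}
SAMPLE_HTT = """<html><body>
<object id="FileList" classid="clsid:11111111-1111-1111-1111-111111111111"></object>
<object classid="CLSID:22222222-2222-2222-2222-222222222222" codebase="extra.ocx"></object>
</body></html>"""

class ObjectCollector(HTMLParser):
    """Collect the attributes of every <object> tag in a template."""
    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            self.objects.append({k: (v or "") for k, v in attrs})

def audit_htt(text, allowed=ALLOWED):
    """Return (classid, reasons) for each <object> that needs review."""
    parser = ObjectCollector()
    parser.feed(text)
    findings = []
    for obj in parser.objects:
        classid = obj.get("classid", "").strip().lower().replace("clsid:", "", 1)
        reasons = []
        if classid not in allowed:
            reasons.append("classid not in allow-list")
        if obj.get("codebase"):
            reasons.append("codebase=" + obj["codebase"])
        if reasons:
            findings.append((classid, reasons))
    return findings

def scan_tree(root, allowed=ALLOWED):
    """Walk root and audit every folder.htt (name matched case-insensitively)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "folder.htt":
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    findings = audit_htt(fh.read(), allowed)
                if findings:
                    report[path] = findings
    return report
```

Running `scan_tree` over the root of each writable share gives a per-folder list of controls to review before anyone browses the folder in the GUI.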
    


