Howdy all

A little addy: It works also in MSIE 5.0 Preview Release =)

-=[DynaMite]=-

--
Hans Waasdorp
SysAdmin/Developer
Milcap Media Group SL
hansat_private
http://195.10.26.93

Dad always thought laughter was the best medicine, which
I guess is why several of us died of tuberculosis

Marc wrote:
>
>   /------------------\
>  / eEye Security Team \
>  \--------------------/
>   \   www.eEye.com   /
>    ------------------
>    IE4 Custom Folders
>
> ---> Systems Affected
> Win9X/NT IE4.0 Customized Folders
>
> ---> Release Date
> October, 1 1998
>
> ---> Advisory Code
> IE4CustomFolders01
>
> ---> Problem
> Users with write access to a customized folder can replace the customized
> folder settings, inserting their own "evil" files to execute code. This could
> be used to simply make a folder not viewable from inside a GUI view or, on a
> potentially more dangerous note, execute code via ActiveX controls. In the
> past having write access to a folder was a bad thing but still the most that
> could be done was replace an exe with a trojaned exe in hopes that the user
> runs the program. Now you can execute code when the user simply views a
> folder. It's common when you are doing security audits of NT networks to find
> remote systems with shared folders. Most of the time the shared folder's
> password is trivial to break or there is no password at all. We tested this
> hole on a Windows95 system with IE4.0 and a customized folder and IE
> security settings on high. It will most definitely work on Windows98 because
> well IE4.0 is Windows98 heheh. As of releasing this advisory we have not
> tested NT systems but it's a good bet it will work. Basically what happens
> when you customize a folder is two files are created, desktop.ini and a
> folder.htt. Folder.htt is the file that holds the HTML code to be displayed
> in the folder's window when opened. We insert HTML code for an evil ActiveX
> control inside folder.htt. When the user opens the folder the HTML code is
> read and the ocx is loaded. The ocx could share drive c to everyone or
> whatever. Check out the attached nerd.zip for an example that runs an exe
> which displays a funny little message.
>
> On a side note: To reproduce this for testing purposes create a folder then
> go to view, customize this folder. Then once you're done unzip nerd.zip into
> the folder, close the window and reopen it. Should not be too hard to figure
> out. Also, the zip file has extra files that are not really essential to
> getting the code executed... yes, lazy is the word hehe.
>
> --------------------
> Marc
> marcat_private
> eEye Security Team
> http://www.eEye.com
> --------------------
>
> P.S.
> Viking/1.04 httpd can be DoS'd by sending HEAD /(nice big string here)/
> HTTP/1.0.
> Viking isn't a major httpd but there might be the one or two out there using
> it.
>
> --------------------------------------------------------------------------------
> Name: nerd.zip
> nerd.zip Type: Zip Compressed Data (application/x-zip-compressed)
> Encoding: base64
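Added example, not part of either post above: a defender-side audit that walks a shared tree, finds every folder.htt, and flags `<object>` elements whose control is not in a site baseline or that carry a `codebase` attribute. The CLSIDs, the allowlist and the sample templates are constructed placeholders (assumptions), not values from the advisory or from nerd.zip.

```python
import os
from html.parser import HTMLParser

# Assumption: fill this with the CLSIDs your own unmodified folder.htt uses.
# The value below is a constructed placeholder, not a real control.
ALLOWED_CLSIDS = {"clsid:00000000-0000-0000-0000-0000000000aa"}

class _ObjectTags(HTMLParser):
    """Collect the attributes of every <object> element in a template."""
    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":  # HTMLParser lowercases tag and attribute names
            self.objects.append({k: (v or "") for k, v in attrs})

def audit_htt(text, allowed=ALLOWED_CLSIDS):
    """Return findings for one folder.htt body (empty list means baseline)."""
    parser = _ObjectTags()
    parser.feed(text)
    findings = []
    for obj in parser.objects:
        classid = obj.get("classid", "").strip().lower()
        if classid not in allowed:
            findings.append(f"unexpected control {classid or '(no classid)'}")
        if obj.get("codebase"):
            findings.append(f"codebase points at {obj['codebase']}")
    return findings

def audit_tree(root, allowed=ALLOWED_CLSIDS):
    """Map each altered folder.htt under root to its list of findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "folder.htt":
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:  # decodes any byte
                    hits = audit_htt(fh.read(), allowed)
                if hits:
                    report[path] = hits
    return report

# Constructed sample templates for demonstration only.
SAMPLE_BASELINE = ('<html><body><object id="FileList" '
                   'classid="clsid:00000000-0000-0000-0000-0000000000AA">'
                   '</object></body></html>')
SAMPLE_ALTERED = SAMPLE_BASELINE.replace(
    "</body>", '<OBJECT classid="clsid:00000000-0000-0000-0000-0000000000BB" '
               'codebase="example.ocx"></OBJECT></body>')

if __name__ == "__main__":
    print(audit_htt(SAMPLE_BASELINE))
    print(audit_htt(SAMPLE_ALTERED))
```

Run `audit_tree` against each writable share; any path it reports is a customized folder whose template differs from the baseline and should be compared with a known-good copy.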
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:32 PDT