Re: Winnt/Win2k Vuln ?

From: Enrique A. Compań Gzz. (enriqueat_private)
Date: Thu Aug 09 2001 - 12:24:35 PDT

  • Next message: Matthew Leeds: "RE: CR II - winME? confirmation? (Slightly OT)"

    Not exactly an issue....
    
    because when you rename "autoexec.bat" to "www.google.com", what you
    realy get is "www.google.com.BAT"
    When you tipe "www.google.com" in the IE address bar, the file placed in
    your desktop
    get executed... (you can type the name of other files you have there,
    without extension and they get
    executed as well).
    
    I think this is not a bug, but a non-smart feature, THAT CAN BE exploited.
    for example, use any IE bug to create a file in your desktop, but name the
    file to, say "www.yahoo.com.BAT" ...
    When the user goes to www.yahoo.com.... bewm!!! the file gets executed.
    
     -- Enrique A. Compań Gzz.
         Virtek Net Security
    
    ----- Original Message -----
    From: "Red Pantz" <redpantzat_private>
    To: <vuln-devat_private>
    Sent: Wednesday, August 08, 2001 4:17 PM
    Subject: Winnt/Win2k Vuln ?
    
    
    > Hello all,
    >
    > I have found that if you name a file (can be any data file) a certain URL,
    on your desktop, and then g0 to IE and type that url, the web site will not
    come up, only the program that was named the certain.confusing?
    >
    > i.e.
    >
    > - copy autoexec.bat to ..\desktop
    > - rename autoexec.bat to www.google.com (can be any url)
    > - then go to IE and type "www.google.com"
    > - your batch file is then ran
    >
    > a few issues i have w/ this is:
    >
    > - the prog will only run if it is on your desktop
    > - if you type "http://www.google.com", for example
    >   it will not run(unless u name your file the same thing)
    > - it has only been tested on Win2k SP1, Winnt 4.0 SP6a w/ IE 5.5
    > - it doesn't seem to have any privelage escalation (all progs are run as
    the current user logged on)
    >
    > Just want a few others to try it and see wut they think
    >
    > thanx alot
    > redpantz
    >
    > ------------------------------------------------------------
    > [- Get your own free e-mail @ http://www.crackdealer.com -]
    >
    >
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:32:55 PDT