This problem (BugtraqID:7826) was corrected in Windows Server 2003 Service Pack 1.

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.securityfocus.com/archive/1/340666

Microsoft Internet Explorer %USERPROFILE% File Execution Weakness
http://www.securityfocus.com/bid/7826/info/

Regards,

-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy@xxxxxxxxxxxxxx
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------

> -----Original Message-----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Title:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]
>
>
> Date:
> ~~~~~~~~~~~~~~~~~~~~~~~
> 8 October 2003
>
>
> Author:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [ptrs-ejy@xxxxxxxxxxxxxx]
>
>
> Vulnerable:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 (Internet Explorer 6.0)
>
>
> Overview:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories.
> A remote attacker is able to gain access to the path of the %USERPROFILE% folder
> without guessing a target user name by this vulnerability.
>
> ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"
>
>
> Details:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories
> and access arbitrary files via "shell:[Shell Folders]\..\" in a malicious link.
>
> [Shell Folders]
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
> AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
> Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
> Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
> Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
> NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
> Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
> PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
> Recent: "C:\Documents and Settings\%USERNAME%\Recent"
> SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
> Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
> Templates: "C:\Documents and Settings\%USERNAME%\Templates"
> Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
> Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
> Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
> Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
> Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
> History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
> My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
> Fonts: "C:\WINDOWS\Fonts"
> My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
> My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
> CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
> Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
>
>
> Exploit code:
> ~~~~~~~~~~~~~~~~~~~~~~~
> **************************************************
> This exploit reads %TEMP%\exploit.html.
> You need to create it.
> And click on the malicious link.
> **************************************************
>
> Malicious link:
> <a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>
>
>
> Workaround:
> ~~~~~~~~~~~~~~~~~~~~~~~
> None.
>
>
> Vendor Status:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft was notified on 9 June 2003.
> They plan to fix this bug in a future service pack.
>
> Microsoft Knowledge Base (KB829493)
> [http://support.microsoft.com/default.aspx?scid=829493]
>
>
> Thanks:
> ~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Security Response Center
> Masaki Yamazaki (Japan GTSC Security Response Team)
> Youji Okuten (Japan GTSC Security Response Team)
>
>
> Similar vulnerability:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
> [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
>
>
> - -------------------------------------------------------------
> Eiji James Yoshida
> penetration technique research site
> E-mail: ptrs-ejy@xxxxxxxxxxxxxx
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> - -------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt
> Comment: Eiji James Yoshida
>
> iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
> YZTkthwnHxD1BW+YxEPzMPaV
> =8/8o
> -----END PGP SIGNATURE-----
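Added example (not part of the advisory or the reply above): a content-filter check, the kind a mail gateway or HTML sanitizer would run, that flags `shell:` hyperlinks whose `..` segments climb out of the Shell Folder they name, which is exactly the pattern the Details section describes. The folder names are the value names quoted from the registry key in the advisory; the sample links used to exercise it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
# (the list quoted in the advisory), compared case-insensitively.
SHELL_FOLDERS = {
    "appdata", "cookies", "desktop", "favorites", "nethood", "personal",
    "printhood", "recent", "sendto", "start menu", "templates", "programs",
    "startup", "local settings", "local appdata", "cache", "history",
    "my pictures", "fonts", "my music", "my video", "cd burning",
    "administrative tools",
}

def analyze_shell_href(href):
    """Return (folder, known, escapes) for a shell: link, else None.

    escapes is True when a `..` segment climbs above the named Shell Folder,
    i.e. the link resolves outside it. %XX is decoded and both `\\` and `/`
    are accepted as separators before the segments are counted.
    """
    scheme, sep, rest = href.strip().partition(":")
    if not sep or scheme.strip().lower() != "shell":
        return None
    segments = [s for s in re.split(r"[\\/]+", unquote(rest)) if s and s != "."]
    if not segments:
        return ("", False, False)
    folder = segments[0].lower()
    depth = 0
    for seg in segments[1:]:
        depth += -1 if seg == ".." else 1
        if depth < 0:  # climbed above the named folder
            return (folder, folder in SHELL_FOLDERS, True)
    return (folder, folder in SHELL_FOLDERS, False)

class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def find_traversal_links(html):
    """Return every shell: href in html whose path escapes its Shell Folder."""
    parser = _HrefCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if (analyze_shell_href(h) or (None, None, False))[2]]
```

Folder-relative paths without an escaping `..` (for example `shell:Personal\sub\..\file.txt`) are left alone, so the check does not block legitimate shell: links.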