It doesn't seem to affect Windows 2000, only Windows XP. This is a fault in Mozilla. Why? Because it allows access to a dangerous protocol from within a non local resource. The Mozilla project should fix this before anyone creates an exploit to run arbitrary code.
Personally I think the shell: issue should have been reported to the Mozilla security team before publiced to the masses. /Andreas Sandblad On Wed, 7 Jul 2004, Barry Fitzgerald wrote: > I just verified this in Mozilla 1.7 on Windows XP pro. > > (I know -- no reason why it shouldn't work on 1.7 if it worked on firefox) > > In any case, it does appear to be an issue with MS Windows and not > Mozilla, but the Mozilla project should still, IMO, filter out the > shell: scheme type and other dangerous (but essentially useless on the > web) scheme types identified in MS Windows. In fact, they should filter > all out accept for accepted scheme types. Default-closed as opposed to > default-open. > > -Barry > > > Andreas Sandblad wrote: > > >This is dangerous. Based on the file extension of the shell protocol > >different applications may be launched. For example: > >shell:.its will launch Internet Explorer > >and shell:.mp3 will launch Winamp. > > > >The trick is to find an application that will overflow when given a > >very long parameter. A quick check showed that a buffer overflow occured > >within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230 > >bytes with the following URL: > >shell:[x*221].grp > >EIP can be controled, but exploitation is a bit tricky since parameter is > >stored as unicode. > > > >Also Winamp contains an BO (no unicode here). > > > >Tested environment: > >Windows XP pro + FireFox 0.9.1 > > > >/Andreas Sandblad > > > >On Wed, 7 Jul 2004, Perrymon, Josh L. wrote: > > > > > > > >>-----snip------ > >>center><br><br><img src="nocigar.gif"></center> > >><center> > >><a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe > >>src="http://windowsupdate.microsoft.com%2F.http- > >>equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none"> > >>[customise as you see fit] > >><http://www.malware.com/stockpump.html> > >>------end---------- > >>The code above has interest to me. > >>Even in Mozilla the commands below will work. > >><a href=shell:windows\\system32\\calc.exe>1</a> > >><a href=shell:windows\system32\calc.exe>2</a> > >><a href=shell:windows\system32\winver.exe>4</a> > >>Just save them to an .html file and run it. > >>The first one with the double quotes was from bugtraq: > >>Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash > >><http://seclists.org/lists/bugtraq/2004/Mar/0188.html> > >>The links below that will run calc as well as winver. > >>It seems it calls windows as a virtual dir because c:\winxp is what I have. > >>I have been playing around to see if cmd.exe will work with it but without > >>luck. > >>This is what is in the registry. > >>HKEY_CLASSES_ROOT\Shell > >>Look in the registry key above. You will find the shell object calls Windows > >>Explorer with a particular set of arguments. > >>%SystemRoot%\Explorer.exe /e,/idlist,%I,%L > >>So this is tied to explorer.exe. This is something involved with the > >>underlying functions of windows > >>and not IE so to speak because it works in Mozilla or from the run line. > >>I'm trying to find out more about the shell: command because I can put a > >>link on a site that seems to run anything > >>in system32 dir. I'd like to see if you can pass parameters to it. > >> > >>Anyone give me more info on the shell:windows command? > >>JP > >> > >> > >>Joshua Perrymon > >>Sr. Network Security Consultant > >>PGP Fingerprint > >>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021 > >> > >>**********CONFIDENTIALITY NOTICE********** > >>The information contained in this e-mail may be proprietary and/or > >>privileged and is intended for the sole use of the individual or > >>organization named above. If you are not the intended recipient or an > >>authorized representative of the intended recipient, any review, copying > >>or distribution of this e-mail and its attachments, if any, is prohibited. > >>If you have received this e-mail in error, please notify the sender > >>immediately by return e-mail and delete this message from your system. > >> > >> > >> > >>_______________________________________________ > >>Full-Disclosure - We believe in it. > >>Charter: http://lists.netsys.com/full-disclosure-charter.html > >> > >> > >> > > > > > > > -- _ _ o' \,=./ `o (o o) ---ooO--(_)--Ooo--- Andreas Sandblad Sweden _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
