Re: IE4 Custom Folder

[listuser () MAIL SEIFRIED ORG (listuser () MAIL SEIFRIED ORG)]

> ---> Problem
> Users with write access to a customized folder can replace the customized
> folder settings inserting their own "evil" files to execute code. This could
> be used to simply make a folder not viewable from inside a GUI view or on a
> potentially more dangerous note, execute code via activex controls. In the
> past having write access to a folder was a bad thing but still the most that
> could be done was replace an exe with a trojaned exe in hopes that the user
> runs the program. Now you can execute code when the user simply views a
> folder. Its common when you are doing security audits of NT networks to find
> remote systems with shared folders. Most of the time the shared folder's
> password is trivial to break or there is no password at all. We tested this
> hole on a Windows95 system with IE4.0 and a customized folder and IE
> security settings on high. It will most defiantly work on Windows98 because

In MSIE 4.0 there are five security zones, 4 of them are configurable, the
fifth zone is only accesible via the registry, this fifth zone is "local
machine" and basically has no security, due to the fact most windows
machines tend to be single user workstation with no real security this
was probably not considered a priority by MS. The other four zones (Local
Intranet, Internet, Trusted Sites and Untrusted Sites) are indeed easily
configurable but do not apply to this situation.

The applicable registry settings are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\ 0,1,2,3,4
0 being the local machine, 4 untrusted sites.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zonemap\Domains\

I'm not 100% sure what you can change these settings to, to lock the
machine down, nor do I have any Windows95/98 machines to play on. The best
advice would be to disable active desktop which is dog slow anyways.
Impliment system policies, and distribute a custom version of MSIE 4.01
(via the IEAK) with this stuff turned off by default. In other words round
up the usuall suspects.

> well IE4.0 is Windows98 heheh. As of releasing this advisory we have not

You can disable Active Desktop in Win98, the applicable kb article is:
Article ID: Q190228
http://support.microsoft.com/kb/articles/q190/2/28.asp

> tested NT systems but its a good bet it will work. Basically what happens

Again you can disable the active desktop easily/use system policies to
allow running of only vertain executables/etc.

> when you customize a folder is two files are created, desktop.ini and a
> folder.htt. Folder.htt is the file that holds the HTML code to be displayed
> in the folders window when opened. We insert HTML code for an evil activex
> control inside folder.htt. When the user opens the folder the HTML code is
> read and the ocx is loaded. The ocx could share drive c to everyone or
> whatever. Check out the attached nerd.zip for an example that runs an exe
> which displays a funny little message.
>
> On a side note: To reproduce this for testing purposes create a folder then
> go to view, customize this folder. Then once your done unzip nerd.zip into
> the folder, close the window and reopen it. Should not be too hard to figure
> out. Also, the zip file has extra files that are not really essential to
> getting the code executed... yes, lazy is the word hehe.
>
> --------------------
> Marc
> marc () eEye com
> eEye Security Team
> http://www.eEye.com
> --------------------

-seifried, MCSE

P.S. not to sound depreciative but I wish people would toss the MS KB
quickly before posting 'exploits'/etc, since most of these can be worked
around without fragging MS to badly.

P.P.S. we should all run UNIX, but it ain't gonna happen for a while so
deal with it.