Full Disclosure mailing list archives
RE: What about M$ in the shell: race
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Fri, 9 Jul 2004 11:56:49 -0500
Well, I'm not trying to take any credit for it. Keith McCanless and I were working on it at the same time, and he submitted to Mozilla 2 hours before I did yesterday morning. We have shared a lot of ideas and research on the subject. No, I didn't just grab someone's research. Keith and I took the same approach. This actually started last week when Jessica sent the IE ActiveX stuff to me and I looked at an older Bugtraq post and saw the shell: code that was used with double backslashes in IE. I run Mozilla now, so I started looking at the code and playing with different variants in the lab. I noticed that it worked in Mozilla on the 7th, but I didn't think about sending it to Mozilla because at first I didn't think it was a big deal. But it started a lot of interest in FD, so I submitted it just after Keith. If you follow my first posts in FD you will see that my first interest was purely in the background of the shell: command and how it works and the behaviors involved.

But I guess to answer the question: No, I didn't just see an advisory from someone and start making posts like I found it. I worked with the other researchers on this. I don't care if someone mentions my name in an advisory. Maybe I would if I was trying to get a job or something, but like you I work for the corporate world and was just doing some research.

Read his advisory:

REFERENCE
---------
MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html

greetingz fly to perrymonj

JP

-----Original Message-----
From: daniel uriah clemens
To: Perrymon, Josh L.
Cc: packet-ninjas () birmingham-infragard org; full-disclosure () lists netsys com; birmingham-infragard () birmingham-infragard org
Sent: 7/9/2004 6:33 AM
Subject: Re: [Full-disclosure] What about M$ in the shell: race

Josh,

This is in no way a shaming email, but hopefully a playful question in hopes to find out what might be miscommunicated as a reader on multiple security mailing lists.
snip from your website>
I think the research over the past couple days proves that M$ just isn't cutting it these days with their security response to vulnerabilities. Wasn't it just the other day when Bill Gates said that they have 1000's of consultants ready to patch systems, and it STILL takes them weeks to patch a simple hole? I understand that M$ has to deal with the underlying OS, but with that many people shouldn't they turn patches out a little faster? I mean, come on.. I worked with the Mozilla guys and was REALLY impressed with the turn-around on the patch. It wasn't real elaborate to correct the issue, but it was done in a matter of hours. The shell: issue is all over Full-disclosure and slashdot, but I have yet to see a public response from M$ on the issue. I hope this helps Mozilla gain some market share because it's where browsing and security models should move in the future in my opinion-

----------end Rant---------------

M$ IE6 shell: vuln tested on fully patched XP SP1 box in VMware lab

shell:windows\system32\calc.exe
shell:windows\system32\cmd.exe
shell:windows\system32\winver.exe
shell:windows\system32\accwiz.exe
shell:windows\system32\narrator.exe <- This is my favorite one :) This will freak someone out when the PC talks to them.

I guess the good side to this is that IE asks the user to open the file / save if clicked from an anchor, but not when using the shell command.

test <- this calls cmd.exe using an anchor tag

I understand the disclosure process, but what can you do if they don't respond. This isn't a canned script kiddie exploit, it's research. And that should be available to anyone that is interested.

--------------

I got 99 problems but Mozilla isn't one :)
unsnip....
What research did you perform to find this hole, or did you simply repeat what 'liu die yu' posted to full disclosure earlier this week?

http://umbrella.name/originalvuln/mozilla/ShellNethood/mozilla_shellnethood_rc.txt

Just for clarification's sake, did you find this vulnerability through extensive research, or did you repost someone else's vulnerability to every mailing list in the world and then post that the media picked up on it also? If it was research, what methodical approach did you take to find this vulnerability so we can all share in the fun of bugtracking, or was this research in the stance that you are evaluating the existence of a current bug already disclosed within your lab? What it sounds like you have been saying the past few days is simply: 'this bug exists, I confirmed it exists, and I have repeated the work of another and this bug is fairly huge', but I can see how others could misinterpret this to say that you were the original bug-tracker.
snip>
I understand the disclosure process but what can you do if they don't respond. This isn't a canned script kiddie exploit it's research. And that should be available to anyone that is interested.
snip>
I am just trying to clarify whether or not you said this was research on your part to discover the bug, OR simply to test for the bug's existence from what was posted by Liu Die Yu earlier this week.
http://www.packetfocus.com/shell_exploit.htm

IE will execute the shell: command locally but prompts the user to open / save the file if used with an anchor. But what if this was used with another IE exploit that may not have system privs but ran shell: locally- wouldn't that have system privs then, or would that run under the browser?

Interesting so far- Hopefully this will help the effort to promote open source standards to move away from M$ web monopoly. Until then I will just use BBS's-- hehehehehehe Anyone up for a good game of Tradewars ;)
Once again I am merely trying to clarify a lot of what you have been posting the last few days.

Thanks,
-Daniel Uriah Clemens

Esse quam videri (to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
{ o)2059686335 c)2055676850 }

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
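The thread's technical point is that an ordinary anchor whose href uses the shell: protocol handler (shell:windows\system32\calc.exe and friends, including the double-backslash variant Josh mentions) is enough to launch a local executable. The check a filter author would want is the one below: an added example written for this page, not code from the thread or from any of the posters, that scans hrefs in HTML and reports any that resolve to the shell: scheme after the usual lenient-parser normalisation. The sample HTML, the function names and the normalisation rules (stripping leading control characters and spaces, dropping embedded tab/CR/LF, decoding numeric entities in the href) are assumptions of the example; the thread itself only mentions case and doubled backslashes.

```javascript
"use strict";

// Added example, not code from the thread. Flags links whose scheme is the
// "shell:" protocol handler discussed above, for use in a content filter
// (e.g. scrubbing user-supplied HTML before a 2004-era browser renders it).
// The sample HTML below is constructed for this example.

// Schemes that hand the URL straight to an external OS handler.
const BLOCKED_SCHEMES = new Set(["shell"]);

// Decode the entities an attacker could use to hide the scheme from a naive
// string match, so "&#115;hell:" is seen as "shell:". Numeric entities are
// decoded before "&amp;" so a double-encoded "&amp;#115;" stays literal.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Normalise an href the way a lenient browser URL parser does before it
// picks the scheme: strip leading/trailing C0 controls and spaces and drop
// embedded tab/CR/LF (assumed lenient-parser behaviour, not from the thread).
function normalizeHref(href) {
  return decodeEntities(String(href))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
}

// Return the lower-cased scheme of an href, or null if it has none.
function extractScheme(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() : null;
}

// Crude href extractor, enough for the constructed sample (not a full HTML parser).
function extractHrefs(html) {
  const out = [];
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Report every href that resolves to a blocked scheme. The target path has
// the doubled backslashes the thread mentions collapsed so a log reader sees
// the file that would actually be launched.
function findShellLinks(hrefs) {
  const findings = [];
  for (const raw of hrefs) {
    const scheme = extractScheme(raw);
    if (scheme === null || !BLOCKED_SCHEMES.has(scheme)) continue;
    const norm = normalizeHref(raw);
    const target = norm.slice(norm.indexOf(":") + 1).replace(/\\{2,}/g, "\\");
    findings.push({ href: raw, scheme, target });
  }
  return findings;
}

// Constructed sample: one benign link, three shell: links using the variants
// a filter should catch (plain, upper-case with a leading space and doubled
// backslashes, numeric-entity-encoded scheme), and one mailto: link.
const SAMPLE_HTML = `
<a href="http://example.com/">ok</a>
<a href="shell:windows\\system32\\calc.exe">calc</a>
<a href=" SHELL:windows\\\\system32\\\\cmd.exe">cmd</a>
<a href="&#115;hell:windows\\system32\\narrator.exe">talk</a>
<a href='mailto:someone@example.com'>mail</a>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findShellLinks(extractHrefs(SAMPLE_HTML))) {
    console.log(`blocked ${f.scheme}: link -> ${f.target}  (raw: ${JSON.stringify(f.href)})`);
  }
}
```

Run with node and the three shell: links are reported with their collapsed target paths; the http: and mailto: links pass. The scheme check is deliberately an allow/deny decision on the parsed scheme rather than a substring search for "shell:", since the entity-encoded and whitespace-prefixed variants in the sample defeat the latter.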
Current thread:
- What about M$ in the shell: race Perrymon, Josh L. (Jul 09)
- Re: What about M$ in the shell: race daniel uriah clemens (Jul 09)
- RE: What about M$ in the shell: race Larry Seltzer (Jul 10)
- <Possible follow-ups>
- RE: What about M$ in the shell: race Perrymon, Josh L. (Jul 09)
- RE: What about M$ in the shell: race http-equiv () excite com (Jul 10)
- RE: What about M$ in the shell: race Larry Seltzer (Jul 10)
- RE: What about M$ in the shell: race Perrymon, Josh L. (Jul 10)
- RE: What about M$ in the shell: race Larry Seltzer (Jul 10)
- Re: What about M$ in the shell: race daniel uriah clemens (Jul 09)