Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: Matthew.King () CWO NET AU (Matthew King)
Date: Thu, 1 Jun 2000 00:56:47 +1000


Hi.

This is confirmed to work on Windows 2000 Professional 5.00.2195 :-)

I wonder how long it will be before someone uses this on a web page :-)

Cya
Matthew

Matthew King.
Network Engineer, Cable & Wireless Optus.

-----Original Message-----
From: Stephen John [mailto:spjohn () MAIL UTEXAS EDU]
Sent: Wednesday, 31 May 2000 6:34 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win 2000 & IE 'shell://' problem?

I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol,
and when any URL, i.e. "shell://localhost" or just "shell://", is loaded IE
crashes and brings explorer.exe down with it.  I think this would cause a
user who didn't know much to think that Win 2000 had crashed (of course
killing the tasks iexplore.exe and explorer.exe then restarting explorer,
will solve the problem).

I don't think this is a huge security hole, but being able to crash explorer
remotely is a security problem.

This can be exploited via a <A href=shell://somehost>Kill explorer!></A>
or if scripting is on, by embedding a
onLoad="window.location='shell://localhost'"
into the body tag.
It takes about 5 seconds to crash IE/explorer, the IE window blinks a few
times before the crash.  I'm not sure what IE is trying to do here, but it
is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional
5.00.2195, using IE 5.00.2920.0000.
I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not
see this behavior.
Also Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or
maybe if there is a better way to exploit it?

Stephen John
Student  University of Texas
Webmaster  http://www.securityauditor.com
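
Both forms described in the report (a link's href and an inline onLoad handler) can be flagged before content reaches a browser. The following is an added example, not part of either message, of a check a mail or web gateway could run on HTML; the attribute list, the constructed SAMPLE page and all names are assumptions.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEMES = {"shell"}  # assumption: only the scheme named in the post
URL_ATTRS = {"href", "src", "action", "background"}
SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
# A quoted shell: URL inside script text, e.g. window.location='shell://localhost'
SCRIPT_URL = re.compile(r"""['"]\s*(shell:[^'"]*)""", re.IGNORECASE)

# Constructed sample page: the two forms from the post plus a benign link.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>link</A>
<a href="http://example.com/?q=shell://x">benign</a>
</body></html>"""


class ShellUrlFinder(HTMLParser):
    """Collects (tag, attribute, url) for each reference to a blocked scheme."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:
            value = (value or "").strip()  # browsers ignore surrounding whitespace
            if name in URL_ATTRS:
                m = SCHEME.match(value)
                if m and m.group(1).lower() in BLOCKED_SCHEMES:
                    self.findings.append((tag, name, value))
            elif name.startswith("on"):  # inline event handlers such as onload
                for m in SCRIPT_URL.finditer(value):
                    self.findings.append((tag, name, m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # text of a <script> element
            for m in SCRIPT_URL.finditer(data):
                self.findings.append(("script", "text", m.group(1)))


def scan(html):
    finder = ShellUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

`scan(SAMPLE)` reports the body handler and the unquoted href and ignores the link that only carries the string in its query. A gateway would strip or quarantine on any finding.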

