Vulnerability Development mailing list archives
Re: Win 2000 & IE 'shell://' problem?
From: jslat () HOTMAIL COM (Chris Hall)
Date: Thu, 1 Jun 2000 00:16:18 GMT
I am running build 2195 (5.0.2195), default install, and doing just a "shell:" causes IE to flicker and create a C:\user.dmp but not close.

Tried this in Windows Explorer, doing just a "shell:". The results varied; sometimes it would close, generate a user.dmp file, but doing a "shell:\\" the results were the same as in IE (except it would close).

I really don't know too much about the inner workings of Win, but it is strange to say the least.

Just my 2 cents.

Chris

Running build 2195 of Win2K Professional with IE 5.00.2920.0000CO and doing just "shell://" produced: Explorer has generated errors and is being closed by windows and must be restarted, as an error message. However, Explorer self restarted with no loss of open documents, nor did any application die. I did not get the icon dump reported below. Running "shell://localhost" produced identical results.

What I found most amusing is that I could only produce a problem if I had multiple instances of IE running. If only one instance of IE was running, all these commands seemed to do was produce a few seconds of screen flicker.

Walter

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Rob Beneson
Sent: Wednesday, May 31, 2000 2:14 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Win 2000 & IE 'shell://' problem?

Well, just to let you know, I am running build 2195 (5.0.2195) of Win2k Advanced Server, with IE 5.00.2920.0000 and this didn't crash explorer. Although, IE wasn't very happy, and it dumped the icons in my tray, and tried to dump explorer altogether, but explorer came right back up after a second of doubt along with half my tray icons! Go M$!

Hope this can add to the info.

Rob

----Original Message Follows----
From: Stephen John <spjohn () MAIL UTEXAS EDU>
Reply-To: Stephen John <spjohn () MAIL UTEXAS EDU>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win 2000 & IE 'shell://' problem?
Date: Tue, 30 May 2000 15:33:32 -0500

I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol, and when any URL, i.e. "shell://localhost" or just "shell://", is loaded, IE crashes and brings explorer.exe down with it.
I think this would cause a user who didn't know much to think that Win 2000 had crashed (of course killing the tasks iexplore.exe and explorer.exe, then restarting explorer, will solve the problem).

I don't think this is a huge security hole, but being able to crash explorer remotely is a security problem. This can be exploited via a <A href=shell://somehost>Kill explorer!></A> or, if scripting is on, by embedding an onLoad="window.location='shell://localhost'" into the body tag.

It takes about 5 seconds to crash IE/explorer; the IE window blinks a few times before the crash. I'm not sure what IE is trying to do here, but it is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional 5.00.2195, using IE 5.00.2920.0000.

I tested this on a Win 98 machine running IE 5.00.2919.6307 and I did not see this behavior. Also, Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or maybe if there is a better way to exploit it?

Stephen John
Student, University of Texas
Webmaster http://www.securityauditor.com

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
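
A defensive check for the two delivery forms described in the original report above (a link whose target uses the shell: scheme, and a scripted redirect to one), as an added example that is not part of the original thread: a Python filter that a proxy or mail gateway could run over HTML. The function and class names, the attribute list and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value the browser treats as a URL (assumed list, not exhaustive).
URL_ATTRS = {"href", "src", "action", "background"}
# A quoted shell: URL inside script text, e.g. window.location='shell://localhost'.
SHELL_IN_SCRIPT = re.compile(r"""['"]\s*shell:[^'"]*['"]""", re.IGNORECASE)

def _is_shell_url(value):
    # Schemes are case-insensitive and browsers drop whitespace/control characters,
    # so strip them all (a deliberate over-approximation) before comparing.
    return re.sub(r"[\x00-\x20]+", "", value or "").lower().startswith("shell:")

class ShellUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []          # (tag, attribute or "text", offending value)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in values.
        self._in_script = (tag == "script")
        for name, value in attrs:
            if name in URL_ATTRS and _is_shell_url(value):
                self.findings.append((tag, name, value))
            elif name.startswith("on") and SHELL_IN_SCRIPT.search(value or ""):
                self.findings.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for match in SHELL_IN_SCRIPT.finditer(data):
                self.findings.append(("script", "text", match.group(0)))

def find_shell_urls(html):
    finder = ShellUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the two forms from the thread, two obfuscated variants, benign text.
SAMPLE_HTML = """<body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>one</A> <a href="  SHELL://x">two</a>
<a href="sh&#101;ll://y">three</a> <a href="http://example.com/shell://">benign</a>
<p>shell:// mentioned in prose only</p><script>var u = "shell:";</script></body>"""
```

Parsing the markup instead of grepping the raw bytes is what catches the case-varied and entity-encoded variants while ignoring a shell:// that only appears in visible text or inside an http URL.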