Vulnerability Development mailing list archives

RE: Rather large MSIE-hole


From: Maarten Oosterink <maarten () holmes nl>
Date: Thu, 14 Mar 2002 13:27:31 +0100


For instance, "%SystemRoot%" would eliminate the need for 
"C:\windows"

I tried this in the original sample provided by Magnus Bodin, it
doesn't work, I reckon the variables aren't parsed. Maybe with
more Jscript knowledge it is possible however.

The same with parameters btw.. Trying to run 
'c:/windows/system32/format.com c: /q /autotest' fails and so
does 'c:/windows/system32/cmd -C format.com c: /q /autotest'.

This is good, since this vulnerability can not be easily used for
creating real havoc. But as soon as someone finds out how to parse
parameters the sh*t will hit the fan.. I can imagine commands like
'net send * w00t w00t' being funny, but 'format c: /autotest' isn't.

This is a newbie question, 
but where can I find a list of system variables and its
compatibility thru versions of windows?

By running SET from a command shell (without parameters) you get
a list of all system variables.

With regards,

Maarten Oosterink
System Administrator Digital Technology dpt.
Netherlands Forensic Institute
Ministry of Justice - The Netherlands

Phone    +31 (0)70 413 5 402
Fax      +31 (0)70 413 5 441   
E-mail   maarten () holmes nl - PGP Key:
http://www.holmes.nl/maarten.asc
 


