Full Disclosure mailing list archives

RE: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

From: "Eiji James Yoshida" <ptrs-ejy () bp iij4u or jp>
Date: Sun, 3 Apr 2005 02:39:39 +0900

This problem was corrected in Windows Server 2003 Service Pack 1.

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

Regards,
-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy () bp iij4u or jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Eiji James Yoshida
Sent: Wednesday, October 08, 2003 10:57 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Microsoft Windows Server 2003 
"Shell Folders" Directory Traversal Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows Server 2003 "Shell Folders" Directory 
Traversal Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]


Date:
~~~~~~~~~~~~~~~~~~~~~~~
8 October 2003


Author:
~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy () bp iij4u or jp]


Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 (Internet Explorer 6.0)


Overview:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell 
Folders" directories.
A remote attacker is able to gain access to the path of the 
%USERPROFILE% folder without guessing a target user name by this
vulnerability.

ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"


Details:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell 
Folders" directories and access arbitrary files via "shell:[Shell
Folders]\..\" in a malicious link.

[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ex
plorer\Shell Folders
 AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
 Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
 Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
 Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
 NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
 Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
 PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
 Recent: "C:\Documents and Settings\%USERNAME%\Recent"
 SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
 Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
 Templates: "C:\Documents and Settings\%USERNAME%\Templates"
 Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
 Startup: "C:\Documents and Settings\%USERNAME%\Start 
Menu\Programs\Startup"
 Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
 Local AppData: "C:\Documents and Settings\%USERNAME%\Local 
Settings\Application Data"
 Cache: "C:\Documents and Settings\%USERNAME%\Local 
Settings\Temporary Internet Files"
 History: "C:\Documents and Settings\%USERNAME%\Local 
Settings\History"
 My Pictures: "C:\Documents and Settings\%USERNAME%\My 
Documents\My Pictures"
 Fonts: "C:\WINDOWS\Fonts"
 My Music: "C:\Documents and Settings\%USERNAME%\My 
Documents\My Music"
 My Video: "C:\Documents and Settings\%USERNAME%\My 
Documents\My Videos"
 CD Burning: "C:\Documents and Settings\%USERNAME%\Local 
Settings\Application Data\Microsoft\CD Burning"
 Administrative Tools: "C:\Documents and 
Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
 

Exploit code:
~~~~~~~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the malicious link.
**************************************************

Malicious link:
<a href="shell:cache\..\..\Local 
Settings\Temp\exploit.html">Exploit</a>


Workaround:
~~~~~~~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.

Microsoft Knowledge Base(KB829493)
[http://support.microsoft.com/default.aspx?scid=829493]


Thanks:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)


Similar vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure 
Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]


- -------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy () bp iij4u or jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBP4QUUPfWv13kjJq0EQLCUQCfT9cXFH14453XXomssYHHAO/KWMMAoLxH
YZTkthwnHxD1BW+YxEPzMPaV
=8/8o
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

RE: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability Eiji James Yoshida (Apr 02)