Vulnerability Development mailing list archives
Re: Win 2000 & IE 'shell://' problem?
From: spjohn () MAIL UTEXAS EDU (Stephen John)
Date: Fri, 2 Jun 2000 16:47:42 -0500
I checked deeper into what exactly is happening with the shell://. I believe I found out what is going on, but I still have no idea why it exists or what it is supposed to do. When you open a shell: URL, Windows executes the command "explorer /idlist,%I,%L", where %I is process info about iexplore, e.g. :0:1423, where 1423 would be the PID of iexplore.exe. %L is the URL, so it is "shell://abcabc" or whatever URL you used.

As to what the /idlist parameter of explorer.exe is, I am not sure. It is not in the MS documentation, but I found one source that said this parameter "May help with cacheing. By itself, opens the desktop as icons." from http://www.cpcug.org/user/clemenzi/technical/WinExplorer/CommandLineOptions.htm. I don't really understand what this means, so I still don't see what shell: is trying to do.

As far as trying to exploit this, I tried to get commands to execute by using URLs like "shell:|mkdir\test" and even "shell|cmd/c"mkdir\test"", but this doesn't work. The command is not filtered out, but it does not execute. I can only assume that the explorer command is run in some protected mode, but I don't know too much about this, so it's very possible that I am wrong. Also, appending a normal explorer parameter (e.g. /e) does not do anything; explorer seems to ignore any other parameters after /idlist.

One other thing that I noticed is that anything after a space in the URL will not be passed to the command. I assume this is because the %L is only the information up to the first space. I still don't know why running this command (sometimes) crashes explorer. It's possible that there is something else going on in the background I am not aware of. As far as trying to exploit this as a buffer overflow, I have sent a URL with something like 5000 "A" or "shell:", but that's about it.

I believe these are the reg keys that cause this behavior of the shell:// URL:
HKEY_CLASSES_ROOT\Shell\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open\command
HKEY_CLASSES_ROOT\Publishing Folder\shell\open\command
HKEY_CLASSES_ROOT\Folder\shell\open\command

Stephen John
http://www.securityauditor.com

----- Original Message -----
From: "Aaron Kelley" <kelleyam () UMICH EDU>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, June 01, 2000 3:53 PM
Subject: Fwd: Re: Win 2000 & IE 'shell://' problem?
Just some thoughts with having to have several windows open for the problem to work. If one was to attempt to use this "exploit", one could use a Java or Perl script to open up several windows and then call the shell://. I'm not sure, but you might not even need to use a script to do it; you might be able to use some sort of automatic redirection to continuously open windows, then call shell://, something like a browser jack with a twist. To repeat some others, it would be interesting to see if there is some other exploit that can be run with this problem.

Enjoy,
AK

Date: Wed, 31 May 2000 19:49:11 -0700
From: Blue Boar <BlueBoar () THIEVCO COM>
Subject: Re: Win 2000 & IE 'shell://' problem?
To: VULN-DEV () SECURITYFOCUS COM

I did some brief testing with this today. I found that whatever version of Win2K w/IE that I plopped down in front of wouldn't crash with just opening shell:// or shell://localhost. The window would flicker a bit. One poster had indicated that it was dependent on the number of windows open. I opened several windows. Now it would flicker, and cycle between windows. With about 8 or 9 IE windows open, it would do the protection fault and crash.

Thanks everyone for reporting in with various version numbers, etc. I'll be summarizing shortly, and posting to Bugtraq and MS.

BB

x99kelley1 () wmich edu
Aaron Kelley
"Any technology that is distinguishable from magic is not sufficiently advanced."
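An added inspection script, not from anyone in this thread, that reads the four handler keys Stephen lists and prints the command template each one holds, so an administrator can see which handler a shell: URL is dispatched through. It assumes the template sits in each key's (default) value and that the %L / %I placeholders Stephen describes are what appear there; the sample URL and the space-truncation helper are constructed from his observation, not from Windows documentation.

```powershell
# Added example (not from the thread): report the shell: open-command handlers
# named in the post and show what Explorer would be launched with.
$handlerKeys = @(
    'HKEY_CLASSES_ROOT\Shell\shell\open\command',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open\command',
    'HKEY_CLASSES_ROOT\Publishing Folder\shell\open\command',
    'HKEY_CLASSES_ROOT\Folder\shell\open\command'
)

# Models the observation in the post that %L only receives the URL text up to
# the first space (assumption based on that observation, not on documentation).
function Get-UrlArgument {
    param([string]$Url)
    return ($Url -split ' ', 2)[0]
}

# Substitutes a constructed PID token and the truncated URL into a template
# so the reviewer can see the resulting explorer command line.
function Expand-HandlerTemplate {
    param([string]$Template, [string]$Url)
    $expanded = $Template -replace '%I', ':0:1423'          # constructed sample PID info
    $expanded = $expanded -replace '%L', (Get-UrlArgument $Url)
    return $expanded
}

$sampleUrl = 'shell://abcabc trailing text'   # constructed sample input

foreach ($key in $handlerKeys) {
    $path = "Registry::$key"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$key : (not present)"
        continue
    }
    # The command template lives in the key's (default) value.
    $template = (Get-ItemProperty -LiteralPath $path).'(default)'
    Write-Output "$key"
    Write-Output "    template : $template"
    Write-Output "    expanded : $(Expand-HandlerTemplate -Template $template -Url $sampleUrl)"
    # Flag templates that hand the URL to explorer.exe without quoting it, since
    # the post notes the URL text is substituted straight into the command line.
    if ($template -match '(?i)explorer' -and $template -match '%[L1]' -and $template -notmatch '"%[L1]"') {
        Write-Output "    note     : URL placeholder is passed to explorer.exe unquoted"
    }
}
```

Run in an elevated or standard PowerShell on the host under review; keys that are absent on newer Windows builds are reported rather than treated as errors.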
Current thread:
- Re: Win 2000 & IE 'shell://' problem? Blue Boar (May 31)
- <Possible follow-ups>
- Fwd: Re: Win 2000 & IE 'shell://' problem? Aaron Kelley (Jun 01)
- Re: Win 2000 & IE 'shell://' problem? Chris Hall (Jun 01)
- Re: Win 2000 & IE 'shell://' problem? Alex Schuetz (Jun 02)
- Re: Win 2000 & IE 'shell://' problem? Nobu Hakeda (Jun 02)
- Re: Win 2000 & IE 'shell://' problem? Stephen John (Jun 02)
- Warning! 'shell://' with win98 causes endless problems Alex Schuetz (Jun 03)
- shell:// shell:\\ shell: Cory Kantar (Jun 03)
- JOLT2.C Cory Kantar (Jun 03)
- Re: Win 2000 & IE 'shell://' problem? office (Jun 11)