Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: maillist () KREL ORG (Ilya)
Date: Wed, 31 May 2000 01:40:57 -0400


Confirmed on 2k server / IE 5.5 beta.
I run Sysinternals Registry Monitor; IExplorer and Explorer do exactly 26666
registry accesses from the click on the link to the crash window, funny number ;)

----- Original Message -----
From: "Stephen John" <spjohn () MAIL UTEXAS EDU>
To: <>
Sent: Tuesday, May 30, 2000 4:33 PM
Subject: Win 2000 & IE 'shell://' problem?

I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol,
and when any URL, i.e. "shell://localhost" or just "shell://", is loaded IE
crashes and brings explorer.exe down with it.  I think this would cause a
user who didn't know much to think that Win 2000 had crashed (of course
killing the tasks iexplore.exe and explorer.exe then restarting explorer,
will solve the problem).

I don't think this is a huge security hole, but being able to crash explorer
remotely is a security problem.

This can be exploited via a <A href=shell://somehost>Kill explorer!></A>
or if scripting is on, by embedding a
onLoad="window.location='shell://localhost'"
into the body tag.
It takes about 5 seconds to crash IE/explorer, the IE window blinks a few
times before the crash.  I'm not sure what IE is trying to do here, but it
is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional
5.00.2195, using IE 5.00.2920.0000.
I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not
see this behavior.
Also Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or
maybe if there is a better way to exploit it?

Stephen John
Student  University of Texas
Webmaster  http://www.securityauditor.com
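
An added example, not part of the original posts: a content-filter style check that flags the two forms quoted above (a URL attribute and an inline event handler) when they use a scheme outside an allowlist. The allowlist, the attribute set and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: schemes a filtering proxy or mail gateway would let through.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src", "action", "background"}
ATTR_URL = re.compile(r"\s*([a-z][a-z0-9+.-]*):", re.I)
# Heuristic: a quoted string inside inline script that starts with "scheme:".
SCRIPT_URL = re.compile(r"""['"]\s*([a-z][a-z0-9+.-]*):""", re.I)


class SchemeAudit(HTMLParser):
    """Collect (tag, attribute, scheme) for URLs whose scheme is not allowlisted."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # names arrive lowercased
            if not value:
                continue
            if name in URL_ATTRS:
                m = ATTR_URL.match(value)  # relative URLs have no scheme
                schemes = [m.group(1)] if m else []
            elif name.startswith("on"):    # onload, onclick, ...
                schemes = SCRIPT_URL.findall(value)
            else:
                continue
            for s in schemes:
                if s.lower() not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, s.lower()))


def audit(html):
    parser = SchemeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page using the two forms quoted in the post.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>link</A>
<a href="http://example.com/">ok</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
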

