Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: walter.williams () GENUITY COM (Walter Williams)
Date: Wed, 31 May 2000 06:19:47 -0400


Running build 2195 of Win2K Professional with IE 5.00.2920.0000CO and doing
just "shell://" produced "Explorer has generated errors and is being closed
by Windows and must be restarted" as an error message.  However, Explorer
restarted itself with no loss of open documents, nor did any application die.
I did not get the icon dump reported below.

Running "shell://localhost" produced identical results.

What I found most amusing is that I could only produce a problem if I had
multiple instances of IE running.  If only one instance of IE was running,
all these commands seemed to do was produce a few seconds of screen flicker.

Walter

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Rob
Beneson
Sent: Wednesday, May 31, 2000 2:14 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Win 2000 & IE 'shell://' problem?


Well, just to let you know, I am running build 2195 (5.0.2195) of Win2k
Advanced Server, with IE 5.00.2920.0000, and this didn't crash explorer.
Although IE wasn't very happy, and it dumped the icons in my tray, and
tried to dump explorer altogether, but explorer came right back up after a
second of doubt along with half my tray icons!  Go M$!
Hope this can add to the info.

Rob


----Original Message Follows----
From: Stephen John <spjohn () MAIL UTEXAS EDU>
Reply-To: Stephen John <spjohn () MAIL UTEXAS EDU>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win 2000 & IE 'shell://' problem?
Date: Tue, 30 May 2000 15:33:32 -0500
MIME-Version: 1.0
Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
MHotMailBAFDE93C0031D820F3DBCF7E7F44D4060; Tue May 30 22:08:12 2000
Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68]) by lists.securityfocus.com (Postfix) with ESMTP id
8E87F1F12F; Tue, 30 May 2000 22:02:23 -0700 (PDT)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
(LISTSERV-TCP/IP release 1.8d) with spool id 10474837 for
VULN-DEV () LISTS SECURITYFOCUS COM; Tue, 30 May 2000 22:02:12 -0700
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
by lists.securityfocus.com (Postfix) with SMTP id 622EE1EED8 for
<vuln-dev () lists securityfocus com>; Tue, 30 May 2000 13:37:03 -0700 (PDT)
Received: (qmail 9116 invoked by alias); 30 May 2000 20:37:07 -0000
Received: (qmail 9113 invoked from network); 30 May 2000 20:37:06 -0000
Received: from devmail.dev.tivoli.com (208.230.244.136) by
mail.securityfocus.com with SMTP; 30 May 2000 20:37:06 -0000
Received: from spjohn1 (spjohn1.dev.tivoli.com [146.84.25.74]) by
devmail.dev.tivoli.com (8.9.1/8.8.8) with SMTP id PAA17382 for
<vuln-dev () securityfocus com>; Tue, 30 May 2000 15:37:01 -0500 (CDT)
From owner-vuln-dev () SECURITYFOCUS COM Tue May 30 22:10:50 2000
Approved-By: BlueBoar () THIEVCO COM
Delivered-To: vuln-dev () lists securityfocus com
Delivered-To: vuln-dev () securityfocus com
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Message-ID:  <001001bfca76$52b63dd0$4a195492 () dev tivoli com>
Sender: VULN-DEV List <VULN-DEV () SECURITYFOCUS COM>
X-To:         vuln-dev () securityfocus com

I found that IE 5 running on Win 2000 accepts "shell://" as a legal protocol,
and when any URL, e.g. "shell://localhost" or just "shell://", is loaded, IE
crashes and brings explorer.exe down with it.  I think this would cause a
user who didn't know much to think that Win 2000 had crashed (of course
killing the tasks iexplore.exe and explorer.exe and then restarting explorer
will solve the problem).

I don't think this is a huge security hole, but being able to crash explorer
remotely is a security problem.

This can be exploited via a <A href="shell://somehost">Kill explorer!</A>
or, if scripting is on, by embedding
onLoad="window.location='shell://localhost'"
into the body tag.
It takes about 5 seconds to crash IE/explorer; the IE window blinks a few
times before the crash.  I'm not sure what IE is trying to do here, but it
is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional
5.00.2195, using IE 5.00.2920.0000.
I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not
see this behavior.
Also Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or
maybe if there is a better way to exploit it?


Stephen John
Student  University of Texas
Webmaster  http://www.securityauditor.com

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com


