Vulnerability Development mailing list archives
Re: Win 2000 & IE 'shell://' problem?
From: walter.williams () GENUITY COM (Walter Williams)
Date: Wed, 31 May 2000 06:19:47 -0400
Running build 2195 of Win2K Professional with IE 5.00.2920.0000CO and doing just "shell://" produced: "Explorer has generated errors and is being closed by windows and must be restarted", as an error message. However, Explorer self restarted with no loss of open documents, nor did any application die. I did not get the icon dump reported below. Running "shell://localhost" produced identical results.

What I found most amusing is that I could only produce a problem if I had multiple instances of IE running. If only one instance of IE was running, all these commands seemed to do was produce a few seconds of screen flicker.

Walter

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Rob Beneson
Sent: Wednesday, May 31, 2000 2:14 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Win 2000 & IE 'shell://' problem?

Well, just to let you know, I am running build 2195 (5.0.2195) of Win2k Advanced Server, with IE 5.00.2920.0000 and this didn't crash explorer. Although, IE wasn't very happy, and it dumped the icons in my tray, and tried to dump explorer altogether, but explorer came right back up after a second of doubt along with half my tray icons! Go M$!

Hope this can add to the info.

Rob

----Original Message Follows----
From: Stephen John <spjohn () MAIL UTEXAS EDU>
Reply-To: Stephen John <spjohn () MAIL UTEXAS EDU>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win 2000 & IE 'shell://' problem?
Date: Tue, 30 May 2000 15:33:32 -0500

I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol, and when any URL, i.e. "shell://localhost" or just "shell://", is loaded IE crashes and brings explorer.exe down with it. I think this would cause a user who didn't know much to think that Win 2000 had crashed (of course killing the tasks iexplore.exe and explorer.exe, then restarting explorer, will solve the problem). I don't think this is a huge security hole, but being able to crash explorer remotely is a security problem.

This can be exploited via a <A href=shell://somehost>Kill explorer!></A> or, if scripting is on, by embedding an onLoad="window.location='shell://localhost'" into the body tag. It takes about 5 seconds to crash IE/explorer; the IE window blinks a few times before the crash. I'm not sure what IE is trying to do here, but it is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional 5.00.2195, using IE 5.00.2920.0000. I tested this on a Win 98 machine running IE 5.00.2919.6307 and I did not see this behavior. Also Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or maybe if there is a better way to exploit it?

Stephen John
Student University of Texas
Webmaster http://www.securityauditor.com
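
Added example, not part of the original thread or any poster's code: a content-filter check that flags the two delivery forms described above (a URL attribute and an event-handler navigation) when they use a scheme outside an allowlist. The allowlist, the attribute set, the function names and the sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: schemes the filter is willing to pass; anything else is flagged.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
# Assumption: attributes treated as carrying a URL.
URL_ATTRS = {"href", "src", "action", "background"}
# A scheme at the start of a URL value (RFC 3986 scheme syntax).
SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.\-]*):")
# A quoted string inside handler script that begins with scheme://
SCRIPT_URL_RE = re.compile(r"""['"]\s*([a-zA-Z][a-zA-Z0-9+.\-]*)://""")


class SchemeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, scheme), in document order

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names before this call.
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                m = SCHEME_RE.match(value)
                schemes = [m.group(1)] if m else []
            elif name.startswith("on"):  # onload, onclick, ...
                schemes = SCRIPT_URL_RE.findall(value)
            else:
                continue
            for scheme in schemes:
                if scheme.lower() not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, scheme.lower()))


def scan(html):
    """Return the list of (tag, attribute, scheme) findings for a page."""
    scanner = SchemeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the two forms quoted in the post, plus one
# ordinary link that must not be flagged.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>Kill explorer!></A>
<a href="http://www.securityauditor.com">home</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, scheme in scan(SAMPLE):
        print(f"<{tag}> {attr}: unexpected scheme {scheme!r}")
```

An allowlist is used rather than a match on "shell" alone so that other schemes a browser may register are flagged as well.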