Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: netsec () GFI COM (netsec [davidv])
Date: Wed, 31 May 2000 16:12:06 +0200


I tested it on NT4 IE5: 5.00.2314.1003

did not crash

-----Original Message-----
From: Stephen John [mailto:spjohn () MAIL UTEXAS EDU]
Sent: Tuesday, May 30, 2000 10:34 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win 2000 & IE 'shell://' problem?

I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol,
and when any URL, i.e. "shell://localhost" or just "shell://", is loaded IE
crashes and brings explorer.exe down with it.  I think this would cause a
user who didn't know much to think that Win 2000 had crashed (of course
killing the tasks iexplore.exe and explorer.exe, then restarting explorer,
will solve the problem).

I don't think this is a huge security hole, but being able to crash explorer
remotely is a security problem.

This can be exploited via a <A href=shell://somehost>Kill explorer!></A>
or, if scripting is on, by embedding an
onLoad="window.location='shell://localhost'"
into the body tag.
It takes about 5 seconds to crash IE/explorer, the IE window blinks a few
times before the crash.  I'm not sure what IE is trying to do here, but it
is never successful.

I was able to reproduce this on 2 systems with Win 2000 Professional
5.00.2195, using IE 5.00.2920.0000.
I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not
see this behavior.
Also Netscape does not seem to recognize shell:// as a valid protocol.

Could anyone see if this problem occurs on other versions of NT/IE, or
maybe if there is a better way to exploit it?

Stephen John
Student  University of Texas
Webmaster  http://www.securityauditor.com
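
A defensive check for the two delivery forms described in the message above (a link `href` and a body `onLoad` handler), as an added example that is not part of the original post: a content filter that reports any URL scheme outside an allowlist. The allowlist, the attribute list and the names `scheme_of`, `SchemeAuditor` and `audit` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the schemes this gateway lets through; everything else is reported.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src", "action", "background"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
# Heuristic for script handlers: a quoted string that starts with scheme://
QUOTED_URL = re.compile(r"""['"]\s*([a-z][a-z0-9+.\-]*)://""", re.I)


def scheme_of(url):
    """Return the lower-cased scheme of url, or None for a relative URL."""
    # Drop whitespace and control characters before matching the scheme.
    compact = "".join(ch for ch in url if ord(ch) > 0x20)
    m = SCHEME.match(compact)
    return m.group(1).lower() if m else None


class SchemeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, scheme)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                schemes = [scheme_of(value)]
            elif name.startswith("on"):  # onload, onclick, ...
                schemes = [m.group(1).lower() for m in QUOTED_URL.finditer(value)]
            else:
                continue
            for s in schemes:
                if s and s not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, s))


def audit(html):
    """Return every (tag, attribute, scheme) whose scheme is not allowlisted."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: the two delivery forms from the post plus two benign links.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<A href=shell://somehost>Kill explorer!</A>
<a href="http://www.example.com/">ok</a>
<a href="/relative/page.html">ok</a>
</body></html>"""
```

An allowlist is used rather than a blocklist of `shell` so that other unexpected protocol handlers are reported by the same rule.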
