Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: spjohn () MAIL UTEXAS EDU (Stephen John)
Date: Wed, 31 May 2000 11:42:57 -0500


  I noticed a few more things when playing around with this.  Using "shell:" seems to work just as well as "shell://", 
but produces slightly different information in the drwatson log.  Also I only get the drwatson log when I am not 
running as administrator (don't know if that is normal or not).  

  From what I noticed, and from what other people said, almost all of the time explorer will restart on its own, and 
does not need to be restarted manually.

  Can anyone think of any way this can be exploited to do something more than just crash explorer?


  Stephen John

  Student  University of Texas

  Admin  http://www.securityauditor.com

  -----Original Message-----
  From: Stephen John [mailto:spjohn () MAIL UTEXAS EDU]
  Sent: Wednesday, 31 May 2000 6:34 AM
  To: VULN-DEV () SECURITYFOCUS COM
  Subject: Win 2000 & IE 'shell://' problem?


  I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol, and when any URL, i.e. "shell://localhost" or 
just "shell://", is loaded IE crashes and brings explorer.exe down with it.  I think this would cause a user who didn't 
know much to think that Win 2000 had crashed (of course killing the tasks iexplore.exe and explorer.exe then restarting 
explorer will solve the problem).


  I don't think this is a huge security hole, but being able to crash explorer remotely is a security problem.


  This can be exploited via a <A href=shell://somehost>Kill explorer!></A>

  or if scripting is on, by embedding an onLoad="window.location='shell://localhost'"

  into the body tag.

  It takes about 5 seconds to crash IE/explorer, the IE window blinks a few times before the crash.  I'm not sure what 
IE is trying to do here, but it is never successful.  


  I was able to reproduce this on 2 systems with Win 2000 Professional 5.00.2195, using IE 5.00.2920.0000.  

  I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not see this behavior.

  Also Netscape does not seem to recognize shell:// as a valid protocol.


  Could anyone see if this problem occurs on other versions of NT/IE, or maybe there is a better way to exploit it?


  Stephen John

  Student  University of Texas

  Webmaster  http://www.securityauditor.com

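A defensive counterpart to what the thread describes: a small content check (for a proxy, mail gateway or page audit) that flags HTML carrying shell: navigation targets in either of the two forms the posts mention, the "shell:" and "shell://" spellings, whether in a link attribute, an inline event handler or a script block. This is an added example, not code from the posts or from any Microsoft component; the sample HTML is constructed here and the function and class names are my own.

```python
import re
from html.parser import HTMLParser

# Attribute names that carry a navigation or load target.
URL_ATTRS = {"href", "src", "action", "data", "background"}
# "shell:" or "shell://" at the start of a URL, case-insensitive, with
# leading whitespace tolerated; the thread reports both forms misbehave.
SHELL_SCHEME = re.compile(r"^\s*shell:", re.IGNORECASE)
# Inline-script navigation to a shell: URL, e.g. location='shell://x'.
SCRIPT_NAV = re.compile(r"""(?:location|href)\s*=\s*['"]\s*shell:""",
                        re.IGNORECASE)


class ShellUrlFinder(HTMLParser):
    """Collects (tag, attribute-or-'body', offending text) triples."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS and SHELL_SCHEME.match(value):
                self.findings.append((tag, name, value.strip()))
            elif name.startswith("on") and SCRIPT_NAV.search(value):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script content arrives here as one CDATA chunk.
        if self._in_script and SCRIPT_NAV.search(data):
            self.findings.append(("script", "body", data.strip()))


def find_shell_urls(html):
    """Return every shell: navigation target found in the HTML."""
    parser = ShellUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample mirroring the three vectors discussed in the thread.
SAMPLE = """<html><body onLoad="window.location='shell://localhost'">
<a href=shell://somehost>Kill explorer!</a>
<a href="http://example.invalid/">harmless link</a>
<script>document.location = "shell:";</script>
</body></html>"""
```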
