Vulnerability Development mailing list archives

RE: Winnt/Win2k Vuln ?

From: "Thomas Reagan" <treagan () interactiveedge com>
Date: Fri, 10 Aug 2001 14:55:01 -0400

I don't know how don't see this as a vulnerability.  On Unix, they
specifically design shells to not execute programs outside the path to avoid
the issue.  It would be very easy to steal admin rights using some scripts
and a nice e-mail to your friendly admin with a cool file for his desktop.

Further, you are incorrect that the file is renamed www.google.com.BAT - I
have extensions turned on so that this file is in fact www.google.com.

MS should fix this.

--Tom

-----Original Message-----
From: Enrique A. Compaq Gzz. [mailto:enrique () virtekweb net]
Sent: Thursday, August 09, 2001 3:25 PM
To: Red Pantz; vuln-dev () securityfocus com
Subject: Re: Winnt/Win2k Vuln ?


Not exactly an issue....

because when you rename "autoexec.bat" to "www.google.com", what you
realy get is "www.google.com.BAT"
When you tipe "www.google.com" in the IE address bar, the file placed in
your desktop
get executed... (you can type the name of other files you have there,
without extension and they get
executed as well).

I think this is not a bug, but a non-smart feature, THAT CAN BE exploited.
for example, use any IE bug to create a file in your desktop, but name the
file to, say "www.yahoo.com.BAT" ...
When the user goes to www.yahoo.com.... bewm!!! the file gets executed.

 -- Enrique A. Compaq Gzz.
     Virtek Net Security

----- Original Message -----
From: "Red Pantz" <redpantz () crackdealer com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, August 08, 2001 4:17 PM
Subject: Winnt/Win2k Vuln ?

Hello all,

I have found that if you name a file (can be any data file) a certain URL,

on your desktop, and then g0 to IE and type that url, the web site will not
come up, only the program that was named the certain.confusing?


i.e.

- copy autoexec.bat to ..\desktop
- rename autoexec.bat to www.google.com (can be any url)
- then go to IE and type "www.google.com"
- your batch file is then ran

a few issues i have w/ this is:

- the prog will only run if it is on your desktop
- if you type "http://www.google.com";, for example
  it will not run(unless u name your file the same thing)
- it has only been tested on Win2k SP1, Winnt 4.0 SP6a w/ IE 5.5
- it doesn't seem to have any privelage escalation (all progs are run as

the current user logged on)


Just want a few others to try it and see wut they think

thanx alot
redpantz

------------------------------------------------------------
[- Get your own free e-mail @ http://www.crackdealer.com -]

Current thread:

Winnt/Win2k Vuln ? Red Pantz (Aug 09)
- Re: Winnt/Win2k Vuln ? Mike Duncan (Aug 10)
  - RE: Winnt/Win2k Vuln ? Jeremy Rodriguez (Aug 10)
- Re: Winnt/Win2k Vuln ? Enrique A. Compañ Gzz. (Aug 10)
  - RE: Winnt/Win2k Vuln ? Thomas Reagan (Aug 10)
    - Re: Winnt/Win2k Vuln ? Thor (Aug 10)
- Re: Winnt/Win2k Vuln ? Felipe Franciosi (Aug 10)
- Re: Winnt/Win2k Vuln ? sween (Aug 10)
- Re: Winnt/Win2k Vuln ? Vulnerability Development (Aug 10)
- Re: Winnt/Win2k Vuln ? Kaneda Akira (Aug 10)
- Re: Winnt/Win2k Vuln ? Rio Martin. (Aug 10)
  - Re: Winnt/Win2k Vuln ? Kevin Gagel (Aug 10)
    - Re: Winnt/Win2k Vuln ? Fab Siciliano (Aug 10)
    - Re: Winnt/Win2k Vuln ? sween (Aug 10)
  - Re: Winnt/Win2k Vuln ? J.D. Meek (Aug 10)

(Thread continues...)