
eeye.98-10-01.ie4_custom_folders

Posted Sep 23, 1999


SHA-256 | e358f1f0991f9c99805e7c8f0d2fcad32c0c7819573f5eb466cd11d9537ca419


/------------------\
/ eEye Security Team \
\--------------------/
\ www.eEye.com /
------------------
IE4 Custom Folders

---> Systems Affected
Win9X/NT IE4.0 Customized Folders

---> Release Date
October 1, 1998

---> Advisory Code
IE4CustomFolders01

---> Problem
Users with write access to a customized folder can replace the customized
folder settings, inserting their own "evil" files to execute code. This could
be used simply to make a folder not viewable from inside a GUI view or, on a
potentially more dangerous note, to execute code via ActiveX controls. In the
past, having write access to a folder was a bad thing, but the most that
could be done was to replace an exe with a trojaned exe in hopes that the user
runs the program. Now you can execute code when the user simply views a
folder.

It's common when you are doing security audits of NT networks to find
remote systems with shared folders. Most of the time the shared folder's
password is trivial to break or there is no password at all. We tested this
hole on a Windows95 system with IE4.0, a customized folder, and IE
security settings on high. It will most definitely work on Windows98 because,
well, IE4.0 is Windows98 heheh. As of releasing this advisory we have not
tested NT systems, but it's a good bet it will work.

Basically, what happens when you customize a folder is that two files are
created: desktop.ini and folder.htt. Folder.htt is the file that holds the
HTML code to be displayed in the folder's window when opened. We insert HTML
code for an evil ActiveX control inside folder.htt. When the user opens the
folder, the HTML code is read and the ocx is loaded. The ocx could share
drive c to everyone or whatever. Check out the attached nerd.zip for an
example that runs an exe which displays a funny little message.

On a side note: To reproduce this for testing purposes, create a folder, then
go to View, "Customize this Folder". Then, once you're done, unzip nerd.zip
into the folder, close the window and reopen it. Should not be too hard to
figure out. Also, the zip file has extra files that are not really essential
to getting the code executed... yes, lazy is the word hehe.
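
An audit sketch for the folder.htt behaviour described above, added here as an example; it is not part of the eEye advisory or nerd.zip. It walks a directory tree (for instance a mounted share), parses every folder.htt, and reports `<object>` tags whose classid is not in a baseline the auditor supplies or that carry a codebase attribute. The function names, the placeholder CLSIDs and the sample templates are assumptions constructed for illustration.

```python
import os
import tempfile
from html.parser import HTMLParser

class ObjectTagCollector(HTMLParser):
    """Collect (classid, codebase) for every <object> tag in a folder template."""
    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            a = dict(attrs)
            self.objects.append(((a.get("classid") or "").lower(), a.get("codebase")))

def audit_folder_templates(root, allowed_classids):
    """Walk root and report <object> tags in any folder.htt that are outside the
    auditor's baseline of expected classids or that reference a codebase."""
    allowed = {c.lower() for c in allowed_classids}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "folder.htt":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                parser = ObjectTagCollector()
                parser.feed(fh.read())
            for classid, codebase in parser.objects:
                if classid not in allowed or codebase:
                    findings.append((path, classid, codebase))
    return findings

def demo():
    """Constructed sample: one unmodified template, one with an unexpected control."""
    baseline = ["clsid:00000000-0000-0000-0000-00000000000A"]  # placeholder CLSID
    clean = '<html><object classid="clsid:00000000-0000-0000-0000-00000000000A"></object></html>'
    tampered = clean + ('<object classid="clsid:00000000-0000-0000-0000-00000000000B" '
                        'codebase="sample.ocx"></object>')  # constructed, placeholder CLSID
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("ok", clean), ("shared", tampered)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "Folder.htt"), "w") as fh:
                fh.write(body)
        return [(os.path.basename(os.path.dirname(p)), c, cb)
                for p, c, cb in audit_folder_templates(root, baseline)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline should be built from a folder.htt taken from a known-clean install, since stock templates may themselves contain `<object>` tags.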

--------------------
Marc
marc@eEye.com
eEye Security Team
http://www.eEye.com
--------------------

P.S.
Viking/1.04 httpd can be DoS'd by sending HEAD /(nice big string here)/
HTTP/1.0. Viking isn't a major httpd, but there might be one or two out
there using it.

[Part 2, Application/X-ZIP-COMPRESSED 22KB]
