Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Windows File Selection May Lead to Command Execution

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Windows File Selection May Lead to Command Execution
Date: 21 Apr 2005 16:15:38 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Windows File Selection May Lead to Command Execution
------------------------------------------------------------------------


SUMMARY

When the preview pane outputs the document's author name, it checks 
whether the name resembles an email address, and if so, transforms it into 
a 'mailto:' link in the pane. The transformation into a link does not 
filter potentially dangerous characters and makes it possible to inject 
attributes into the link, which enables execution of arbitrary script 
commands.

DETAILS

Vulnerable Systems:
 * Windows Explorer on Windows 2000 Professional
 * Windows Explorer on Windows 2000 Server
 * Windows Explorer on Windows 2000 Advanced Server

Note that any other application that uses the Web View DLL under Windows 
2000 is affected as well.

Introduction:
Windows Explorer is used to navigate through the Windows file system by 
default.

Windows Explorer includes a preview pane (Web view), which displays 
information on some types of files when they become selected. The preview 
pane is enabled by default on all Windows 2000 systems.

The preview pane is implemented via an HTML resource file (in webvw.dll), 
which examines the currently selected file, reads its metadata and 
displays useful information about it. Such information includes the file's 
size, attributes, modification date, author and more.

Script commands that are injected in this manner will execute as soon as 
the malicious file is selected in Windows Explorer and will be executed in 
a trusted context, which means they will have the ability to perform any 
action the currently logged on user can perform. This includes reading, 
deleting and writing files, as well as executing arbitrary commands.

Notice that the malicious file does not need to be executed in order to 
activate the exploit, double-clicking is not required. The exploitation 
takes place as soon as the file is selected.

The code below is an excerpt from one of the vulnerable resources. In this 
instance 'safeData' has not been filtered properly, and may contain the 
apostrophe (') character, allowing for attribute termination in the 
resulting HTML:

text += "<p>" + title + ": <a href='mailto:"; + safeData + "'>" + safeData 
+ "</a>";

Exploit:
When setting the author field of a file (for example, a Word document) to 
the following value:
a@b' style='background-image:url(javascript:alert("Successful 
injection!"))'

Windows Explorer will display a message box as soon as the file is 
selected.

This vulnerability can also be exploited by directing the user to an 
attacker controlled SMB share, the user will then need to select the file 
in order to activate the exploit.

Demonstration:
GreyMagic has put together three proof-of-concept demonstrations:
 * Simple: As shown in the exploit section, displays a simple message box 
when selected.
 * Copy me: Automatically copies itself to the same folder when selected.
 * Bo Selecta: Constantly renames itself when selected.

They may be accessed at:  
<http://security.greymagic.com/security/advisories/gm015-ie/> 
http://security.greymagic.com/security/advisories/gm015-ie/

Solution:
Until a patch becomes available, disable the Web View by going to: Tools 
-> Folder Options -> Select 'Use Windows classic folders'.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:security@greymagic.com> 
GreyMagic Security.
The original article can be found at:  
<http://www.greymagic.com/security/advisories/gm015-ie/> 
http://www.greymagic.com/security/advisories/gm015-ie/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [NEWS] SQL Injection in CREATE_SCN_CHANGE_SET Procedure, SecuriTeam
Next by Date:  [NEWS] Neslo Desktop Rover Remote DoS, SecuriTeam
Previous by Thread:  [NEWS] SQL Injection in CREATE_SCN_CHANGE_SET Procedure, SecuriTeam
Next by Thread:  [NT] Windows File Selection May Lead to Command Execution, support
Indexes:  [Date] [Thread] [Top] [All Lists]