ms2k3traversal.txt

09 Oct 2003 | Reported by Eiji James Yoshida | Type: packetstorm | Source: packetstormsecurity.com

Microsoft Windows Server 2003 allows directory traversal through a "Shell Folders" vulnerability.

`Title:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability  
[http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]  
  
  
Date:  
~~~~~~~~~~~~~~~~~~~~~~~  
8 October 2003  
  
  
Author:  
~~~~~~~~~~~~~~~~~~~~~~~  
Eiji James Yoshida [[email protected]]  
  
  
Vulnerable:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 (Internet Explorer 6.0)  
  
  
Overview:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories.  
With this vulnerability, a remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name.  
  
e.g. %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"  
  
  
Details:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories and access arbitrary files via  
"shell:[Shell Folders]\..\" in a malicious link.  
  
[Shell Folders]  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  
AppData: "C:\Documents and Settings\%USERNAME%\Application Data"  
Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"  
Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"  
Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"  
NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"  
Personal: "C:\Documents and Settings\%USERNAME%\My Documents"  
PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"  
Recent: "C:\Documents and Settings\%USERNAME%\Recent"  
SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"  
Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"  
Templates: "C:\Documents and Settings\%USERNAME%\Templates"  
Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"  
Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"  
Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"  
Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"  
Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"  
History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"  
My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"  
Fonts: "C:\WINDOWS\Fonts"  
My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"  
My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"  
CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"  
Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"  
  
  
Exploit code:  
~~~~~~~~~~~~~~~~~~~~~~~  
**************************************************  
This exploit reads %TEMP%\exploit.html.  
You need to create that file first,  
then click on the malicious link.  
**************************************************  
  
Malicious link:  
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>  
  
  
Workaround:  
~~~~~~~~~~~~~~~~~~~~~~~  
None.  
  
  
Vendor Status:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft was notified on 9 June 2003.  
They plan to fix this bug in a future service pack.  
  
Microsoft Knowledge Base (KB829493)  
[http://support.microsoft.com/default.aspx?scid=829493]  
  
  
Thanks:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Security Response Center  
Masaki Yamazaki (Japan GTSC Security Response Team)  
Youji Okuten (Japan GTSC Security Response Team)  
  
  
Similar vulnerability:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability  
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]  
  
  
-------------------------------------------------------------  
Eiji James Yoshida  
penetration technique research site  
E-mail: [email protected]  
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm  
-------------------------------------------------------------  
`
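
Since the advisory lists no workaround, one compensating control is to flag `shell:` links that contain `..` segments before content reaches the browser, for example in a mail or web content filter. The following is an added example, not code from the advisory or from Microsoft; the function names, the attribute list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes inspected for URLs (an assumption; extend for your content filter).
URL_ATTRS = {"href", "src"}

def shell_traversal(url):
    """Return the shell folder name if url is a shell: link that climbs out
    of that folder with a ".." segment, otherwise None."""
    decoded = unquote(url).strip()          # normalise percent-encoding first
    if not decoded.lower().startswith("shell:"):
        return None
    # Treat "/" and "\" alike, then split into path segments.
    segments = decoded[len("shell:"):].replace("/", "\\").split("\\")
    if any(seg.strip() == ".." for seg in segments[1:]):
        return segments[0].strip()
    return None

class ShellLinkFinder(HTMLParser):
    """Collects (tag, attribute, shell folder, raw URL) for each flagged link."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                folder = shell_traversal(value)
                if folder is not None:
                    self.findings.append((tag, name, folder, value))

def scan_html(markup):
    finder = ShellLinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

# Constructed sample: the advisory's link plus two links that must not be flagged.
SAMPLE = r'''
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>
<a href="shell:Desktop">shell folder without traversal</a>
<a href="https://example.com/a/../b">ordinary web link</a>
'''

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Only the first link in the sample is reported; a `shell:` link without `..` and an ordinary web URL containing `..` are left alone.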
