Lucene search
K

ms2k3traversal.txt

🗓️ 09 Oct 2003 00:00:00Reported by Eiji James YoshidaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

Microsoft Windows Server 2003 allows directory traversal through Shell Folders vulnerability.

Code
`Title:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability  
[http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html]  
  
  
Date:  
~~~~~~~~~~~~~~~~~~~~~~~  
8 October 2003  
  
  
Author:  
~~~~~~~~~~~~~~~~~~~~~~~  
Eiji James Yoshida [[email protected]]  
  
  
Vulnerable:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 (Internet Explorer 6.0)  
  
  
Overview:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories.  
A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name by this  
vulnerability.  
  
ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"  
  
  
Details:  
~~~~~~~~~~~~~~~~~~~~~~~  
Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell  
Folders]\..\" in a malicious link.  
  
[Shell Folders]  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  
AppData: "C:\Documents and Settings\%USERNAME%\Application Data"  
Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"  
Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"  
Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"  
NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"  
Personal: "C:\Documents and Settings\%USERNAME%\My Documents"  
PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"  
Recent: "C:\Documents and Settings\%USERNAME%\Recent"  
SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"  
Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"  
Templates: "C:\Documents and Settings\%USERNAME%\Templates"  
Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"  
Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"  
Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"  
Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"  
Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"  
History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"  
My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"  
Fonts: "C:\WINDOWS\Fonts"  
My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"  
My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"  
CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"  
Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"  
  
  
Exploit code:  
~~~~~~~~~~~~~~~~~~~~~~~  
**************************************************  
This exploit reads %TEMP%\exploit.html.  
You need to create it.  
And click on the malicious link.  
**************************************************  
  
Malicious link:  
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>  
  
  
Workaround:  
~~~~~~~~~~~~~~~~~~~~~~~  
None.  
  
  
Vendor Status:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft was notified on 9 June 2003.  
They plan to fix this bug in a future service pack.  
  
Microsoft Knowledge Base(KB829493)  
[http://support.microsoft.com/default.aspx?scid=829493]  
  
  
Thanks:  
~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Security Response Center  
Masaki Yamazaki (Japan GTSC Security Response Team)  
Youji Okuten (Japan GTSC Security Response Team)  
  
  
Similar vulnerability:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability  
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]  
  
  
-------------------------------------------------------------  
Eiji James Yoshida  
penetration technique research site  
E-mail: [email protected]  
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm  
-------------------------------------------------------------  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation