This is an issue that I submitted to Microsoft yesterday morning. I was
going to wait to hear from them before submitting this to NTBugTraq, but
when (only several hours later) I saw Georgi Guninski's Customized Folders
issue I felt that I had better "stake my claim" to this issue before he or
someone else finds it! Please do not post this email until I hear from MS,
as I am giving them the option to produce a patch (if they feel that it is
warranted) before disclosing. Thanks.
-----------------------CUT HERE-----------------------------
I found a problem with the way that Explorer handles customized folders that
could be used to execute arbitrary commands in the security context of an
unsuspecting user.
If you use Web View and customize a folder, Explorer creates a desktop.ini
file and a "Folder Settings" folder. The "PersistMoniker" line in desktop.ini
names the .htt file used to render the folder view. That view is rendered in
the "Local Intranet" zone, so only controls marked "Safe for scripting" can
be used. The problem is that desktop.ini can be told to use an .hta file
instead, and HTML Applications do not run inside a security sandbox. Because
desktop.ini inherits the same ACL as its directory, any user with write
access to the folder also has write access to desktop.ini.
Here's one obvious example of how this vulnerability can be exploited: A
popular share exists on a file server. Joe User (a Domain User) has change
access to this share. He customizes the folder and creates a .hta that tries
to add him or her to the Domain Admins group (via NET USER or ADSI,
whatever). He or she modifies the desktop.ini to point to the .hta and waits
for a Domain Admin (with Web View enabled) to browse to the share. A problem
with this exploit is that the window that is supposed to display the
contents of the share does not get updated, but if you wanted to you could
write code to update the window properly just like the original folder.htt
does.
I tested this on Windows 2000 Server & Pro with and without SP1, on IE 5.0 &
5.5, and with all the latest security patches. There may be other "bad"
extensions other than .hta that work, but I tried .cmd, .bat, and .wsf
without success.
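The condition described above (a desktop.ini whose PersistMoniker names something other than the .htt template Web View wrote) is easy to audit for on a file server. The following is an added example, not code from the original post: a small Python audit that parses desktop.ini files and flags any PersistMoniker value whose extension is not .htt, or which points outside the folder. The two sample desktop.ini files are constructed; the section header holding PersistMoniker is shown with a placeholder CLSID, since the exact section layout Explorer writes is assumed here rather than taken from the post.

```python
import configparser
import os
from pathlib import PureWindowsPath

# Only the Web View template type is expected behind PersistMoniker.
SAFE_EXTENSIONS = {".htt"}

# Constructed sample: what a customized folder's desktop.ini is assumed to look like.
# The braced section name is a placeholder for the real Web View CLSID.
BENIGN_INI = """[.ShellClassInfo]
ConfirmFileOp=0
[{00000000-0000-0000-0000-000000000000}]
PersistMoniker=file://Folder Settings\\Folder.htt
"""

# Constructed sample: PersistMoniker redirected to an .hta, the case the post describes.
SUSPECT_INI = """[.ShellClassInfo]
ConfirmFileOp=0
[{00000000-0000-0000-0000-000000000000}]
PersistMoniker=file://Folder Settings\\view.hta
"""


def persist_monikers(ini_text):
    """Return every PersistMoniker value found in any section of a desktop.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # desktop.ini keys are case-insensitive
    cp.read_string(ini_text)
    values = []
    for section in cp.sections():
        if cp.has_option(section, "persistmoniker"):
            values.append(cp.get(section, "persistmoniker").strip())
    return values


def moniker_target(moniker):
    """Strip the file:// prefix desktop.ini uses and return the rest as a Windows path."""
    if moniker.lower().startswith("file://"):
        moniker = moniker[len("file://"):]
    return PureWindowsPath(moniker)


def audit_desktop_ini(ini_text):
    """Return a list of findings for one desktop.ini; an empty list means nothing was flagged."""
    findings = []
    for moniker in persist_monikers(ini_text):
        target = moniker_target(moniker)
        if target.suffix.lower() not in SAFE_EXTENSIONS:
            findings.append("PersistMoniker points to a non-.htt template: " + moniker)
        # A drive-qualified or UNC path means the view is loaded from somewhere
        # other than the folder's own "Folder Settings" subfolder.
        if target.is_absolute():
            findings.append("PersistMoniker points outside the folder: " + moniker)
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted share) and audit every desktop.ini in it."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "desktop.ini" in (name.lower() for name in filenames):
            path = os.path.join(dirpath, "desktop.ini")
            with open(path, "r", errors="replace") as fh:
                findings = audit_desktop_ini(fh.read())
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_INI), ("suspect", SUSPECT_INI)):
        print(label, audit_desktop_ini(sample) or "clean")
```

Run scan_tree against the root of each share that ordinary users can write to; any desktop.ini it reports is worth inspecting by hand, since a legitimate Web View customization only ever points PersistMoniker at an .htt file in the folder's own "Folder Settings" subfolder.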
----------------------------------------------------------------------------
Delivery co-sponsored by eEye Digital Security
----------------------------------------------------------------------------