Title:
Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

Date:
8 October 2003 (Last modified: 03 April, 2005)

Author:
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
penetration technique research site [Advisories]

Vulnerable:
Windows Server 2003 (Internet Explorer 6.0)

MSKB:
KB829493 [Japanese version only]

Bugtraq ID:
7826

Patch:
Windows Server 2003 Service Pack 1

Overview:
Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories. Through this vulnerability a remote attacker can learn the path of the %USERPROFILE% folder without having to guess the target user name.
ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"

Details:
Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell Folders]\..\" in a malicious link.

[Shell Folders] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  AppData:              "C:\Documents and Settings\%USERNAME%\Application Data"
  Cookies:              "C:\Documents and Settings\%USERNAME%\Cookies"
  Desktop:              "C:\Documents and Settings\%USERNAME%\Desktop"
  Favorites:            "C:\Documents and Settings\%USERNAME%\Favorites"
  NetHood:              "C:\Documents and Settings\%USERNAME%\NetHood"
  Personal:             "C:\Documents and Settings\%USERNAME%\My Documents"
  PrintHood:            "C:\Documents and Settings\%USERNAME%\PrintHood"
  Recent:               "C:\Documents and Settings\%USERNAME%\Recent"
  SendTo:               "C:\Documents and Settings\%USERNAME%\SendTo"
  Start Menu:           "C:\Documents and Settings\%USERNAME%\Start Menu"
  Templates:            "C:\Documents and Settings\%USERNAME%\Templates"
  Programs:             "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
  Startup:              "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
  Local Settings:       "C:\Documents and Settings\%USERNAME%\Local Settings"
  Local AppData:        "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
  Cache:                "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
  History:              "C:\Documents and Settings\%USERNAME%\Local Settings\History"
  My Pictures:          "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
  Fonts:                "C:\WINDOWS\Fonts"
  My Music:             "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
  My Video:             "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
  CD Burning:           "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
  Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"
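As an added illustration (not part of this advisory or its exploit), this is the containment check a shell: link handler or a link filter needs in order to catch the traversal described above: it resolves shell:<folder>\<relative path> against the Shell Folders mapping, collapses any "..\" components, and reports whether the final path still lies inside the named folder. The profile path and the folder subset are constructed sample values; case-insensitive folder-name matching is an assumption of the example.

```python
import ntpath
import re

# Constructed sample of the "Shell Folders" mapping from the advisory, with a
# placeholder profile path; on a real system these values come from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders.
PROFILE = r"C:\Documents and Settings\USERNAME"
SHELL_FOLDERS = {
    "AppData":  PROFILE + r"\Application Data",
    "Cookies":  PROFILE + r"\Cookies",
    "Desktop":  PROFILE + r"\Desktop",
    "Personal": PROFILE + r"\My Documents",
    "Cache":    PROFILE + r"\Local Settings\Temporary Internet Files",
    "Fonts":    r"C:\WINDOWS\Fonts",
}


def resolve_shell_link(url):
    """Resolve a shell:<folder>\<relative path> link.

    Returns (folder_name, absolute_path, escapes); `escapes` is True when the
    normalised path leaves the named Shell Folder, i.e. the link relies on
    "..\" traversal the way the advisory describes.
    """
    m = re.fullmatch(r"shell:([^\\/]+)(.*)", url, flags=re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a shell: link: %r" % url)
    name, rest = m.group(1), m.group(2).replace("/", "\\")
    # Folder names are matched case-insensitively here (assumption).
    root = next((v for k, v in SHELL_FOLDERS.items() if k.lower() == name.lower()), None)
    if root is None:
        raise KeyError("unknown Shell Folder: %r" % name)
    root = ntpath.normpath(root)
    # ntpath.normpath collapses "." and ".." components, so `target` is the
    # path the link would actually open, not the path it appears to name.
    target = ntpath.normpath(ntpath.join(root, rest.lstrip("\\")))
    inside = target.lower() == root.lower() or target.lower().startswith(root.lower() + "\\")
    return name, target, not inside


def is_traversal_link(url):
    """True when a shell: link points outside its named folder."""
    return resolve_shell_link(url)[2]


if __name__ == "__main__":
    for link in (r"shell:Cookies\tracking.txt", r"shell:Cookies\..\Desktop\notes.txt"):
        name, path, escapes = resolve_shell_link(link)
        print("%-36s -> %s  %s" % (link, path, "ESCAPES " + name if escapes else "ok"))
```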

Exploit code:
**************************************************
This exploit reads %TEMP%\exploit.html. You need to create it,
then click on the malicious link.
**************************************************
Malicious link: Exploit

Workaround:
None.

Vendor status:
Microsoft was notified on 9 June 2003. They planned to fix this bug in a future service pack. (This bug was corrected in Windows Server 2003 Service Pack 1.)
Microsoft Knowledge Base (KB829493) [Japanese version only]

Thanks:
Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)

Similar vulnerability:
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability

Copyright(c) 2005 Eiji James Yoshida. All rights reserved