Title: ~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability [http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html] Date: ~~~~~~~~~~~~~~~~~~~~~~~ 8 October 2003 Author: ~~~~~~~~~~~~~~~~~~~~~~~ Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp] Vulnerable: ~~~~~~~~~~~~~~~~~~~~~~~ Windows Server 2003 (Internet Explorer 6.0) Overview: ~~~~~~~~~~~~~~~~~~~~~~~ Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories. A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name by this vulnerability. ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%" Details: ~~~~~~~~~~~~~~~~~~~~~~~ Windows Server 2003 allows remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell Folders]\..\" in a malicious link. [Shell Folders] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData: "C:\Documents and Settings\%USERNAME%\Application Data" Cookies: "C:\Documents and Settings\%USERNAME%\Cookies" Desktop: "C:\Documents and Settings\%USERNAME%\Desktop" Favorites: "C:\Documents and Settings\%USERNAME%\Favorites" NetHood: "C:\Documents and Settings\%USERNAME%\NetHood" Personal: "C:\Documents and Settings\%USERNAME%\My Documents" PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood" Recent: "C:\Documents and Settings\%USERNAME%\Recent" SendTo: "C:\Documents and Settings\%USERNAME%\SendTo" Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu" Templates: "C:\Documents and Settings\%USERNAME%\Templates" Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs" Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup" Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings" Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data" Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files" History: "C:\Documents and Settings\%USERNAME%\Local Settings\History" My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures" Fonts: "C:\WINDOWS\Fonts" My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music" My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos" CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning" Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools" Exploit code: ~~~~~~~~~~~~~~~~~~~~~~~ ************************************************** This exploit reads %TEMP%\exploit.html. You need to create it. And click on the malicious link. ************************************************** Malicious link: Exploit Workaround: ~~~~~~~~~~~~~~~~~~~~~~~ None. Vendor Status: ~~~~~~~~~~~~~~~~~~~~~~~ Microsoft was notified on 9 June 2003. They plan to fix this bug in a future service pack. Microsoft Knowledge Base(KB829493) [http://support.microsoft.com/default.aspx?scid=829493] Thanks: ~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Security Response Center Masaki Yamazaki (Japan GTSC Security Response Team) Youji Okuten (Japan GTSC Security Response Team) Similar vulnerability: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html] ------------------------------------------------------------- Eiji James Yoshida penetration technique research site E-mail: ptrs-ejy@bp.iij4u.or.jp URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm -------------------------------------------------------------