[Fwd: Re: IE4 Custom Folder]

[hans () INTERNETSAT COM (Hans Waasdorp)]

Howdy all

A little addy: It works also in MSIE 5.0 Preview Release =)

-=[DynaMite]=-
--


                                      \\|//
                         _________ooO_(o"o)_OoO________
                        |              (_)             |
                        | Dad always thought laughter  |
 Hans Waasdorp          | was the best medicine, which |
 SysAdmin/Developer     | I guess is why several of us |
 Milcap Media Group SL  |   died of tuberculosis       |
                        |_________oooO_____Oooo________|
 hans () milcap com                  (  )/| | ( ,)
 http://195.10.26.93               \_) | | (_/  -=[DynaMite]=-
______________________________________\|w|,___________________


Marc wrote:
>                                   /------------------\
>                                    / eEye Security Team \
>                                  \--------------------/
>                                   \   www.eEye.com   /
>                                    ------------------
>                                              IE4 Custom Folders
>
> ---> Systems Affected
> Win9X/NT IE4.0 Customized Folders
>
> ---> Release Date
> October, 1 1998
>
> ---> Advisory Code
> IE4CustomFolders01
>
> ---> Problem
> Users with write access to a customized folder can replace the customized
> folder settings inserting their own "evil" files to execute code. This could
> be used to simply make a folder not viewable from inside a GUI view or on a
> potentially more dangerous note, execute code via activex controls. In the
> past having write access to a folder was a bad thing but still the most that
> could be done was replace an exe with a trojaned exe in hopes that the user
> runs the program. Now you can execute code when the user simply views a
> folder. Its common when you are doing security audits of NT networks to find
> remote systems with shared folders. Most of the time the shared folder's
> password is trivial to break or there is no password at all. We tested this
> hole on a Windows95 system with IE4.0 and a customized folder and IE
> security settings on high. It will most defiantly work on Windows98 because
> well IE4.0 is Windows98 heheh. As of releasing this advisory we have not
> tested NT systems but its a good bet it will work. Basically what happens
> when you customize a folder is two files are created, desktop.ini and a
> folder.htt. Folder.htt is the file that holds the HTML code to be displayed
> in the folders window when opened. We insert HTML code for an evil activex
> control inside folder.htt. When the user opens the folder the HTML code is
> read and the ocx is loaded. The ocx could share drive c to everyone or
> whatever. Check out the attached nerd.zip for an example that runs an exe
> which displays a funny little message.
>
> On a side note: To reproduce this for testing purposes create a folder then
> go to view, customize this folder. Then once your done unzip nerd.zip into
> the folder, close the window and reopen it. Should not be too hard to figure
> out. Also, the zip file has extra files that are not really essential to
> getting the code executed... yes, lazy is the word hehe.
>
> --------------------
> Marc
> marc () eEye com
> eEye Security Team
> http://www.eEye.com
> --------------------
>
> P.S.
> Viking/1.04 httpd, can be DoS'd by sending HEAD /(nice big string here)/
> HTTP/1.0.
> Viking isn't a major httpd but there might be the one or two out there using
> it.
>
>   --------------------------------------------------------------------------------
>                Name: nerd.zip
>    nerd.zip    Type: Zip Compressed Data (application/x-zip-compressed)
>            Encoding: base64