Vulnerability Development mailing list archives
Re: Win 2000 & IE 'shell://' problem?
From: allgood () PHYSICS UCSC EDU (vamp)
Date: Tue, 30 May 2000 23:25:23 -0700
Doesn't happen with IE 5.00.2919.6307 on NT 4.0 Build 1381. On Tue, 30 May 2000, Stephen John wrote:
I found that IE 5 running Win 2000 accepts "shell://" as a legal protocol, and when any URL ie "shell://localhost" or just "shell://" is loaded IE crashes and brings explorer.exe down with it. I think this would cause a user who didnt know much to think that Win 2000 had crashed (of course killing the tasks iexplore.exe and explorer.exe then restarting explorer, will solve the problem). I don't think this is a huge security hole, but being able to crash explorer remotely is a security problem. This can be exploited via a <A href=shell://somehost>Kill explorer!></A> or if scripting is on, by embedding a onLoad="window.location='shell://localhost'" into the body tag. It takes about 5 seconds to crash IE/explorer, the IE window blinks a few times before the crash. I'm not sure what IE is trying to do here, but it is never sucsessful. I was able to reproduce this on 2 systems with Win 2000 Professional 5.00.2195, using IE 5.00.2920.0000. I tested this on a Win 98 Machine running IE 5.00.2919.6307 and I did not see this behavior. Also Netscape does not seem to recognize shell:// as a valid protocol. Could anyone see if this problem is occurs on other version of NT/IE, or maybe is there is a better way to exploit it? Stephen John Student University of Texas Webmaster http://www.securityauditor.com
^o^ Vampire ^o^ ^o^ "the inside of a computer is as dumb as hell, but it goes like mad!" --Richard Feynmann ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ email: allgood () physics ucsc edu Tele: (1) 831-251-0667 web: http://physics.ucsc.edu/~allgood/ snail mail: UCSC, Physics Dept. Santa Cruz, CA 95064 USA ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^
Current thread:
- Win 2000 & IE 'shell://' problem? Stephen John (May 30)
- Re: Win 2000 & IE 'shell://' problem? Tobias Paprotta aka friedbits (May 01)
- Re: Win 2000 & IE 'shell://' problem? Ilya (May 30)
- Re: Win 2000 & IE 'shell://' problem? vamp (May 30)
- <Possible follow-ups>
- Re: Win 2000 & IE 'shell://' problem? Silcock, Stephen (May 30)
- Re: Win 2000 & IE 'shell://' problem? Rob Beneson (May 30)
- Re: Win 2000 & IE 'shell://' problem? Walter Williams (May 31)
- Re: Win 2000 & IE 'shell://' problem? bacano (May 31)
- Re: Win 2000 & IE 'shell://' problem? Fernando Cardoso (May 31)
- Re: Win 2000 & IE 'shell://' problem? netsec [davidv] (May 31)
- Re: Win 2000 & IE 'shell://' problem? Matthew King (May 31)
- Re: Win 2000 & IE 'shell://' problem? Stephen John (May 31)
- Re: Win 2000 & IE 'shell://' problem? Rob Beneson (May 31)
- Re: Win 2000 & IE 'shell://' problem? Chris Hall (May 31)