ADVISORY: Windows Shell Overflow

From: Marc Maiffret (marc@EEYE.COM)
Date: 03/12/02

Date:         Mon, 11 Mar 2002 18:32:49 -0800
From: Marc Maiffret <marc@EEYE.COM>

Windows Shell Overflow

Release Date:
March 8, 2002


Systems Affected:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000

There is a buffer overflow vulnerability within the Windows Shell that can
lead to execution of malicious code. The vulnerability lies in how the
Windows Shell handles URLs whose registered handler points to a program
that does not exist.

The Windows Shell exposes functionality that lets developers register their
own custom URL handlers. Programs such as ICQ, AIM, MS Conference, mIRC,
Windows Media Player and Outlook/Outlook Express install their own custom
URL handlers so that data can be passed from a URL to a program.

So, for example, we could register a custom URL handler called "eeye"; any
time someone requested eeye://data, the data would be passed to whatever
program was registered to handle the eeye URL scheme.

The problem arises when a URL handler has been mapped, in the system
registry, to a program that does not exist.

For example, AOL Instant Messenger registers a URL handler at
HKEY_CLASSES_ROOT\aim. What marks aim as a URL handler, rather than an
ordinary file class, is the presence of the "URL Protocol" value under that
key; that value tells the Windows Shell that aim is a URL scheme.

By enumerating the registry for keys carrying the "URL Protocol" value we
can determine all of the installed URL handlers.

Next we identify a URL handler that is installed yet mapped to a
non-existent program.

The mapping for a URL handler is stored at
HKEY_CLASSES_ROOT\urlhandler\shell\open\command; the executable named in
that key's (Default) value is the program launched to handle that URL scheme.
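The enumeration just described (keys carrying a "URL Protocol" value, then
the (Default) of each key's shell\open\command) is exactly what an
administrator should audit for handlers whose program has gone missing. The
script below is an added example written for this page, not eEye's or
Microsoft's code: it parses a registry export of the kind produced by
`reg export HKEY_CLASSES_ROOT`, extracts the handler executable from each
command line and reports schemes whose program is not on disk. The .reg
excerpt embedded in it is constructed, the AIM and "eeye" install paths in
it are illustrative, and only quoted REG_SZ command values are decoded
(REG_EXPAND_SZ commands stored as hex(2) are skipped rather than guessed at).

```python
"""Audit a registry export for URL protocol handlers whose command points at a
program that is no longer on disk.  Added example, not eEye's or Microsoft's code.
Real use:  reg export HKEY_CLASSES_ROOT hkcr.reg   then   python audit.py hkcr.reg"""
import os
import re
import sys

# Constructed .reg excerpt standing in for a real `reg export` of HKCR; the
# install paths (AIM95, C:\eeye) are illustrative, not taken from real products.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\aim]
@="URL:AIM Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\aim\shell\open\command]
@="\"C:\\Program Files\\AIM95\\aim.exe\" \"%1\""

[HKEY_CLASSES_ROOT\eeye]
@="URL:eeye Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\eeye\shell\open\command]
@="C:\\eeye\\handler.exe %1"

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\WINNT\\system32\\msimn.exe\" /mailurl:%1"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """.reg text -> {key path (lowercased): {value name: data}}; the (Default)
    value is stored as '@'.  Quoted REG_SZ data is unescaped, hex(...) kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if name != '@':
                name = re.sub(r'\\(.)', r'\1', name[1:-1])   # undo \" and \\ escapes
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys

def find_url_handlers(keys):
    """Enumerate as the advisory does: a key carrying a "URL Protocol" value is a
    scheme.  Returns {scheme: shell\open\command default}, skipping handlers with
    no command or with a hex(2) (REG_EXPAND_SZ) command this parser does not decode."""
    handlers = {}
    for path, values in keys.items():
        if 'URL Protocol' in values:
            cmd = keys.get(path + r'\shell\open\command', {}).get('@', '')
            if cmd and not cmd.startswith('hex'):
                handlers[path.rsplit('\\', 1)[-1]] = cmd
    return handlers

def executable_from_command(command, env=None):
    """Program a shell\open\command line launches: a quoted first token taken
    whole, else the first whitespace-delimited token; %VAR% expanded from env."""
    env = os.environ if env is None else env
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        exe = command.split(None, 1)[0] if command else ''
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1), m.group(0)), exe)

def find_dangling_handlers(keys, exists=os.path.exists, env=None):
    """Sorted [(scheme, exe)] for handlers whose program is missing.  `exists`
    is injectable so a dump taken from another machine can be checked offline."""
    dangling = []
    for scheme, cmd in sorted(find_url_handlers(keys).items()):
        exe = executable_from_command(cmd, env)
        if not exists(exe):
            dangling.append((scheme, exe))
    return dangling

if __name__ == '__main__':
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], 'rb').read()   # reg export writes UTF-16LE with a BOM
        text = raw.decode('utf-16') if raw.startswith(b'\xff\xfe') else raw.decode('latin-1')
        hits = find_dangling_handlers(parse_reg(text))
    else:
        # Self-test on the sample with a constructed filesystem view in which only
        # the AIM and Outlook Express programs are present.
        present = {r'C:\Program Files\AIM95\aim.exe', r'C:\WINNT\system32\msimn.exe'}
        hits = find_dangling_handlers(parse_reg(SAMPLE_REG), present.__contains__)
    for scheme, exe in hits:
        print('%s:// is registered but its handler program %s is missing' % (scheme, exe))
```

Run with no arguments it checks the embedded sample against the constructed
filesystem view and reports the dangling eeye:// handler; given the path of
a real export it checks the local filesystem instead. Any scheme it reports
is one the shell will route through the code path this advisory describes,
so removing the stale mapping closes the reachable condition on that machine
while the Microsoft patch fixes the underlying overflow.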

As stated, the vulnerability is within the Windows Shell code that handles
URLs whose registered handler points to a non-existent program.

So if the AIM handler (HKEY_CLASSES_ROOT\aim\shell\open\command) pointed to
a file that did not exist, then that URL handler could be exploited via a
buffer overflow in the data passed to it.

For example: aim://overflow
where "overflow" is roughly 324 bytes. At that point we control EIP, and
with it the flow of execution within the program, which means we can make
the victim execute any code we wish.

It is important to be clear that there is no problem within AIM or the URL
handler program itself. The flaw lies in vulnerable code within the
Microsoft Windows Shell.

Reasons for a URL handler becoming exploitable include: a program is
uninstalled and the uninstaller does not cleanly remove the mapping from the
registry, or a user deletes the program folder, which leaves the URL mapping
pointing to an invalid file.

On a default installation of Windows the buffer overflow exists, but it
cannot be exploited because no default URL handler points to a file that
doesn't exist. However, over time, as programs are installed and removed, a
system will become vulnerable.

This is a local vulnerability, but because of the integrated nature of
Windows it is possible to exploit it remotely using any program that
supports URLs. For example, we could place the attack URL in an Outlook
e-mail, or put it in an "evil web page" and get users to visit that page.
There are many different ways to make a remote system process these "evil
URLs" in order to gain control of it.

When you exploit this vulnerability, locally or remotely, your code executes
with the permissions of the user being attacked. So if the user who triggers
this evil URL is Administrator, your attack code runs as Administrator.

Whether a given system is exploitable depends on several factors, but we
still encourage users to install the Microsoft patch as soon as possible.

Vendor Status:
Microsoft has released a patch and security bulletin which is located at:

CVE ID: CAN-2002-0070
This is a candidate for inclusion in the CVE list which
standardizes names for security problems.

Marc Maiffret

Related Links:

Mr. Self Destruct and his Lollipop

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail for

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security