[NT] IE 'Folder View for FTP sites' Script Execution Vulnerability
From: support@securiteam.com
Date: 06/09/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 9 Jun 2002 20:39:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IE 'Folder View for FTP sites' Script Execution Vulnerability
------------------------------------------------------------------------
SUMMARY
Internet Explorer can be made to run malicious scripts and commands because
of a bug in its handling of the "Folder View for FTP sites" feature. When
both "Enable folder view for FTP sites" in IE's advanced settings and
"Enable Web content in folders" in Explorer's folder options are enabled, a
script embedded in an FTP server address can be made to execute. Both
options are set to "Enable" in the default installation.
DETAILS
Vulnerable systems:
* Internet Explorer version 5.5 SP1
* Internet Explorer version 5.5 SP2
* Internet Explorer version 6.0
The problem is in FTP.HTT ( %SystemRoot%\WEB\FTP.HTT ), the template invoked
by the 'folder view for FTP sites' feature.
--------------------FTP.HTT--------------------
35: <BASE href="%THISDIRPATH%\">
-----------------------------------------------
'%THISDIRPATH%' is not escaped before it is substituted into the href
attribute.
Example 1:
[ ftp://TARGET ]
'%THISDIRPATH%' = 'ftp://TARGET/'
<BASE href="ftp://TARGET/\">
            ~~~~~~~~~~~~~
Example 2:
[ ftp://"><script>alert("Exploit");</script> ]
'%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
<BASE href="ftp://"><script>alert("Exploit");</script>/\">
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
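The difference between Example 1 and Example 2, as an added example that is not part of the original advisory and not Microsoft's code: it expands the quoted template line with and without HTML-escaping the address, then parses the result to see which tags an HTML parser finds. The function names are hypothetical, and escaping before substitution is an assumed mitigation, not the vendor's fix.

```python
import html
from html.parser import HTMLParser

# Template line quoted in the advisory (FTP.HTT, line 35).
TEMPLATE = '<BASE href="%THISDIRPATH%\\">'

# Addresses from the advisory's Example 1 and Example 2.
BENIGN = "ftp://TARGET/"
HOSTILE = 'ftp://"><script>alert("Exploit");</script>/'


def expand_unescaped(this_dir_path):
    """Raw substitution, the behaviour the advisory describes."""
    return TEMPLATE.replace("%THISDIRPATH%", this_dir_path)


def expand_escaped(this_dir_path):
    """Assumed mitigation (not Microsoft's patch): escape &, <, > and quotes
    so the value cannot close the href attribute or open a new tag."""
    return TEMPLATE.replace("%THISDIRPATH%", html.escape(this_dir_path, quote=True))


class TagCollector(HTMLParser):
    """Records each start tag and its attributes as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, expand in (("unescaped", expand_unescaped), ("escaped", expand_escaped)):
        for address in (BENIGN, HOSTILE):
            markup = expand(address)
            print(f"{label:9} {markup}")
            print(f"{'':9} parsed tags: {tags_in(markup)}")
```

With the unescaped expansion the parser reports a separate script element for the Example 2 address; with escaping it reports a single BASE tag whose href decodes back to the full address.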
Exploit code:
<a
href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20"
target="_blank">Exploit</a>
Demonstration:
A demonstration page is available at:
<http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html>
A command execution page is available at:
<http://jscript.dk/Jumper/xploit/ftpfolderview.html>
Workaround:
Disable either the 'Enable folder view for FTP sites' IE advanced setting or
the 'Enable Web content in folders' Explorer folder option.
Vendor status:
Microsoft was notified on 21 December 2001.
ADDITIONAL INFORMATION
The information has been provided by Eiji James Yoshida
<zad***@geocities.co.jp> and Thor Larholm <Thor@jubii.dk>.