|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: Internet Explorer & Explorer.exe Vendors: http://www.microsoft.com Versions: Windows Xp Professional & Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107 Patched With: Q330994; Q822925; Q828750; Q824145; Platforms: WindowsXp Bug: Internet Explorer Causing Explorer.exe - Null Pointer Crash Risk: Medium - D.O.S Exploitation: Remote with browser Date: 19 Mar 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@mail.com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== WindowsXp is currently the most common operating system in the world. This product must be as safe as it is common. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== Lately a new function was discovered : "shell:". This function allows running some new functions remotley. There is a bug in Explorer.exe when accessing a filename with double backslash. For Example accessing any of the html tags below, will cause explorer to crash. Or Or Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe Explorer.exe crashes when using "\\". "\" doesn't crash it and even %5C%5C doesn't crash it. There is a registery key which is turned on by default. This key automatically restarts "Explorer.exe". If this key is set to "0", Explorer.exe will not restart. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "AutoRestartShell"=dword:00000001 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== Or Or Paste at [Start Menu]-->[Run] --> shell:windows\\system32\\calc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Things that are unlikeable, are NOT impossible."