Title:

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

Date:

8 October 2003 (Last modified: 03 April, 2005)

Author:

Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
penetration technique research site [Advisories]

Vulnerable:

Windows Server 2003 (Internet Explorer 6.0)

MSKB:

KB829493 [Japanese version only]

Bugtraq ID:

7826

Patch:

Windows Server 2003 Service Pack 1

Overview:

Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories.
Through this vulnerability a remote attacker is able to learn the path of the %USERPROFILE% folder without guessing the target user name.

ex.) %USERPROFILE% = "C:\Documents and Settings\%USERNAME%"

Details:

Windows Server 2003 allows a remote attacker to traverse "Shell Folders" directories and access arbitrary files via "shell:[Shell Folders]\..\" in a malicious link.

[Shell Folders]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 AppData: "C:\Documents and Settings\%USERNAME%\Application Data"
 Cookies: "C:\Documents and Settings\%USERNAME%\Cookies"
 Desktop: "C:\Documents and Settings\%USERNAME%\Desktop"
 Favorites: "C:\Documents and Settings\%USERNAME%\Favorites"
 NetHood: "C:\Documents and Settings\%USERNAME%\NetHood"
 Personal: "C:\Documents and Settings\%USERNAME%\My Documents"
 PrintHood: "C:\Documents and Settings\%USERNAME%\PrintHood"
 Recent: "C:\Documents and Settings\%USERNAME%\Recent"
 SendTo: "C:\Documents and Settings\%USERNAME%\SendTo"
 Start Menu: "C:\Documents and Settings\%USERNAME%\Start Menu"
 Templates: "C:\Documents and Settings\%USERNAME%\Templates"
 Programs: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs"
 Startup: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup"
 Local Settings: "C:\Documents and Settings\%USERNAME%\Local Settings"
 Local AppData: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"
 Cache: "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files"
 History: "C:\Documents and Settings\%USERNAME%\Local Settings\History"
 My Pictures: "C:\Documents and Settings\%USERNAME%\My Documents\My Pictures"
 Fonts: "C:\WINDOWS\Fonts"
 My Music: "C:\Documents and Settings\%USERNAME%\My Documents\My Music"
 My Video: "C:\Documents and Settings\%USERNAME%\My Documents\My Videos"
 CD Burning: "C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\CD Burning"
 Administrative Tools: "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Administrative Tools"

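A defender-side check for the link pattern described above, added here as an example (it is not the advisory's exploit code): a content filter that flags shell: links whose path escapes one of the Shell Folders listed above through a ".." component, including percent-encoded forms. The HTML sample is constructed for the demonstration.

```python
import re
from urllib.parse import unquote
from html.parser import HTMLParser

# Folder names taken from the advisory's [Shell Folders] registry listing.
SHELL_FOLDERS = {
    "appdata", "cookies", "desktop", "favorites", "nethood", "personal",
    "printhood", "recent", "sendto", "start menu", "templates", "programs",
    "startup", "local settings", "local appdata", "cache", "history",
    "my pictures", "fonts", "my music", "my video", "cd burning",
    "administrative tools",
}

# shell:<folder><sep> ... <sep>..<sep-or-end>, either separator, any case.
_TRAVERSAL = re.compile(
    r"^shell:\s*([^\\/]+?)\s*[\\/](?:.*[\\/])?\.\.(?:[\\/]|$)", re.IGNORECASE)

def is_shell_traversal(url):
    """Return the lower-cased folder name if url is a shell: link that climbs
    out of its folder with '..', otherwise None."""
    decoded = unquote(url.strip())          # catch %5C / %2E encodings too
    m = _TRAVERSAL.match(decoded)
    return m.group(1).strip().lower() if m else None

class _LinkCollector(HTMLParser):
    """Collects every href/src/action attribute value in a page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in ("href", "src", "action") and value:
                self.links.append(value)

def find_shell_traversal_links(html):
    """Return (url, folder, known) for each traversing shell: link, where
    known says whether the folder is one from the advisory's list."""
    p = _LinkCollector()
    p.feed(html)
    hits = []
    for u in p.links:
        folder = is_shell_traversal(u)
        if folder is not None:
            hits.append((u, folder, folder in SHELL_FOLDERS))
    return hits

# Constructed sample page (not from the advisory) for the demonstration.
SAMPLE_HTML = """
<a href="shell:Favorites\\..\\..\\example.txt">traversing link</a>
<a href="shell:Cookies">plain shell folder link</a>
<a href="http://example.invalid/page">ordinary link</a>
<a href="shell:Personal%5C..%5Cnote.txt">percent-encoded traversal</a>
"""

if __name__ == "__main__":
    for url, folder, known in find_shell_traversal_links(SAMPLE_HTML):
        print("flagged:", url, "(folder:", folder, "known:", known, ")")
```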
Exploit code:

**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the malicious link.
**************************************************

Malicious link: Exploit


Workaround:

None.

Vendor status:

Microsoft was notified on 9 June 2003.
They plan to fix this bug in a future service pack.
(This bug was corrected in Windows Server 2003 Service Pack 1.)

Microsoft Knowledge Base (KB829493) [Japanese version only]

Thanks:

Microsoft Security Response Center
Masaki Yamazaki (Japan GTSC Security Response Team)
Youji Okuten (Japan GTSC Security Response Team)

Similar vulnerability:

Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability

Copyright (c) 2005 Eiji James Yoshida. All rights reserved.