/------------------\
/ eEye Security Team \
\--------------------/
\ www.eEye.com /
------------------

IE4 Custom Folders

---> Systems Affected
Win9X/NT IE4.0 Customized Folders

---> Release Date
October 1, 1998

---> Advisory Code
IE4CustomFolders01

---> Problem
Users with write access to a customized folder can replace the customized folder settings, inserting their own "evil" files to execute code. This could be used simply to make a folder not viewable from inside a GUI view or, on a potentially more dangerous note, to execute code via ActiveX controls.

In the past, having write access to a folder was a bad thing, but still the most that could be done was to replace an exe with a trojaned exe in the hope that the user runs the program. Now you can execute code when the user simply views a folder.

It's common when doing security audits of NT networks to find remote systems with shared folders. Most of the time the shared folder's password is trivial to break, or there is no password at all.

We tested this hole on a Windows95 system with IE4.0, a customized folder, and IE security settings on high. It will most definitely work on Windows98 because, well, IE4.0 is Windows98 heheh. As of releasing this advisory we have not tested NT systems, but it's a good bet it will work.

Basically, what happens when you customize a folder is that two files are created: desktop.ini and folder.htt. Folder.htt is the file that holds the HTML code to be displayed in the folder's window when it is opened. We insert HTML code for an evil ActiveX control inside folder.htt. When the user opens the folder, the HTML code is read and the ocx is loaded. The ocx could share drive C to everyone, or whatever. Check out the attached nerd.zip for an example that runs an exe which displays a funny little message.

On a side note: to reproduce this for testing purposes, create a folder, then go to View, Customize this Folder. Then, once you're done, unzip nerd.zip into the folder, close the window and reopen it. Should not be too hard to figure out. Also, the zip file has extra files that are not really essential to getting the code executed... yes, lazy is the word hehe.

--------------------
Marc
marc@eEye.com
eEye Security Team
http://www.eEye.com
--------------------

P.S. Viking/1.04 httpd can be DoS'd by sending "HEAD /(nice big string here)/ HTTP/1.0". Viking isn't a major httpd, but there might be the one or two out there using it.
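Added example (not part of the eEye advisory or its nerd.zip): a defender-side audit script for the folder.htt / desktop.ini mechanism described above. It walks a locally mounted share, reports every customized-folder file it finds, and flags ActiveX <object> tags and script blocks in folder.htt; the regexes, the .htt-reference heuristic for desktop.ini, and the sample files it scans are assumptions constructed here, not something the advisory specifies.

```python
import os
import re
import tempfile
from pathlib import Path

# File names the advisory says "Customize this folder" creates.
CUSTOM_FOLDER_FILES = ("desktop.ini", "folder.htt")

# Markup in folder.htt that makes the folder view load code when it is opened.
OBJECT_RE = re.compile(r"<object\b[^>]*\bclassid\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)
# Heuristic for desktop.ini: any value that points at an .htt template (assumption).
HTT_REF_RE = re.compile(r"[^\s=]+\.htt\b", re.I)

def scan_folder_template(text):
    """Findings for one folder.htt body: each ActiveX object's classid, plus any script block."""
    findings = [("activex-object", m.group(1)) for m in OBJECT_RE.finditer(text)]
    if SCRIPT_RE.search(text):
        findings.append(("script-block", ""))
    return findings

def scan_desktop_ini(text):
    """Findings for one desktop.ini body: every reference to an .htt template."""
    return [("htt-reference", m.group(0)) for m in HTT_REF_RE.finditer(text)]

def scan_share(root):
    """Walk a locally mounted share; map each customized-folder file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}  # file names are case-insensitive on Windows shares
        for wanted in CUSTOM_FOLDER_FILES:
            if wanted in lower:
                path = Path(dirpath) / lower[wanted]
                text = path.read_text(errors="replace")
                scan = scan_folder_template if wanted == "folder.htt" else scan_desktop_ini
                report[os.path.relpath(path, root).replace(os.sep, "/")] = scan(text)
    return report

# Constructed sample: a customized folder whose template embeds a placeholder ActiveX object.
SAMPLE_INI = "[.ShellClassInfo]\nPersistMoniker=file://Folder.htt\n"
SAMPLE_HTT = ('<html><body>\n<object classid="clsid:PLACEHOLDER-CLSID" id="ctl"></object>\n'
              "<script language=\"VBScript\">' constructed sample script</script>\n</body></html>\n")

def demo():
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "shared"
        shared.mkdir()
        (shared / "desktop.ini").write_text(SAMPLE_INI)
        (shared / "Folder.htt").write_text(SAMPLE_HTT)
        (shared / "readme.txt").write_text("plain file, ignored\n")
        return scan_share(tmp)

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings or "no active content")
```

On a real audit, point scan_share at the mount point of each share found writable and treat any activex-object or script-block finding in a folder.htt as something to inspect by hand.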