New Exploit - should LnS cry out??

Discussion in 'LnS English Forum' started by tosbsas, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. tosbsas

    tosbsas Registered Member

    Feb 9, 2002
    Lima, Peru
    Windows XP Explorer Executes Arbitrary Code in Folders
    SecurityTracker Alert ID: 1008843    
    CVE Reference: GENERIC-MAP-NOMATCH
    Date: Jan 25 2004
    Impact: Execution of arbitrary code via network, User access via network
    Exploit Included: Yes
    Version(s): Windows XP Explorer
    Description: A vulnerability was reported in Microsoft Windows XP in Windows Explorer. A remote user can create a folder that, when viewed by the target user, will execute arbitrary code on the target user's system.

    http-equiv reported that a remote user can create a specially crafted 'folder' that includes HTML scripting code and a Windows executable ('.exe' file) containing arbitrary code. When a target user attempts to view the contents of the 'folder' (which may be considered an ostensibly safe task by many users), the arbitrary code will be automatically executed on the target user's computer by Windows Explorer. The code will run with the privileges of the target user.

    If the 'folder' is an HTML-based file, Windows Explorer (on XP) will execute the file when viewed, extracted, or opened. The scripting code can reference the executable contained in the 'folder', causing the executable to run.

    A demonstration exploit is available at:
    Impact: A remote user can cause arbitrary code to be executed on the target user's system.
    Solution: No solution was available at the time of this entry.
    Vendor URL: (Links to External Site)
    Cause: State error
    Underlying OS: Windows (XP)
    Reported By: "" <>
    Message History: None.
  2. gkweb

    gkweb Expert Firewall Tester

    Aug 29, 2003
    FRANCE, Rouen (76)
    If it is the browser which is mainly exploited, then LnS will say nothing, like all firewalls.
    If the exploit relies more on explorer.exe, then I think LnS will warn you that
    explorer tries to access the internet.

    It has always been advised, if possible, to block explorer.exe from accessing the network.
  3. FluxGFX

    FluxGFX Registered Member

    Jan 23, 2003
    Interesting, but this malware has no effect whatsoever, as it can't find Internet Explorer, which is funny... :) Internet Explorer does not exist on this system :) mouahaha
  4. Kevin_b_er

    Kevin_b_er Registered Member

    Dec 1, 2002
    Microsoft is so stupid, it makes me wonder sometimes...

    Here's the deal:

    Any file with the extension .folder is regarded as a directory/folder (the real kind)

    1. Thus, My Pics.folder is like a folder.

    2. By default, Windows hides file extensions, so it 'looks' like a directory

    3. MS also allows opening HTML directly in Explorer by overintegration with IE. MS also allows, through a well-documented exploit, a way to execute local exes with HTML.

    4. The HTML contained in this executes an exe contained within it, base64 encoded.

    In essence, 4 stupid things lead to exploit possibilities.

    Now, the fix:


    This is the registry key that allows .Folder files to be treated as folders. It's completely unrelated to how Explorer seems to treat regular directories. I see no point to it.....

    Also, multiple extensions can be associated with the same actions, and .Folder points to the same action as a real folder/directory.

    You can remove the (Default) key which is "Folder" from HKCR\.Folder

    The exploit is somewhat nullified at this point; attempts to open the .folder extension file will result in an error message saying that Windows doesn't know how to open the file.
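
The check and fix described in the post above (the (Default) value "Folder" under HKCR\.Folder), as an added example that is not part of the original thread: a PowerShell script that reports whether the mapping is present, optionally removes it after exporting a backup, and lists regular files carrying the .folder extension. The `-ScanPath` and `-Remediate` parameters and the backup file name are assumptions made for this example.

```powershell
# Added example (not from the thread). Report-only unless -Remediate is given.
param(
    [string]$ScanPath = $env:USERPROFILE,  # assumption: tree to check for *.folder files
    [switch]$Remediate
)

# 1. Is the .Folder extension still mapped to the real "Folder" class?
$hkcr    = [Microsoft.Win32.Registry]::ClassesRoot
$key     = $hkcr.OpenSubKey('.Folder')          # read-only handle; $null if absent
$default = if ($key) { $key.GetValue('') }      # '' names the (Default) value
if ($key) { $key.Close() }

if ($default -eq 'Folder') {
    Write-Warning 'HKCR\.Folder (Default) = "Folder": *.folder files open as folders.'
    if ($Remediate) {
        # Keep a copy so the change can be reverted with "reg import".
        $backup = Join-Path $env:TEMP 'hkcr-dot-folder-backup.reg'  # assumed file name
        & reg.exe export 'HKCR\.Folder' $backup /y | Out-Null
        $rw = $hkcr.OpenSubKey('.Folder', $true)  # writable; needs an elevated shell
        $rw.DeleteValue('')                       # removes only the (Default) value
        $rw.Close()
        Write-Output "Removed (Default) value. Backup: $backup"
    }
} else {
    Write-Output 'HKCR\.Folder is not mapped to "Folder" (value absent or already changed).'
}

# 2. List regular files that only look like folders because of the extension.
Get-ChildItem -LiteralPath $ScanPath -Recurse -File -Filter '*.folder' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.folder' } |
    Select-Object FullName, Length, LastWriteTime
```

A real directory never appears in the second listing because `-File` excludes directories, so every hit is a file relying on the extension mapping.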