Microsoft Windows 98/2000 Folder.htt Vulnerability
BID:1571
Info
Microsoft Windows 98/2000 Folder.htt Vulnerability
| Bugtraq ID: | 1571 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 15 2000 12:00AM |
| Updated: | Aug 15 2000 12:00AM |
| Credit: | Posted to bugtraq on July 14 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: |
Microsoft Windows 98SE Microsoft Windows 98 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
Microsoft Windows 98/2000 Folder.htt Vulnerability
In Windows 98 and 2000, a file called Folder.htt determines the way in which folders are displayed are web pages. This file can contain active scripting. If a user opens any folder while the option to view them as web pages is enabled (the default), any code in the Folder.htt file will be executed at the privilege level of the user. This is exploitable via local folders as well as remote UNC shares.
The problem is in the ShellDefView ActiveX control. This control is used to determine what action is taken on a selected file. To invoke the default action on a selected file, the InvokeVerb method is used with no parameters. The first file in the folder can be automatically selected by use of the FileList.focus method. Therefore, if a file is created that has a default open action of 'execute' (ie *.exe, *.bat etc) that will be first in the list (the default sort method is alphabetical, so for example 11111111.bat), it can be selected and run merely by opening the folder it resides in.
In Windows 98 and 2000, a file called Folder.htt determines the way in which folders are displayed are web pages. This file can contain active scripting. If a user opens any folder while the option to view them as web pages is enabled (the default), any code in the Folder.htt file will be executed at the privilege level of the user. This is exploitable via local folders as well as remote UNC shares.
The problem is in the ShellDefView ActiveX control. This control is used to determine what action is taken on a selected file. To invoke the default action on a selected file, the InvokeVerb method is used with no parameters. The first file in the folder can be automatically selected by use of the FileList.focus method. Therefore, if a file is created that has a default open action of 'execute' (ie *.exe, *.bat etc) that will be first in the list (the default sort method is alphabetical, so for example 11111111.bat), it can be selected and run merely by opening the folder it resides in.
Exploit / POC
Microsoft Windows 98/2000 Folder.htt Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
Microsoft Windows 98/2000 Folder.htt Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Microsoft Windows 98/2000 Folder.htt Vulnerability
References:
References: