SecurityTracker.com
SecurityTracker
Archives
Category:   OS (Microsoft)  >   Windows Explorer
Vendors:   Microsoft
Microsoft Windows Explorer 'webvw.dll' Input Validation Error Lets Remote Users Execute Arbitrary Scripting Code
SecurityTracker Alert ID:  1013761
SecurityTracker URL:  http://securitytracker.com/id/1013761
CVE Reference:   CVE-2005-1191   (Links to External Site)
Updated:  May 11 2005
Original Entry Date:  Apr 19 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2000
Description:   A vulnerability was reported in Microsoft Windows Explorer in 'webvw.dll'. A remote user can cause arbitrary scripting code to be executed when a file is selected in Windows Explorer.

The Web View preview pane does not properly filter a document author's name when displaying the name. In addition, names that resemble an e-mail address are converted into a 'mailto:' HTML link.

A remote user can create a document with a specially crafted author name that contains arbitrary scripting code. When the target user selects the file via Windows Explorer when in the Web View mode, the scripting code will be executed on the target user's system. The file itself does not need to be executed.

The scripting code will run in the Local Computer zone.

Windows classic folders are not affected.

A demonstration exploit author field value is provided:

a@b' style='background-image:url(javascript:alert("Successful injection!"))'

Some demonstration exploit examples are available at:

http://security.greymagic.com/security/advisories/gm015-ie/

The original advisory is available at:

http://www.greymagic.com/security/advisories/gm015-ie/

GreyMagic Security reported this vulnerability.

Impact:   A remote user can create a file that, when selected (but not necessarily executed) in Windows Explorer in Web View mode, will execute arbitrary scripting code in the Local Computer zone.
Solution:   No solution was available at the time of this entry.

As a workaround, the report indicates that you can disable the Web View by going to: Tools -> Folder Options -> Select 'Use Windows classic folders'.

Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 10 2005 (Vendor Issues Fix) Microsoft Windows Explorer 'webvw.dll' Input Validation Error Lets Remote Users Execute Arbitrary Scripting Code
Microsoft has issued a fix.
May 18 2005 (Centrex IP Client Manager is Affected) Microsoft Windows Explorer 'webvw.dll' Input Validation Error Lets Remote Users Execute Arbitrary Scripting Code
Nortel Centrex IP Client Manager is affected. Nortel plans to issue a fix shortly.



 Source Message Contents

Subject:  [VulnWatch] File Selection May Lead to Command Execution (GM#015-IE)


GreyMagic Security Advisory GM#015-IE
=====================================

By GreyMagic Software.
19 Apr 2005.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm015-ie/.

Topic: File Selection May Lead to Command Execution.

Discovery date: 18 Jan 2005.

Affected applications:
======================

* Windows Explorer on Windows 2000 Professional. 
* Windows Explorer on Windows 2000 Server. 
* Windows Explorer on Windows 2000 Advanced Server. 

Note that any other application that uses the Web View DLL under Windows
2000 is affected as well. 


Introduction:
=============

Windows Explorer is used to navigate through the Windows file system by
default. 

Windows Explorer includes a preview pane (Web view), which displays
information on some types of files when they become selected. The preview
pane is enabled by default on all Windows 2000 systems. 

The preview pane is implemented via an HTML resource file (in webvw.dll),
which examines the currently selected file, reads its metadata and displays
useful information about it. Such information includes the file's size,
attributes, modification date, author and more. 


Discussion: 
===========

When the preview pane outputs the document's author name, it checks whether
the name resembles an email address, and if so, transforms it into a
'mailto:' link in the pane. 

The transformation into a link does not filter potentially dangerous
characters and makes it possible to inject attributes into the link, which
enables execution of arbitrary script commands. 

Script commands that are injected in this manner will execute as soon as the
malicious file is selected in Windows Explorer and will be executed in a
trusted context, which means they will have the ability to perform any
action the currently logged on user can perform. This includes reading,
deleting and writing files, as well as executing arbitrary commands. 

Notice that the malicious file does not need to be executed in order to
activate the exploit; double-clicking is not required. The exploitation
takes place as soon as the file is selected.

The code below is an excerpt from one of the vulnerable resources. In this
instance 'safeData' has not been filtered properly, and may contain the
apostrophe (') character, allowing for attribute termination in the
resulting HTML: 

text += "<p>" + title + ": <a href='mailto:" + safeData + "'>" + safeData + "</a>";
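The defect quoted above (and the attribute injection the description section outlines), shown beside a hardened form as an added example modelled on the excerpt, not Microsoft's or GreyMagic's code; the function names, the escaping helper and the e-mail pattern are assumptions:

```javascript
// Added example: models the preview-pane logic the advisory describes.
// renderAuthorVulnerable mirrors the quoted excerpt's concatenation;
// renderAuthorSafe is a hardened version (assumed names, not vendor code).

// Mirrors the vulnerable excerpt: the author value goes straight into the
// href attribute and the link text, so an apostrophe ends the attribute
// and whatever follows becomes further attributes of the <a> element.
function renderAuthorVulnerable(title, safeData) {
  return "<p>" + title + ": <a href='mailto:" + safeData + "'>" + safeData + "</a>";
}

// HTML-escape the characters that can terminate an attribute or start a tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Strict shape check: only a plain e-mail address is ever turned into a
// link; anything else is displayed as escaped text with no link at all.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/;

function renderAuthorSafe(title, author) {
  const text = escapeHtml(author);
  if (!EMAIL_RE.test(author)) {
    return "<p>" + escapeHtml(title) + ": " + text;
  }
  return "<p>" + escapeHtml(title) + ": <a href='mailto:" + text + "'>" + text + "</a>";
}

// Constructed input: the author field value from the advisory.
const DEMO_AUTHOR =
  "a@b' style='background-image:url(javascript:alert(\"Successful injection!\"))'";

// Detection check for rendered output: true if the anchor carries an
// attribute the author string injected (the legitimate link has only href).
function hasInjectedStyleAttribute(html) {
  return /<a [^>]*\bstyle=/.test(html);
}
```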


Exploit: 
========

When setting the author field of a file (for example, a Word document) to
the following value: 

a@b' style='background-image:url(javascript:alert("Successful injection!"))'

Windows Explorer will display a message box as soon as the file is selected.

This vulnerability can also be exploited by directing the user to an
attacker-controlled SMB share; the user will then need to select the file in
order to activate the exploit.


Demonstration:
==============

GreyMagic has put together three proof-of-concept demonstrations:

* Simple: As shown in the exploit section, displays a simple message box
when selected.
* Copy me: Automatically copies itself to the same folder when selected. 
* Bo Selecta: Constantly renames itself when selected. 

They may be accessed at
http://security.greymagic.com/security/advisories/gm015-ie/


Solution: 
=========

Until a patch becomes available, disable the Web View by going to: Tools ->
Folder Options -> Select 'Use Windows classic folders'. 


Tested on: 
==========

Windows Explorer / Windows 2000 Professional. 
Windows Explorer / Windows 2000 Server. 
Windows Explorer / Windows 2000 Advanced Server. 


Disclaimer:
===========

The information in this security advisory and any of its demonstrations is
provided "as is" without warranty of any kind. 

Vulnerability details are provided strictly for educational and defensive
purposes.

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright (c) 2005 GreyMagic Software.
