Microsoft Windows 98/2000 Folder.htt Vulnerability

In Windows 98 and 2000, a file called Folder.htt determines the way in which folders are displayed are web pages. This file can contain active scripting. If a user opens any folder while the option to view them as web pages is enabled (the default), any code in the Folder.htt file will be executed at the privilege level of the user. This is exploitable via local folders as well as remote UNC shares.

The problem is in the ShellDefView ActiveX control. This control is used to determine what action is taken on a selected file. To invoke the default action on a selected file, the InvokeVerb method is used with no parameters. The first file in the folder can be automatically selected by use of the FileList.focus method. Therefore, if a file is created that has a default open action of 'execute' (ie *.exe, *.bat etc) that will be first in the list (the default sort method is alphabetical, so for example 11111111.bat), it can be selected and run merely by opening the folder it resides in.


Privacy Statement
Copyright 2010, SecurityFocus