COMMAND
Internet Explorer
SYSTEMS AFFECTED
Windows '95, NT
PROBLEM
The following information comes from Cybersnot Industries, and the
credit for bringing this vulnerability to light is theirs. More info at:
http://www.cybersnot.com/iebug.html
This text is part of their "advisory".
Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
which allows web page writers to use ".LNK" and ".URL" files to
run programs on a remote computer. This bug is particularly
damaging because it uses NO ActiveX, and works even when Internet
Explorer is set to its highest security level. It was tested on
Microsoft Internet Explorer Version 3.0 (4.70.1155) running
Windows 95. For demo check address above.
.URL files are WORSE than .LNK files because .URLs work in both
Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95).
.URL files present a possibly greater danger because they can be
easily created by server side scripts to meet the specific
settings of a user's system. Cybersnot industries will provide
.URL files for execution in the next day or so.
The "shortcuts" can be set to be minimized during execution which
means that users may not even be aware that a program has been
started. Microsoft's implementation of shortcuts becomes a
serious concern if a webpage can tell Internet Explorer to
refresh to an executable. Or worse, client side scripts (Java,
JavaScript, or VBScript) can use the Explorer object to transfer
a BATCH file to the target machine and then META REFRESH to that
BATCH file to execute the rogue command in that file.
The following table outlines which areas and users each shortcut
type affects:
+------+---------+--------+---------+--------------+----------+
| File | Win '95 | Win NT | Execute | Command Line | Searches |
| Type |         |        | Apps    | Args Allowed | Path     |
|------+---------+--------+---------+--------------+----------|
| .lnk | Yes     | No     | Yes     | Yes          | No       |
|------+---------+--------+---------+--------------+----------|
| .url | Yes     | Yes    | Yes     | No           | Yes      |
+------+---------+--------+---------+--------------+----------+
Naturally, the files must exist on the remote machine to be
properly executed. But, Windows 95 comes with a variety of
potentially damaging programs which can easily be executed.
On the page above you can see a link that will start the standard
calculator which comes with Windows 95 (as .url and as .lnk).
This bug can be used to wreak havoc on a remote user's machine.
The following example (on page above) will show you how to create
and delete some directories. META REFRESH tag can be used to
execute multiple commands in sequence.
David M. Chess gave some basic technical details about it. Win95 keeps
desktop shortcuts in files with extension LNK; when you click on
such a file, Win95 runs the program (and the environment) that
the LNK file describes. URL files are the same sort of thing,
except the file has a slightly different syntax and semantics,
and they're passed to Internet Explorer (or whatever else your
installed URL.DLL uses) rather than being run by the Win95
desktop directly. Of course, since URL.DLL knows about URLs like
"file://format.com", they can be used to run local files, just as
LNKs do.
The trouble is, Internet Explorer treats LNK and URL files loaded
off the Net just as it does local ones; therefore by putting a
link to a LNK or URL onto a Web page, you can make any program on
the machine, or any URL you like (including "file:" ones) execute
when the user clicks. (Note that this is just Chess's current
impression of what's going on).
This bug was originally discovered by Paul Greene.
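The two vectors described above (a web page linking to, or META
REFRESHing to, a .lnk/.url file, and a .URL file whose target is a
"file:" URL naming a local program) can be checked for on the
defender's side. The following Python scanner is an added example
and is not code from Cybersnot Industries, David Chess or Microsoft.
It assumes the documented Windows .URL layout (an INI-style file with
an [InternetShortcut] section and a URL= key), which the advisory
only alludes to as a "slightly different syntax"; the HTML and .URL
samples embedded in it are constructed for the demonstration and use
the calculator the advisory itself mentions.

```python
"""Detection helpers for the IE 3.01 .LNK/.URL shortcut issue.

1. find_shortcut_links: flag <a href> and META REFRESH targets in an
   HTML page that end in .lnk or .url (the page-side vector).
2. classify_url_file: parse a .URL shortcut body and report whether
   its target uses the file: scheme, i.e. names a local file/program.

The .URL format ([InternetShortcut] / URL=) is assumed from the
documented Windows layout, not taken from the advisory text.
"""
import configparser
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTCUT_EXTENSIONS = (".lnk", ".url")


class _LinkCollector(HTMLParser):
    """Collect href targets and META REFRESH destinations from HTML."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # META REFRESH content looks like "0; URL=target"
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip("'\""))


def find_shortcut_links(html):
    """Return link/refresh targets in `html` whose path ends in .lnk or .url."""
    collector = _LinkCollector()
    collector.feed(html)
    return [t for t in collector.targets
            if urlparse(t).path.lower().endswith(SHORTCUT_EXTENSIONS)]


def classify_url_file(text):
    """Parse a .URL body; return (target, True if target is a file: URL).

    Malformed input (no INI section header) yields ("", False).
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return "", False
    target = parser.get("InternetShortcut", "URL", fallback="")
    return target, urlparse(target).scheme.lower() == "file"


# Constructed sample page: one ordinary link, one .lnk link and a
# META REFRESH to a .url file, mirroring the vectors in the advisory.
SAMPLE_HTML = """<html><body>
<a href="page.html">harmless page</a>
<a href="calc.lnk">calculator</a>
<meta http-equiv="refresh" content="0; URL=calc.url">
</body></html>"""

# Constructed sample .URL body pointing at the Windows 95 calculator.
SAMPLE_URL = "[InternetShortcut]\nURL=file://C:/WINDOWS/CALC.EXE\n"

if __name__ == "__main__":
    print("shortcut links:", find_shortcut_links(SAMPLE_HTML))
    print("URL file:", classify_url_file(SAMPLE_URL))
```

The HTML check is the one a proxy or content filter could apply to
pages before IE 3.01 rendered them; the .URL check is what a mail or
download gateway would run on the shortcut file itself. Both are
heuristics: a remote .lnk is opaque binary data and is only flagged by
its extension here, and a .url whose target is an http: URL is not
reported even though the advisory notes such files can be generated
server-side.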
SOLUTION
Fix is available. See
http://www.microsoft.com/ie
or, in more depth,
http://www.microsoft.com/ie/security/update.htm