Home page logo

bugtraq logo Bugtraq mailing list archives

Re: IE4 Custom Folder
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Fri, 2 Oct 1998 08:59:33 -0400

At 02:25 PM 10/1/98 -0600, listuser () MAIL SEIFRIED ORG wrote:
---> Problem
Users with write access to a customized folder can replace the customized
folder settings inserting their own "evil" files to execute code.

I'd amend this to point out that users with write access to ANY directory
can possibly trojan ANY user with Active Desktop enabled.

I'm not 100% sure what you can change these settings to, to lock the
machine down, nor do I have any Windows95/98 machines to play on. The best
advice would be to disable active desktop which is dog slow anyways.
Impliment system policies, and distribute a custom version of MSIE 4.01
(via the IEAK) with this stuff turned off by default. In other words round
up the usuall suspects.

Under NT, you've got a few more options - you can use the file system
permissions to fix this - just create a desktop.ini file with nothing in
it, and give only admins the right to change it - administrators:F,
everyone:R ought to do it.  Also be sure that everyone doesn't have full
control on the parent directory.

This is somewhat annoying, as you are allowed to customize remote folders,
but there is no provision that I can see to keep users from conflicting
with one another.

In fact, the only safe work-around I see for this one is to pre-create the
desktop.ini files for _all_ public shared directories, and set the ACL on
it.  Obviously, using the command line to deal with directories will keep
you safe from this.  IMHO, asking everyone to disable active desktop won't
be effective.

Tightening the security settings for the local zone would also be useful.

With respect to disabling this attack on Win95, your only options are (in
personal order of preference):

1) Install NT, precreate desktop.ini files and lock them down
2) Don't share anything
3) Disable active desktop

I'd urge people not to dismiss this attack, as it would be fairly easy to
use it to install all sorts of interesting trojans.

I think the fix I'd like to see out of MS for this would be to not display
any customization for any remote file system.  This also gets a little
interesting with NT 5.0 having the capability to mount a remote file system
and map it to a directory which appears to be local.  Another possible fix
would be to give me the option of disabling customized directory display
without disabling the desktop (which is basically how I prefer to use it).

David LeBlanc
dleblanc () mindspring com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]