Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: What about M$ in the shell: race
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Fri, 9 Jul 2004 11:56:49 -0500


I'm not tryiny to take any credit for it. Keith McCanless and I where
working on it at the same time ane he submitted to Mozilla 2 hours before I
did yesterday morning. We have shared a lot of ideas and research on the

No I didn't just grab someones research. Keith and I took the same approach.
This acutally started last week when Jessica sent the IE active-X stuff to
me and I look at an older Buqtraq post and saw the shell: code that was used
with double backslashes in IE. 
I run mozilla now so I started looking at the code and playing with
different variants in the lab.

I noticed that it worked in Mozilla on the 7th but I din't think about
sending it to Mozilla becuase at first I didn't think it was a big deal. But
it started a lot of intrest in FD so I submitted it just after Keith.

If you follow my first posts in FD you will see that my first intrest was
purely in the background of the shell: command and how it works and the
behaviors involved.

But I guess to answer the question: 
No- I didn't just see an advisory from someone and start making posts like I
found it. I worked with the other researchers on this.

I don't care if someone mentions my name in an advisory. Maybe I would if I
was trying to get a job or something but like you I work for the corporate
world and was just doing some research.

Read his advisory:

MOZILLA will open/execute a file when navigated to a valid SHELL-protocol
greetingz fly to perrymonj


-----Original Message-----
From: daniel uriah clemens
To: Perrymon, Josh L.
Cc: packet-ninjas () birmingham-infragard org;
full-disclosure () lists netsys com;
birmingham-infragard () birmingham-infragard org
Sent: 7/9/2004 6:33 AM
Subject: Re: [Full-disclosure] What about M$ in the shell: race


This is no way a shaming email,but hopefully a playful question in hopes
to find out what might be miscommunicated as a reader on multiple
mailing lists.

snip from your website>

I think the research over the past couple days proves that M$ just isn't
cutting it these days with their security response to vulnerabilities.
Wasn't it just the other day whn Bill Gates said that they have 1000's
consultants ready to patch systems and it STILL takes them weeks to
a simple hole. I understand that M$ has to deal with the underlying OS
with that many people shouldn't they turn patches out a little faster?
I mean, come on.. I worked with the Mozilla guys and was REALLY
with the turn-around on the patch. It's wasn't real elaborate to correct
the issue but it was done in a matter of hours.

The shell: issue is all over Full-disclosure and slashdot but I have yet
to see a public response from M$ on the issue.

I hope this helps Mozilla gain some market share because it's where
browsing and security models should move in the future in my opinion-

----------end Rant---------------

M$ IE6 shell: vuln tested on fully patched XP SP1 box in VWmare lab


shell:windows\system32\narrator.exe <- This is my favorite one :) This
will freak someone out when the PC talks to them.

I guess the good side to this is that IS asks the user to open the file
save is clicked from an anchor but not when using the shell command.
test <- this calls cmd.exe using an anchor tag

I understand the disclosure process but what can you do if they don't
respond. This isn't a canned script kiddie exploit it's research. And
should be available to anyone that is interested.


I got 99 problems but Mozilla isn't one :)


What reasearch did you perform to find this hole or did you simply
what 'liu die yu' posted to full disclosure earlier this week.


Just for clarification's sake did you find this vulnerability through
extensive research or did you repost someone elses vulnerability to
mailing list in the world and then posted that the media picked up on it

If it was research , what methodical approach did you take to
find this vulnerability so we can all share in the fun of bugtracking or
was this research in the stance that you are evaluating the existence of
current bug already disclosed within your lab.

What it sounds like what you have been saying the past few day is simply
' this bug exists, I confirmed it exists, and I have repeated the work
another and this bug is fairly huge', but I can see how others could
misinterpret this to say that you where the original bug-tracker.

I understand the disclosure process but what can you do if they don't
respond. This isn't a canned script kiddie exploit it's research. And
should be available to anyone that is interested.

I am must trying to clarify whether or not you said this was research on
your part to discover the bug, OR to simply test for the bug's existence
from what was posted from Liu Die Yu earlier this week.


IE will execute the shell: command locally but prompts the user to
open /
save the file if used with an anchor.
But what is this was used with another IE exploit that may not have
privs but ran shell: locally-

wouldn't that have system privs then or would that run under the

Interesting so far-

Hopefully this will help the effort to promote open source standards
to move
away from M$ web monopoly.
Until then I will just uses BBS's-- hehehehehehe

Anyone up for a good game of Tradewars ;)

Once again I am merely trying to clarify allot of what you have been
posting the last few days.

-Daniel Uriah Clemens
Esse quam videra
                (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
                      { o)2059686335             c)2055676850 }

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]