Fwd: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Tue, 19 Sep 2000 05:49:54 -0700
Hello there. Sorry to trouble you. We sent the following to
bugtraq () securityfocus com 4 times yesterday afternoon (18th), however we did
not receive your auto-notification of receipt for any of them.
Is it working?
Below illustrates that this exploit works in Internet Explorer 5.5 in ftp
mode. Clicking on an ftp link in Internet Explorer (or redirecting via
scripting or even meta tag refresh) converts IE5 into ftp mode, which if the
*.dll is in the same directory as a word document on the ftp server, the
*.dll executes. You don't have to download the *.dll and you don't have to
use Windows Explorer. IE5.5 and probably all IE5's in ftp mode do this
just fine. Also probably the majority of people have disengaged the 'confirm
after download' for word documents, which means there is no warning to this
----- Original Message -----
| Message-ID: <6677045.969323736278.JavaMail.imail () goochy excite com>
| Date: Mon, 18 Sep 2000 17:35:36 -0700 (PDT)
| From: "http-equiv () excite com" <http-equiv () excite com>
| To: bugtraq () securityfocus com
| Subject: Re: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
| [resend because we are not getting the usual auto-confirmation of
| We're having good success executing this with Internet Explorer 5.5 in
| ftp://123 () abcedf com/public/test/ohmy.doc
| (obviously not a working example),
| but linking that either to href or script takes you to the directory with
| both the *.dll and *.doc -- the *.doc opens up and this is what we find:
| 1. The "hello world" message is executed
| 2. The "starting or trying test.exe" message is executed
| 3. DOS box comes up
| 4. THEN the *.doc is downloaded and opened in Word
| 5. THEN there are a series of memory errors and other errors related to
| windows (?)
| A whole series of events and errors after the *.dll is executed. IE5.5
| patched to date. Win95 system.
| It can be negated by 'confirm open after download' for *.doc under
| types|word|-- this will bring up a download warning. Of course if you
| to attack your friend, send him a link to that plagiarised essay he's been
| nagging for, and install Back Orifice in his machine at the same time.
| be expecting the *.doc to download...
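An added example, not part of the original posting: a defender can audit a file share or FTP mirror for the condition the message describes, a *.dll sitting in the same directory as a Word document. The function name, the extension sets and the sample paths (apart from ohmy.doc) are assumptions constructed for illustration.

```python
import posixpath
from collections import defaultdict

# Assumption: which extensions count as Office documents and as libraries.
DOC_EXTS = {".doc", ".dot", ".xls", ".ppt", ".rtf"}
LIB_EXTS = {".dll"}


def find_colocated_libraries(paths):
    """Return {directory: {"docs": [...], "libs": [...]}} for each directory
    holding at least one document AND at least one library."""
    by_dir = defaultdict(lambda: {"docs": [], "libs": []})
    for raw in paths:
        # Accept both Windows and FTP/Unix style separators.
        directory, name = posixpath.split(raw.replace("\\", "/"))
        # Extensions are matched case-insensitively (EXAMPLE.DLL == example.dll).
        ext = posixpath.splitext(name)[1].lower()
        if ext in DOC_EXTS:
            by_dir[directory]["docs"].append(name)
        elif ext in LIB_EXTS:
            by_dir[directory]["libs"].append(name)
    # A library alone or a document alone is not the pattern; keep only pairs.
    return {d: v for d, v in by_dir.items() if v["docs"] and v["libs"]}


# Constructed sample listing (not real data).
SAMPLE = [
    "public/test/ohmy.doc",
    "public/test/EXAMPLE.DLL",
    "public/reports/q3.doc",         # document only: not flagged
    "public/bin/tool.dll",           # library only: not flagged
    "public\\share\\notes.XLS",
    "public\\share\\helper.dll",
]

if __name__ == "__main__":
    for directory, hit in sorted(find_colocated_libraries(SAMPLE).items()):
        print(f"{directory}: docs={hit['docs']} libs={hit['libs']}")
```
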