Home page logo
/

bugtraq logo Bugtraq mailing list archives

Fwd: Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Tue, 19 Sep 2000 05:49:54 -0700

Hello there. Sorry to trouble you. We sent the following to
bugtraq () securityfocus com 4 times yesterday afternoon (18th), however we did
not receive your auto-notification of receipt for any of them.

is it working?

below illustrates that this exploit works in internet explorer 5.5 in ftp
mode. Clicking on an ftp link in internet explorer (or redirecting via
scripting or even meta tag refresh) converts IE5 into ftp mode, which if the
*.dll is in the same directory as a word document on the ftp server, the
*.dll executes. You don't have to download the *.dll and you don't have to
use Windows Explorer. IE5.5. and probabaly all IE5's in ftp mode do this
just fine. Also probably the majority of people have disengaged the 'confirm
after download' for word documents, which means there is no warning to this
at all.

http://www.malware.com

----- Original Message -----
|  Message-ID: <6677045.969323736278.JavaMail.imail () goochy excite com>
|  Date: Mon, 18 Sep 2000 17:35:36 -0700 (PDT)
|  From: "http-equiv () excite com" <http-equiv () excite com>
|  To: bugtraq () securityfocus com
|  Subject: Re: Double clicking on MS Office documents from Windows Explorer
mayexecute arbitrary programs in some cases
|
|  [resend because we are not getting the usual auto-confirmation of
receipt]
|
|  We're having good success executing this with Internet Explorer 5.5 in
ftp
|  mode:
|
|  ftp://123 () abcedf com/public/test/ohmy.doc
|
|  (obviously not a working example),
|
|  but linking that either to href or script takes you to the directory with
|  both the *.dll and *.doc -- the *.doc opens up and this is what we find:
|
|  1. The "hello world" message is executed
|  2. The "starting or trying test.exe" message is executed
|  3. DOS box comes up
|  4. THEN the *.doc is downloaded and opened in Word
|  5. THEN there are a series of memory errors and other errors related to
|  windows (?)
|
|  A whole series of events and errors after the *.dll is executed. IE5.5
|  patched to date. Win95 system.
|
|  It can be negated by 'confirm open after download' for *.doc under
view|file
|  types|word|-- this will bring up a download warning. Of course if you
want
|  to attack your friend, send him a link to that plagerised essay he's been
|  nagging for, and install back orfice in his machine at the same time.
He'll
|  be expecting the *.doc to download...
|
|
|  http://www.malware.com
|
|
|
|
|
|
|
|
|
|
|  _______________________________________________________
|  Say Bye to Slow Internet!
|  http://www.home.com/xinbox/signup.html





_______________________________________________________
Say Bye to Slow Internet!
http://www.home.com/xinbox/signup.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]