mailing list archives
Re: MSN Messenger is vulnerable to the shell: hole
From: "http-equiv () excite com" <1 () malware com>
Date: Sun, 11 Jul 2004 16:17:29 -0000
Ctrl+clicking a shell:windows\\notepad.exe link in Microsoft
Word 10.2627.3311 launches Notepad.
this can be very interesting. The same in Outlook 2003 both html
and rich text. Good thing the named temp file deposits were
As Andreas Sandblad mentioned the other day the assigned
application will open depending on the file extension.
In Outlook 2003
shell:foo.hta will open an empty Html Application window
shell: foo.chm will run hh.exe with an error
shell: foo.js will run Windows Scripting Host with an error
showing the full path where it is looking to run foo.js
shell: foo.eml completely screws up Outlook Express with a
series of errors
the idea then would be to run directly through the non-existent
file it is trying to open e.g:
either that, or get something into shell:foo.hta or try to
resurrect the named file in the temp. Lot of possibilities
including embeddeding the file directly into the mail message
and linking to it.
All needs to be thoroughly examined though. Which would be
unfortunate for the peculiar completely clueless few who think
that you just "flick" a switch and the fireworks begin.
Full-Disclosure - We believe in it.