Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: Joxean Koret <joxeankoret () yahoo es>
Date: Fri, 23 Mar 2007 11:15:57 +0100 (CET)

Hi,

Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Regards,
Joxean Koret

Exploit:
Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking

for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would 
be beautiful), but I guess there
are several attack vectors.


                
______________________________________________ 
LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 
http://es.voice.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault