Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: Joxean Koret <joxeankoret () yahoo es>
Date: Fri, 23 Mar 2007 11:15:57 +0100 (CET)


Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Joxean Koret

Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking

for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would 
be beautiful), but I guess there
are several attack vectors.

LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]