Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: "Kingcope" <kingcope () gmx net>
Date: Fri, 23 Mar 2007 11:32:07 +0100

Hello,

I just tested it with UNC paths,
and yes this works too, but you have to
press on the yes button when it asks because
the file is not authorized (it comes from remote).
After pressing Yes one time it gets executed.
Normally Windows Mail does not execute
exe or other executable files, now it does :-)


Thank you for this nice idea Joxean Koret.



Regards,

kcope

----- Original Message ----- 
From: "Joxean Koret" <joxeankoret () yahoo es>
To: <full-disclosure () lists grok org uk>; <kingcope () gmx net>
Sent: Friday, March 23, 2007 11:15 AM
Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client 
Side Code Execution Vulnerability


Hi,

Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Regards,
Joxean Koret

Exploit:
Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking

for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would
be beautiful), but I guess there
are several attack vectors.



______________________________________________
LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]