RE: MicroSopht IE (on XPee only) launches messenger by callto:gates or outlook by outlook:calendar protocols

["KM" <common () mccanless us>]

I pointed out the use of the Outlook: protocol in
http://seclists.org/lists/fulldisclosure/2004/Jul/0460.html.  I have yet to
find a way that it can be exploited.

 

As for the Callto: protocol, that is one of many registered URL types.  If
you look in Folder Options > File Types you will see a list of the
registered URL types.  Such as tn3270, telnet, LDAP, rlogin etc.  Again, no
obvious way to exploit these.  One trick I found interesting but not
exploitable to my knowledge other than confusing the hell out of a web user
is to put a tn3270 or rlogin link in an href like "<a href=tn3270:servername
33033>a link</a>.  Then run Netcat with the following command on the server
"nc -l -p 33033 < hamlet.txt".  It will cause a telnet window to open on the
user's system and the entire text of hamlet (or whatever you choose even
binaries) to scroll across the screen.  

 

Other than using these tricks to fool users into doing some thing stupid I
don't know of any way to exploit any of these.

  _____  

From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Good One
Sent: Saturday, July 10, 2004 5:25 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] MicroSopht IE (on XPee only) launches messenger
by callto:gates or outlook by outlook:calendar protocols

 

Micro$opht IE (on XPee only) launches messenger by callto:gates or outlook
by outlook:calendar protocols

 

For outlook there exists a wide range of other shorcuts as well. Just verify
left pane of outlook shortcuts ...

 

try to open iframe with any of those protocols and you will get outlook open
(or at least wizard to configure it will be called).

 

-SomeMan

  _____  

 <http://uk.rd.yahoo.com/evt=21626/*http:/uk.messenger.yahoo.com> ALL-NEW
Yahoo! Messenger - sooooo many all-new ways to express yourself