Bugtraq mailing list archives
Fwd: Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Tue, 19 Sep 2000 05:49:54 -0700
Hello there. Sorry to trouble you. We sent the following to bugtraq () securityfocus com 4 times yesterday afternoon (18th), however we did not receive your auto-notification of receipt for any of them. is it working? below illustrates that this exploit works in internet explorer 5.5 in ftp mode. Clicking on an ftp link in internet explorer (or redirecting via scripting or even meta tag refresh) converts IE5 into ftp mode, which if the *.dll is in the same directory as a word document on the ftp server, the *.dll executes. You don't have to download the *.dll and you don't have to use Windows Explorer. IE5.5. and probabaly all IE5's in ftp mode do this just fine. Also probably the majority of people have disengaged the 'confirm after download' for word documents, which means there is no warning to this at all. http://www.malware.com ----- Original Message ----- | Message-ID: <6677045.969323736278.JavaMail.imail () goochy excite com> | Date: Mon, 18 Sep 2000 17:35:36 -0700 (PDT) | From: "http-equiv () excite com" <http-equiv () excite com> | To: bugtraq () securityfocus com | Subject: Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases | | [resend because we are not getting the usual auto-confirmation of receipt] | | We're having good success executing this with Internet Explorer 5.5 in ftp | mode: | | ftp://123 () abcedf com/public/test/ohmy.doc | | (obviously not a working example), | | but linking that either to href or script takes you to the directory with | both the *.dll and *.doc -- the *.doc opens up and this is what we find: | | 1. The "hello world" message is executed | 2. The "starting or trying test.exe" message is executed | 3. DOS box comes up | 4. THEN the *.doc is downloaded and opened in Word | 5. THEN there are a series of memory errors and other errors related to | windows (?) | | A whole series of events and errors after the *.dll is executed. IE5.5 | patched to date. Win95 system. | | It can be negated by 'confirm open after download' for *.doc under view|file | types|word|-- this will bring up a download warning. Of course if you want | to attack your friend, send him a link to that plagerised essay he's been | nagging for, and install back orfice in his machine at the same time. He'll | be expecting the *.doc to download... | | | http://www.malware.com | | | | | | | | | | | _______________________________________________________ | Say Bye to Slow Internet! | http://www.home.com/xinbox/signup.html _______________________________________________________ Say Bye to Slow Internet! http://www.home.com/xinbox/signup.html
Current thread:
- Fwd: Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases http-equiv () excite com (Sep 20)
- <Possible follow-ups>
- Fwd: Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases Chip Andrews (Sep 21)