More fun with html mail: Outlook Express, Internet Explorer, Other etc

["http-equiv () excite com" <http-equiv () malware com>]

Sunday, April 14, 2002

1. Not Possible

Technically it cannot be possible to create an html mail message from 
a mailto url scheme without user input. However shoe-horning html in 
through insertion of script tags does make it possible. Default 
installation of Outlook Express and probably Outlook, is 'mail 
sending format: html':

<a href="mailto: freak () bloatedcorp com
?cc=contest () bloatedcorp com
&subject=Million Dollar Contest
&body=<script></script>
<iframe src=http://www.malware.com&apos;>">
 contest () bloatedcorp com </a>

This is not a good idea.

Working Example:

http://www.malware.com/$illine$$.html

Note: this is an 8th month 
old 'thing':http://www.securityfocus.com/bid/3334

2. EVEN WORSE:

Trivial file theft using Outlook Express, maybe Outlook. Instead of 
delivering files to the target computer, we rather take files from 
the target computer. With a bit of Idiot Engineering, we reverse the 
process as detailed here: http://www.securityfocus.com/bid/1221 and 
here: http://www.kb.cert.org/vuls/id/31994. 

Note: now almost 24 months old.

 
Working Example:

This will pluck and send your Autoexec.bat from a default Windows 
installation. Targeted computers with specific files can prove more 
lucrative.

http://www.malware.com/idiot$.html

Notes:

1. Outlook Express 6 default mail is in the 'restricted zone'. 
Outlook Express 5.5 isn't. Disable Active X and all those other 
things.

2. Do not send 'unknown' webmasters entire web pages despite how 
tempting the request is. 

3. Scraping the bottom of the barrel.

End Call.

-- 
http://www.malware.com