Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

From: Joxean Koret <joxeankoret () yahoo es>
Date: Fri, 23 Mar 2007 11:15:57 +0100 (CET)
Hi,

Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Regards,
Joxean Koret


Exploit:
Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking



for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would 
be beautiful), but I guess there
are several attack vectors.



                
______________________________________________ 
LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 
http://es.voice.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: