Vulnerability Development mailing list archives

Re: Outlook HTML VBS (demo)


From: mkennedy () SYMANTEC COM (Mark Kennedy)
Date: Thu, 25 May 2000 16:52:57 -0000


Dave,

VBS does not have disk functions.  It accesses the FileSystemObject to do
this.  JScript can access the same object.

To embed in HTML it is the same as JScript only you specify a different
language:

<script language="VBScript">

Mark Kennedy
Architect,
Symantec


So I take it one can embed VBS in html <script> tags in the same way
that one may do so with javascript? Does javascript have the similar
functions for disk I/O that VBS has?

Dave Hull, Senior Information Technology Analyst
LAN Support Services, University of Kansas
gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html

-----Original Message-----
From: Playle, Greg [mailto:GPlayle () stai com]
Sent: Monday, May 22, 2000 10:54 AM
To: 'Hull, Dave'
Subject: RE: Outlook HTML VBS (demo)

RTFN.  (Read The Fantastic News).  VBS is the scripting language behind:
Melissa, LoveBug, Cholera, variants of LoveBug, etc.  Do a search on evil
html.

-----Original Message-----
From: Hull, Dave [mailto:dphull () MAIL UKANS EDU]
Sent: Monday, May 22, 2000 9:21 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

Pardon my ignorance, but is it really possible to include dangerous
exploits in messages using VBS, Javascript and the like? Popup messages
are one thing, but I/O to disk is quite another. Is this really a VBS
call? It looks suspiciously like the alert() function found in
Javascript.

I was working several months ago on a project and thought I might be
able to use Javascript via a web page to pull stats from a user's
computer like size of HDD, amount of available disk space, etc. and my
admittedly shallow research led me to believe that it was not possible
to use Javascript for such tasks. Granted, I don't know the language so
could someone set me straight. Thanks.

Dave Hull, Senior Information Technology Analyst
LAN Support Services, University of Kansas
gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html
-----Original Message-----
From: Masial [mailto:mrousseau () SECURED ORG]
Sent: Sunday, May 21, 2000 5:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

The easy way is to build the HTML in notepad with the scripts in it then
open the html doc with Word and send the eMail using the little eMail
button in word.
As you can see, this eMail message would pop a box on a vulnerable
outlook and not on those who don't allow scripting. The only function in
this demo is an alert() box but it could be pretty much anything.

M.

> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf
> Of Joerg Weber
> Sent: Sunday, May 21, 2000 12:28 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Outlook, HTML & VBS
>
>
> BB, Everyone,
>
> this certainly is a lame question but Outlook isn't exactly my
> speciality :)
>
> I'm trying to embed a script into a mail that pops up a MsgBox
> telling the user (s)he is vulnerable to vbs-scripting virii. Now,
> attaching this is sorta lame. So I'm trying to have Outlook execute
> the script when the message is read.
> Could someone explain how you create arbitrary HTML code so Outlook
> renders/executes it? I've that far just been able to use Outlook's
> built-in formatting features.
>
> Thanks everyone!
>
>       Joerg
>


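
The check below is an added example, not code from any poster in this thread: it walks a message's text/html parts and reports each <script> element's language together with any reference to the scripting host objects discussed above, which is what a mail gateway needs to know before delivering HTML mail to a client that runs script. The token list, the function and class names, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Tokens to flag (assumed list); FileSystemObject is the object named in the thread.
RISKY_TOKENS = ("filesystemobject", "createobject", "activexobject")

class ScriptFinder(HTMLParser):
    """Collect the language attribute and body of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # [language, body] pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            lang = a.get("language") or a.get("type") or "unspecified"
            self.scripts.append([lang.lower(), ""])
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_message(raw):
    """Return one finding per <script> found in any text/html part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        # latin-1 maps every byte, so decoding never fails on odd charsets
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        finder = ScriptFinder()
        finder.feed(body)
        finder.close()
        for lang, code in finder.scripts:
            hits = [t for t in RISKY_TOKENS if t in code.lower()]
            findings.append({"language": lang, "tokens": hits})
    return findings

# Constructed sample message (not taken from the thread).
SAMPLE = (
    "From: sender@example.com\nSubject: constructed test\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    '<html><body><script language="VBScript">MsgBox "hi"</script>\n'
    '<script language="JScript">var f = new ActiveXObject('
    '"Scripting.FileSystemObject");</script></body></html>\n')
```

Any finding at all means the HTML part carries script; a non-empty `tokens` list marks script that reaches for host objects rather than just popping a message box.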

