Vulnerability Development mailing list archives
Re: Outlook HTML VBS (demo)
From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Thu, 25 May 2000 14:25:39 -0400
In reply to some messages..

! -----Original Message-----
! From: Hull, Dave
! Sent: Tuesday, May 23, 2000 8:44 AM
!
!
! Your message with the alert() call in it did popup on my Outcrook. I
! tried creating an html message using <Script language =
! VBScript></VBScript> tags with code that would create a new registry
! entry, but it failed every time. This may be because my code wasn't
! quite right, but I was borrowing heavily from ILY, so I think it was
! fine.

I think you might want to try <SCRIPT LANGUAGE="VBScript"> blah </SCRIPT> if the closing vbscript tag did not work. I had never seen a </vbscript> tag before, maybe that's your problem.

<snip>

! controls. However, just because you can cause a popup window using
! the javascript alert() call doesn't mean that a particular
! installation of Outlook is vulnerable to more dangerous attacks.
! Nevertheless, it's probably a good idea to have scripts turned off
! anyway.

I think having an eMail that's capable of processing commands is asking for trouble. Even if the thing in itself is pretty much sandboxed, it's only a question of time before the next Eyedog vulnerability hits the streets and whoever wants to penetrate your network races you up on that. Disabling the scripts is THE solution, we agree on this. I have yet to hear a single reason why an eMail should have scripts or any other kind of active content.

Marko Ernvall also said the code was "old and obvious", of course it is. But you know, those usually work best :)

It has implications that some people don't really get, I fear. Say I send spam but I'm unsure if all the addresses in my database are accurate, I send you this kind of eMail that makes an IFRAME in your mail or pops another window to my CGI that records, say, your eMail, windows version, OS type and all the other wonderful information you can gather via this.

Here's a quick list taken from msdn web workshop that lists info that someone could tag to your eMail via this trick:

appCodeName      Retrieves the code name of the browser.
appMinorVersion  Retrieves the application's minor version value.
appName          Retrieves the name of the browser.
appVersion       Retrieves the platform and version of the browser.
browserLanguage  Retrieves the current browser language.
cookieEnabled    Retrieves whether client-side cookies are enabled in the browser.
cpuClass         Retrieves a string denoting the CPU class.
javaEnabled      Returns whether Java is enabled.
onLine           Retrieves whether the system is in global offline mode.
platform         Retrieves the name of the user's operating system.
systemLanguage   Retrieves the default language used by the system.
userAgent        Retrieves a string equivalent to the HTTP user-agent request header.
userLanguage     Retrieves the current user language.

That's all very interesting information to know if I want to infect you or penetrate your network. Information that you leak via letting scripts run in emails.

We are lucky the Outlook patch fixes all that! (not).

M.
[moo]
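As an added example, not part of this post or the thread: a small Python check a mail gateway or defender could run over an inbound message to flag the kind of active content the thread is about (SCRIPT blocks and the LANGUAGE= they ask for, IFRAMEs and other embedded objects, inline on* event handlers) before the mail reaches a client that would execute it. The sample message is constructed, not a real capture.

```python
import email
from email import policy
from html.parser import HTMLParser

EMBED_TAGS = {"iframe", "object", "embed", "applet"}  # presence alone is active content


class ActiveContentScanner(HTMLParser):
    """Record script blocks, embedded frames/objects and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "script":
            # Report which engine the sender asked for (LANGUAGE= or TYPE=).
            self.findings.append(("script", attrs.get("language") or attrs.get("type") or "default"))
        elif tag in EMBED_TAGS:
            self.findings.append((tag, attrs.get("src", "")))
        for name in attrs:
            if name.startswith("on"):  # onload=, onclick=, ... also run script
                self.findings.append(("handler", f"{tag}:{name}"))


def scan_html(html_text):
    scanner = ActiveContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def scan_message(raw_message):
    """Parse an RFC 822 message and return findings for every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample message, shaped like the demo discussed in the thread.
SAMPLE = """\
From: sender@example.invalid
Subject: demo
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="alert('hi')">
<SCRIPT LANGUAGE="VBScript"></SCRIPT>
<iframe src="http://example.invalid/cgi-bin/log"></iframe>
</body></html>
"""
```

A message whose only HTML is links and text yields an empty list; anything returned is a reason to strip the part or quarantine the mail.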