Message-ID: <200407111351.i6BDpau17136@netsys.com>
From: common at mccanless.us (KM)
Subject: MicroSopht IE (on XPee only) launches messenger by callto:gates or outlook by outlook:calendar protocols

I pointed out the use of the Outlook: protocol in
http://seclists.org/lists/fulldisclosure/2004/Jul/0460.html.  I have yet to
find a way that it can be exploited.

 

As for the Callto: protocol, that is one of many registered URL types.  If
you look in Folder Options > File Types you will see a list of the
registered URL types, such as tn3270, telnet, LDAP, rlogin, etc.  Again, no
obvious way to exploit these.  One trick I found interesting, but not
exploitable to my knowledge other than confusing the hell out of a web user,
is to put a tn3270 or rlogin link in an href like "<a href=tn3270:servername
33033>a link</a>".  Then run Netcat with the following command on the server:
"nc -l -p 33033 < hamlet.txt".  It will cause a telnet window to open on the
user's system and the entire text of hamlet (or whatever you choose, even
binaries) to scroll across the screen.

 

Other than using these tricks to fool users into doing something stupid, I
don't know of any way to exploit any of these.

  _____  

From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Good One
Sent: Saturday, July 10, 2004 5:25 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] MicroSopht IE (on XPee only) launches messenger
by callto:gates or outlook by outlook:calendar protocols

 

Micro$opht IE (on XPee only) launches messenger by callto:gates or outlook
by outlook:calendar protocols

 

For outlook there exists a wide range of other shortcuts as well. Just verify
left pane of outlook shortcuts ...

 

try to open iframe with any of those protocols and you will get outlook open
(or at least wizard to configure it will be called).

 

-SomeMan
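
The following is an added example, not part of either original post: a content-filter check that flags markup whose href/src/action URL would be handed to an externally registered protocol handler, as with the tn3270:, rlogin:, callto: and outlook: links discussed in the thread. The allowlist, the attribute set, the function and class names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Schemes the browser handles itself (assumed allowlist; membership means
# "not passed to an external handler", not "safe").
BROWSER_SCHEMES = {"http", "https", "ftp", "about", "javascript", "data"}
URL_ATTRS = {"href", "src", "action"}
# Two or more characters, so a drive letter such as "c:" is not a scheme.
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]+):", re.I)


class HandlerLinkFinder(HTMLParser):
    """Collect (tag, attribute, scheme, line) for external-handler URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Mirror URL parsing: drop tab/CR/LF, strip leading controls/space.
            url = re.sub(r"[\t\r\n]", "", value)
            url = re.sub(r"^[\x00-\x20]+", "", url)
            m = SCHEME_RE.match(url)
            if m and m.group(1).lower() not in BROWSER_SCHEMES:
                self.findings.append((tag, name, m.group(1).lower(), self.getpos()[0]))


def find_handler_links(html):
    parser = HandlerLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample built from the link forms quoted in the thread.
SAMPLE = """<html><body>
<a href="http://example.com/">ordinary link</a>
<a href=tn3270:servername 33033>a link</a>
<iframe src="outlook:calendar"></iframe>
<iframe src="CallTo:gates"></iframe>
<a href=" rlo\tgin:servername">padded</a>
<a href="/relative/path?x=a:b">relative</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, scheme, line in find_handler_links(SAMPLE):
        print(f"line {line}: <{tag} {attr}> uses external scheme '{scheme}:'")
```

Character references in attribute values are decoded by the parser before the scheme is matched, so an entity-encoded scheme name is reported under its decoded form.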

