Re: IE and Outlook 5.x allow executing arbitrary programs using .emlfiles

[sylwek () ISP NET PL (Sylwester Zarębski)]

Georgi Guninski wrote:
> Georgi Guninski security advisory #9, 2000
>
> IE and Outlook 5.x allow executing arbitrary programs using .eml files
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or  indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT (probably
> others) which allows executing arbitrary programs using .eml files.
> This may be exploited when browsing web pages or openining an email
> message in Outlook.
> This may lead to taking control over user's computer.
> It is also possible to read and send local files.
>
> Details:
> The problem is creating files in the TEMP directory with known name and
> arbitrary content.
> One may place a .chm file in the TEMP directory which contains the
> "shortcut" command and when the .chm file is opened with the showHelp()
> method programs may be executed.
> This vulnerability may be exploited by HTML email message in Outlook.

[..cut..]

> Demonstration which starts Wordpad:
> http://www.nat.bg/~joro/eml.html
>
> Workaround: Disable Active Scripting.

This doesn't work for my Win2000 with IE5.0. It only prompts me for saving
*.chm file, without running. I can accept this and run, but this exclude
working background.

--
pozdrawiam..

       ## ##      | Sylwester ZarĂŞbski - ISP Group |
      #### ##     |   e-mail: sylwek () isp net pl    |
     ##  ## ##    |      ICQ uin: #45780888        |
    ##  #### ##   |    Administrator ISP.NET.PL    |