Vulnerability Development mailing list archives
Re: possible new "e-mail virus" concept ? + bypassing IE settings
From: silvio () CIKEL COM BR (Silvio L. Nisgoski)
Date: Fri, 19 May 2000 10:17:36 -0300
Generally, 98 or NT will create a file with a [1] at the end of the name when there is already a file with a similar name in the cache folder.

----- Original Message -----
From: "Zoa_Chien" <zoa_chien () INAME COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, May 19, 2000 5:18 AM
Subject: Re: possible new "e-mail virus" concept ? + bypassing IE settings

At 23:55 18-5-00 -0700, you wrote:

> Jim Paris wrote:
>
> Agreed. Both IE and Netscape make up new filenames for things they cache, and keep a separate index file for their real names. I don't think creative naming by the server is going to get things placed where you want on the client disk. I love the whole idea in general though, if you can find a way to trick the browser/user into executing the code.
>
> BB

I know that on NT (just tested), the filenames are changed to owner@filename[1].ext, but on a Windows 98, I don't notice anything concerning a separate index file for their real names. Those filenames do not get scrambled into something like AdFGsg.Fdz.

It might be that a [1] is added at the end of the filename too on Windows 98, but dunno for sure, and I don't have axx to a win98 for the moment. But I am pretty sure that the filenames do not get indexed and are not scrambled. (Just check your temp internet files on win98 to be sure and let me know.)

Does this mean we might be able to write c:\autoexec[1].bat but not c:\autoexec.bat? Isn't there something like a deletion key hex code we could use to bypass this?

If overwriting of the autoexec.bat is not possible, can we write something like porn.bat to the root dir, and hope the stupid users will get curious and run the code?

I would be really amazed if IE would have a client side check for files that contain /../ in the filename it finds in .html files... If you try to open a file in IE, the ../filename trick will work fine to get to a lower dir. Saving as such a file is not allowed, because it is not allowed by explorer.exe (explorer doesn't allow manual input of files that contain "/" "\" etc.). I don't think the cache writing system uses explorer.exe to write files, so I think filenames will not get checked... but as mentioned before I don't know for sure...

Thnx for the responses!

Zoa_Chien
www.securax.org
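The thread turns on two cache behaviours: local names made up by the client with a `[1]`-style suffix on collision, and a separate index that maps the real name to the local one. A sketch of that naming policy from the defender's side follows, as an added example that is not from the original posts and is not IE or Netscape code; the `CacheStore` class, its methods and the sample names are hypothetical and constructed for illustration.

```python
import ntpath
import re

# Characters Windows forbids in a file name, plus control characters.
_FORBIDDEN = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


class CacheStore:
    """Hypothetical cache naming: a server-supplied name is never used as a path."""

    def __init__(self):
        self.index = {}      # url -> local file name (the "separate index")
        self._taken = set()  # lower-cased local names already in use

    def _safe_leaf(self, server_name):
        # Normalise both separator styles, then keep only the last component,
        # so "../" or "c:\" prefixes cannot select a directory.
        leaf = ntpath.basename(server_name.replace("/", "\\"))
        leaf = _FORBIDDEN.sub("_", leaf).strip(" .")
        # Reserved device names (CON, NUL, ...) are not handled in this sketch.
        return leaf or "unnamed"

    def local_name(self, url, server_name):
        if url in self.index:
            return self.index[url]
        stem, ext = ntpath.splitext(self._safe_leaf(server_name))
        # Always suffix with [n]; the bare server-chosen name is never written.
        n = 1
        while f"{stem}[{n}]{ext}".lower() in self._taken:
            n += 1
        name = f"{stem}[{n}]{ext}"
        self._taken.add(name.lower())
        self.index[url] = name
        return name


if __name__ == "__main__":
    store = CacheStore()
    # Constructed sample inputs, not taken from any real server.
    for url, name in [
        ("http://a.example/1", "logo.gif"),
        ("http://b.example/2", "logo.gif"),
        ("http://c.example/3", "..\\..\\autoexec.bat"),
        ("http://d.example/4", "../../autoexec.bat"),
    ]:
        print(url, "->", store.local_name(url, name))
```

The local name is joined only to the cache directory chosen by the client, so the traversal forms discussed above reduce to an ordinary leaf name with a suffix.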