[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
- To: "Joxean Koret" <joxeankoret@xxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
- From: "Kingcope" <kingcope@xxxxxxx>
- Date: Fri, 23 Mar 2007 11:32:07 +0100
Hello,
I just tested it with UNC paths,
and yes this works too, but you have to
press on the yes button when it asks because
the file is not authorized (it comes from remote).
After pressing Yes one time it gets executed.
Normally Windows Mail does not execute
exe or other executable files, now it does :-)
Thank you for this nice idea Joxean Koret.
Regards,
kcope
----- Original Message -----
From: "Joxean Koret" <joxeankoret@xxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>; <kingcope@xxxxxxx>
Sent: Friday, March 23, 2007 11:15 AM
Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client
Side Code Execution Vulnerability
> Hi,
>
> Did you test it using UNC paths? It may be a way to
> truly execute arbitrary code.
>
> Regards,
> Joxean Koret
>
>>Exploit:
>>Send a HTML email message containing the URL:
>><a href="c:/windows/system32/winrm?">Click here!</a>
>>or
>><a href="c:/windows/system32/migwiz?">Click here!</a>
>>and winrm.cmd/migwiz.exe gets executed without asking
>
>>for permission.
>>These are just examples.
>>
>>I could not pass arguments to winrm (hehe this would
>>be beautiful), but I guess there
>>are several attack vectors.
>
>
>
> ______________________________________________
> LLama Gratis a cualquier PC del Mundo.
> Llamadas a fijos y móviles desde 1 céntimo por minuto.
> http://es.voice.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/