[14305] in bugtraq
Re: IE and Outlook 5.x allow executing arbitrary programs using
daemon@ATHENA.MIT.EDU (Sylwester =?iso-8859-2?Q?Zar=EAbsk)
Thu Mar 16 21:29:36 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
Message-Id: <38CF5DFB.30613F98@isp.net.pl>
Date: Wed, 15 Mar 2000 10:55:07 +0100
Reply-To: Sylwester =?iso-8859-2?Q?Zar=EAbski?= <sylwek@ISP.NET.PL>
From: Sylwester =?iso-8859-2?Q?Zar=EAbski?= <sylwek@ISP.NET.PL>
X-To: Bugtraq mailing list <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Georgi Guninski wrote:
>
> Georgi Guninski security advisory #9, 2000
>
> IE and Outlook 5.x allow executing arbitrary programs using .eml files
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT (probably
> others) which allows executing arbitrary programs using .eml files.
> This may be exploited when browsing web pages or opening an email
> message in Outlook.
> This may lead to taking control over user's computer.
> It is also possible to read and send local files.
>
> Details:
> The problem is creating files in the TEMP directory with known name and
> arbitrary content.
> One may place a .chm file in the TEMP directory which contains the
> "shortcut" command and when the .chm file is opened with the showHelp()
> method programs may be executed.
> This vulnerability may be exploited by HTML email message in Outlook.
[..cut..]
> Demonstration which starts Wordpad:
> http://www.nat.bg/~joro/eml.html
>
> Workaround: Disable Active Scripting.
This doesn't work for my Win2000 with IE5.0. It only prompts me to save the
*.chm file, without running it. I can accept this and run it, but this excludes
working in the background.
--
regards..
## ## | Sylwester Zarębski - ISP Group |
#### ## | e-mail: sylwek@isp.net.pl |
## ## ## | ICQ uin: #45780888 |
## #### ## | Administrator ISP.NET.PL |