Hey.

I've been waiting to see when somebody finally got around to testing Outlook Express. It's also possible to exploit this through Outlook full version from Office 2003.

I have also discovered other problems (not difficult to find) which allow the execution of any program which has registered as a document handler, with the URL being passed to it. This gets interesting when the local application has problems such as a command line buffer overflow.

I'm guessing this is similar to what has been documented here.
http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/

.brett

On 10/8/07, Morning Wood <se_cur_ity@xxxxxxxxxxx> wrote:
> these work inside OE, default with html turned off
> they do not work when clicked from a normal
> local html.
>
> ----- Original Message -----
> From: "Thierry Zoller" <Thierry@xxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, October 06, 2007 8:06 AM
> Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader,
> Netscape,Miranda, Skype
>
>
> > Dear All,
> >
> > mailto:test%../../../../windows/system32/calc.exe".cmd
> > I would deem 1 and 3 as reasonable (intended) behaviour.
> >
> >>2) now do the very same thing on a system with Windows XP and IE7.
> >>calc.exe is executed.
> > Confirmed here, that's definitely a Problem, and should be linked to
> > the Windows URI Handler. (IMHO)
> >
> >
> > The behaviour is this :
> > The extension determines the handler to use to shell
> > "../../../../windows/system32/calc.exe"
> >
> > Example :
> > mailto:test%../../../../windows/system32/calc.exe".cmd
> > Uses the cmd handler to open calc (which executes)
> >
> > mailto:test%../../../../windows/system32/calc.exe".txt
> > uses notepad and tries to open calc.
> >
> > Something's definitely broken with the URI handler (imho)
> >
> >
> > --
> > http://secdev.zoller.lu
> > Thierry Zoller
> > Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
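
The two mailto: samples quoted in this thread contain a `%` that is not followed by two hex digits, an unencoded `"` and `..` path segments. A pre-dispatch check an application could run before handing a URI to the operating system, as an added example that is not part of the original thread (the scheme allow-list, the function name and the finding labels are assumptions; the last three sample URIs are constructed):

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption for this example: the application only hands these schemes to the OS.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986: '%' must be followed by exactly two hex digits.
BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Characters that may not appear unencoded in a URI (controls, space, quote, backslash, ...).
FORBIDDEN = re.compile(r'[\x00-\x20\x7f"<>\\^`{|}]')
# A ".." path segment delimited by either slash style.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def uri_findings(uri):
    """Return the reasons why `uri` should not be passed to a URI handler."""
    findings = []
    try:
        scheme = urlsplit(uri).scheme.lower()
    except ValueError:
        return ["unparseable"]
    if scheme not in ALLOWED_SCHEMES:
        findings.append("scheme-not-allowed")
    if BAD_PERCENT.search(uri):
        findings.append("malformed-percent-escape")
    if FORBIDDEN.search(uri):
        findings.append("forbidden-character")
    # Check the raw and the once-decoded form, so %2e%2e%2f is caught as well.
    if TRAVERSAL.search(uri) or TRAVERSAL.search(unquote(uri)):
        findings.append("path-traversal")
    return findings


SAMPLES = [
    'mailto:test%../../../../windows/system32/calc.exe".cmd',  # from the thread
    'mailto:test%../../../../windows/system32/calc.exe".txt',  # from the thread
    "mailto:user@example.com?subject=Hello%20there",           # constructed, benign
    "https://example.com/%2e%2e/%2e%2e/etc",                   # constructed
    "file:///tmp/example.txt",                                 # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", uri_findings(sample) or "ok")
```

A URI with any finding is dropped or shown as inert text instead of being dispatched.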