RE: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

To: "'Morning Wood'" <se_cur_ity@xxxxxxxxxxx>
Subject: RE: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxx>
Date: Tue, 9 Oct 2007 16:29:01 +1300
Cc: "'Thierry Zoller'" <Thierry@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcgKJIi6ny1mpvljQUitXnqGFw8KZA==

Hey.

I've been waiting to see when somebody finally got around to testing
Outlook express. 

It's also possible to exploit this through Outlook full version from
office 2003. 

I have also discovered other problems (not difficult to fine) which
allows the execution of any program which has registered as a 
document handler, with the URL been passed to it. 

This gets interesting when the local application has problems such
as a command line buffer overflow.

I'm guessing this is similar to what has been documented here.
 http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/

.brett


On 10/8/07, Morning Wood <se_cur_ity@xxxxxxxxxxx> wrote:
> these work inside OE, default with html turned off
> they do not work when clicked from a normal
> local html.
> 
> ----- Original Message -----
> From: "Thierry Zoller" <Thierry@xxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, October 06, 2007 8:06 AM
> Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader,
> Netscape,Miranda, Skype
> 
> 
> > Dear All,
> >
> > mailto:test%../../../../windows/system32/calc.exe".cmd
> > I would deem 1 and 3 as resonable (intented) behaviour.
> >
> >>2) now do the very same thing on a system with Windows XP and IE7.
> >>calc.exe is executed.
> > Confirmed here, that's definately a Problem, and should be linked to
> > the Windows URI Handler. (IMHO)
> >
> >
> > The behaviour is this :
> > The extension determines the handler to use to shell
> > "../../../../windows/system32/calc.exe"
> >
> > Example :
> > mailto:test%../../../../windows/system32/calc.exe".cmd
> > Usese the cmd handler to open calc (which executes)
> >
> > mailto:test%../../../../windows/system32/calc.exe".txt
> > uses notepad and tries to open calc.
> >
> > Somethings definately broken with the URI handler (imho)
> >
> >
> > --
> > http://secdev.zoller.lu
> > Thierry Zoller
> > Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Prev by Date: LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues
Next by Date: Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
Previous by thread: LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues
Next by thread: [USN-527-1] xen-3.0 vulnerability
Index(es):
- Date
- Thread