I am still unable to replicate. It launches FireFox (2.0.0.7) for me
on my system and yeilds the error page "Firefox can't find the server
at %xx..."
If I replace the "%xx" with a null byte (inspired by the recent
protocol handler problems in FF), then it still doesn't work, as per
the mIRC string: http: $+ $chr(0) $+
../../../../../../../../../../../windows/system32/calc.exe"
So far, with various permutations of protocol handlers and odd
characters, I can't reproduce this.
Greg
3APA3A wrote:
> Dear Gavin Hanover,
>
> In this very case it's really seems to be mIRC problem ("unfiltered
> shell characters"). It doesn't depend on URL handler and will work with
> any valid URL handler. You can reproduce same vulnerability by entering
>
> http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Exploitable under Windows XP, not exploitable under Vista.
>
> --Wednesday, October 3, 2007, 11:59:45 PM, you wrote to
jinc4fareijj (at) hotmail (dot) com [email concealed]:
>
> GH> is this a mirc bug or a mail client bug?
>
>>> mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".ba
t
>>>
>
(Interested in encrypting your email? Please ask me how.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
Hash: SHA1
I am still unable to replicate. It launches FireFox (2.0.0.7) for me
on my system and yeilds the error page "Firefox can't find the server
at %xx..."
If I replace the "%xx" with a null byte (inspired by the recent
protocol handler problems in FF), then it still doesn't work, as per
the mIRC string: http: $+ $chr(0) $+
../../../../../../../../../../../windows/system32/calc.exe"
So far, with various permutations of protocol handlers and odd
characters, I can't reproduce this.
Greg
3APA3A wrote:
> Dear Gavin Hanover,
>
> In this very case it's really seems to be mIRC problem ("unfiltered
> shell characters"). It doesn't depend on URL handler and will work with
> any valid URL handler. You can reproduce same vulnerability by entering
>
> http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
>
> Exploitable under Windows XP, not exploitable under Vista.
>
> --Wednesday, October 3, 2007, 11:59:45 PM, you wrote to
jinc4fareijj (at) hotmail (dot) com [email concealed]:
>
> GH> is this a mirc bug or a mail client bug?
>
>>> mailto:%xx../../../../../../../../../../../windows/system32/calc.exe".ba
t
>>>
>
- --
Greg Rubin
grrubin (at) gmail (dot) com [email concealed]
GPG: 0x79D0A517
(Interested in encrypting your email? Please ask me how.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHBQ715KDU23nQpRcRAm4UAKCv4xq/V4pz+uAlPBmb06yEGN4MKQCg7lk1
9JOhTzWLeJs/N4OCjSRuNKk=
=//Ll
-----END PGP SIGNATURE-----
[ reply ]