Thursday, April 21, 2005

File Selection May Lead to Command Execution

Affected applications:

Windows Explorer on Windows 2000 Professional.
Windows Explorer on Windows 2000 Server.
Windows Explorer on Windows 2000 Advanced Server.

Exploit details:

When the preview pane outputs the document's author name, it checks whether the name resembles an email address, and if so, transforms it into a 'mailto:' link in the pane.

The transformation into a link does not filter potentially dangerous characters and makes it possible to inject attributes into the link, which enables execution of arbitrary script commands.

Script commands injected in this manner execute as soon as the malicious file is selected in Windows Explorer, and they run in a trusted context, which means they can perform any action the currently logged-on user can perform. This includes reading, deleting and writing files, as well as executing arbitrary commands.

Notice that the malicious file does not need to be executed to activate the exploit; double-clicking is not required. The exploitation takes place as soon as the file is selected.
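The flaw class described above, unfiltered text placed inside a quoted link attribute, can be modelled in a few lines. This is an added example, not Windows Explorer's code or code from the advisory: the function names, the "contains an @" check and the sample author values are assumptions made for illustration.

```javascript
// Model of the flaw class described above; not Windows Explorer's actual code.
// Assumption: "resembles an email address" is modelled as "contains an @".
const looksLikeEmail = (s) => s.includes("@");

// Escape text for HTML element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the author field is concatenated into the tag unfiltered.
function renderAuthorUnsafe(author) {
  if (!looksLikeEmail(author)) return author;
  return '<a href="mailto:' + author + '">' + author + "</a>";
}

// Hardened: strict address check, then encode for the URL and for HTML.
const STRICT_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function renderAuthorSafe(author) {
  if (!STRICT_EMAIL.test(author)) return escapeHtml(author); // plain text only
  return '<a href="mailto:' + escapeHtml(encodeURI(author)) + '">' +
         escapeHtml(author) + "</a>";
}

// Check: list the attribute names on the first <a> tag of rendered markup.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/i.exec(html);
  if (!tag) return [];
  const attrs = tag[1].matchAll(/([^\s"'=<>\/]+)\s*=\s*"[^"]*"/g);
  return [...attrs].map((m) => m[1].toLowerCase());
}

// Constructed sample values for a document's author field.
const benign = "alice@example.com";
const crafted = 'x@example.com" title="injected';

console.log(anchorAttributes(renderAuthorUnsafe(benign)));  // only href
console.log(anchorAttributes(renderAuthorUnsafe(crafted))); // an extra attribute
console.log(renderAuthorSafe(crafted));                     // inert escaped text
```

A link that comes out with any attribute other than `href` means the metadata value escaped its quotes, which is the condition the filtering has to rule out.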
