I pointed out the use of the Outlook: protocol in
http://seclists.org/lists/fulldisclosure/2004/Jul/0460.html.
I have yet to find a way that it can be exploited.

As for the Callto: protocol, that is one of many registered URL types. If
you look in Folder Options > File Types you will see a list of the
registered URL types, such as tn3270, telnet, LDAP, rlogin, etc. Again, no
obvious way to exploit these.

One trick I found interesting, but not exploitable to my knowledge other than
confusing the hell out of a web user, is to put a tn3270 or rlogin link in an
href like "<a href="tn3270:servername%2033033">a link</a>". Then run Netcat
with the following command on the server: "nc -l -p 33033 < hamlet.txt".
It will cause a telnet window to open on the user's system and the entire
text of Hamlet (or whatever you choose, even binaries) to scroll across the
screen. Other than using these tricks to fool users into doing something
stupid, I don't know of any way to exploit any of these.

From: Micro$opht IE (on XPee only) launches messenger by callto:gates or
outlook by outlook:calendar protocols

For outlook there exists a wide range of other shortcuts as well. Just
verify left pane of outlook shortcuts ... try to open iframe with any of
those protocols and you will get outlook open (or at least wizard to
configure it will be called).

-SomeMan
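
An added example, not part of the original posts: a small Python check that scans a page for href/src values using schemes outside a web allowlist, which is how the callto:, outlook: and tn3270: links discussed in this thread would show up to a reviewer or content filter. The allowlist, the function and class names, and the sample HTML are assumptions made up for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Schemes treated as ordinary web content (assumed allowlist; adjust per policy).
ALLOWED = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src"}
# RFC 3986 scheme syntax followed by the rest of the URL.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)


class HandlerLinkFinder(HTMLParser):
    """Collects URL attributes whose scheme is not on the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            m = SCHEME_RE.match(value.strip())
            if not m:
                continue  # relative URL, no scheme present
            scheme = m.group(1).lower()
            if scheme in ALLOWED:
                continue
            # Decode percent-escapes so the reviewer sees the readable form,
            # e.g. %20 shown as the space between server name and port.
            self.findings.append((tag, scheme, unquote(m.group(2))))


def find_handler_links(html):
    """Return (tag, scheme, decoded remainder) for each flagged attribute."""
    finder = HandlerLinkFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page using the link forms mentioned in the thread.
SAMPLE = """
<a href="https://example.com/">normal</a>
<a href="tn3270:servername%2033033">a link</a>
<iframe src="outlook:calendar"></iframe>
<a href="CALLTO:gates">call</a>
<img src="images/logo.png">
"""

if __name__ == "__main__":
    for tag, scheme, target in find_handler_links(SAMPLE):
        print(f"<{tag}> scheme={scheme!r} remainder={target!r}")
```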
