Bugtraq mailing list archives
Re: Exploit using Eudora and the Guninski hole
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 20 Sep 2000 14:35:39 +0800
At 03:47 PM 19-09-2000 -0400, Louis-Eric Simard wrote:
> TESTED SYSTEMS
> Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora have not been tested.
>
> PROBLEM DESCRIPTION
> Eudora saves all attachments in a single directory upon receiving the mail; a mail message need not be open for its attachment to be decoded and saved in that common directory. An intruder need only send an e-mail with a trojaned DLL as described in the Guninski advisory, along with or followed by an e-mail containing a Word document.
>
> DEMONSTRATION
> A dummy RICHED20.DLL file is attached here. To test the security hole, simply mail this file along with the supplied (or any) Word file, then click on the Word file. After a few seconds, a message box titled "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."
Earlier versions of Eudora (1.x - 3.x) should thus be vulnerable as well, since it's common for users to have a single attachment directory.

It's not even necessary to send a Word document. Once the DLL is there, if the user opens OTHER suitable documents in the same directory, the trojan DLL will be loaded. This is what makes it more dangerous.

Being subscribed to Bugtraq is getting rather more hazardous; I sure hope Mr Simard's DLL is harmless :). Fortunately my Bugtraq attachment directory is different from my office attachment directory.

But in the future we could see something like "binary chemical weapons", where non- or sub-lethal payloads combine to create a lethal payload. This can make detection harder, as the various payloads could come from different sources. And the trigger could be from an innocent party.

We probably can't use the "binary" term in this field as it would be confusing and redundant. "Beware of binary DLLs" yeah right ;).

I am sure there are other cases where things are dumped into the same directory. The Windows temp directory comes to mind.

Maybe one could be tricked into storing the DLL in suitable areas: by setting the MIME content type at the webserver, you should in theory be able to tell the browser it's an image, audio, or even a Word document. But once it's downloaded it will be treated as a DLL due to the extension.

Cheerio,
Link.
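The condition the thread describes (a DLL sitting in a shared attachment or temp directory, waiting for a document opened there to load it by name) is something a mail administrator can check for. The script below is an added example for this archive page, not code from either poster or from Eudora; it assumes the attachment directory is a plain folder on disk and builds a constructed sample directory itself. It flags any file with a .dll extension, and also any file whose bytes carry the PE "MZ" signature under some other extension, which covers the MIME-type trick Lincoln mentions. RICHED20.DLL is the name from the advisory; the other sample files are constructed.

```python
"""Flag files in a mail-attachment directory that a document viewer could load as a DLL."""
import tempfile
from pathlib import Path

# Every Windows executable or DLL starts with the DOS header signature "MZ".
PE_MAGIC = b"MZ"


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' signature, whatever its extension says."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_attachment_dir(directory) -> list[tuple[str, str]]:
    """Return (filename, reason) for each file that should not sit in an attachment directory.

    Check 1: the .dll extension, which is what Windows acts on when a program resolves a
    library by name from the directory of the document it is opening.
    Check 2: the PE signature under any other extension, which catches a library delivered
    with a misleading content type or file name (it is inert until renamed, but still
    does not belong among mail attachments).
    """
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() == ".dll":
            findings.append((entry.name,
                             "DLL in attachment directory; shadows a system DLL when a document here is opened"))
        elif is_pe_file(entry):
            findings.append((entry.name,
                             f"PE executable under a '{entry.suffix or 'missing'}' extension"))
    return findings


def build_sample_dir() -> Path:
    """Create a constructed attachment directory with three sample files (not real mail)."""
    d = Path(tempfile.mkdtemp(prefix="attach_"))
    # A dummy DLL like the one in the advisory: PE signature followed by filler bytes.
    (d / "RICHED20.DLL").write_bytes(PE_MAGIC + b"\x90" * 62)
    # A benign Word file: OLE2 compound-document header, no PE signature.
    (d / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    # PE bytes saved under an image name, the "tell the browser it's an image" case.
    (d / "photo.jpg").write_bytes(PE_MAGIC + b"\x00" * 62)
    return d


if __name__ == "__main__":
    for name, reason in scan_attachment_dir(build_sample_dir()):
        print(f"{name}: {reason}")
```

Run it as a scheduled task against the real attachment folder (and, as the post suggests, the Windows temp directory) and alert on any finding; the .dll check is the one that matters for the Eudora case, since the extension alone decides whether the loader will pick the file up.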
Current thread:
- Exploit using Eudora and the Guninski hole Louis-Eric Simard (Sep 19)
- Re: Exploit using Eudora and the Guninski hole Lincoln Yeoh (Sep 20)
- Re: Exploit using Eudora and the Guninski hole David LeBlanc (Sep 21)
- Re: Exploit using Eudora and the Guninski hole Signal 11 (Sep 22)
- Re: Exploit using Eudora and the Guninski hole Nick FitzGerald (Sep 21)