Bugtraq mailing list archives

Re: Exploit using Eudora and the Guninski hole

From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 20 Sep 2000 14:35:39 +0800

At 03:47 PM 19-09-2000 -0400, Louis-Eric Simard wrote:

  TESTED SYSTEMS
  Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
have not been tested.


  PROBLEM DESCRIPTION
  Eudora saves all attachments in a single directory upon receiving the
mail; a mail message need not be open for its attachment to be decoded
  and saved in that common directory. An intruder need only send an e-mail
with a trojaned DLL as described in the Guninski advisory, along with
  or followed by an e-mail containing a Word document.

  DEMONSTRATION
  A dummy RICHED20.DLL file is attached here. To test the security hole,
simply mail this file along with the supplied (or any) Word file, then
  click on the Word file. After a few seconds, a message box titled
"Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."


Earlier versions of Eudora (1.x - 3.x) should thus be vulnerable as well
since it's common for users to have a single attachment directory.

It's not even necessary to send a word document. Once the dll is there, if
the user opens OTHER suitable documents in the same directory, the trojan
dll will be loaded.

This is what makes it more dangerous.

Being subscribed to Bugtraq is getting rather more hazardous, I sure hope
Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
is different from my office attachment directory.

But in the future we could see something like "binary chemical weapons"
where non or sublethal payloads combine to create a lethal payload.

This can make detection harder, as the various payloads could come from
different sources. And the trigger could be from an innocent party.

We probably can't use the "binary" term in this field as it would be
confusing and redundant. "Beware of binary dlls" yeah right ;).

I am sure there are other cases where things are dumped into the same
directory. The windows temp directory comes to mind.

Maybe one could be tricked into storing the dll in suitable areas- by
setting the MIME content type at the webserver, you should in theory be
able to tell the browser it's an image, audio, or even word document. But
once it's downloaded it will be treated as a dll due to the extension.

Cheerio,

Link.

Current thread:

Exploit using Eudora and the Guninski hole Louis-Eric Simard (Sep 19)
- Re: Exploit using Eudora and the Guninski hole Lincoln Yeoh (Sep 20)
- Re: Exploit using Eudora and the Guninski hole David LeBlanc (Sep 21)
  - Re: Exploit using Eudora and the Guninski hole Signal 11 (Sep 22)
- Re: Exploit using Eudora and the Guninski hole Nick FitzGerald (Sep 21)