Bugtraq mailing list archives
Re: Exploit using Eudora and the Guninski hole
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Wed, 20 Sep 2000 10:18:14 -0700
At 03:47 PM 9/19/00 -0400, Louis-Eric Simard wrote:
> SYNOPSIS A malicious intruder can easily take control of a Windows environment by simply sending one or more e-mails containing attachments conforming to the description set in the Georgi Guninski security advisory #21 if the receiver is using Eudora as a mail client.

However, there are a few work-arounds. The first is to simply place a real copy of this DLL in that directory - any new ones will get incremented names, and Word won't pick them up. The second is to properly ACL this directory. The way to do this is to open Explorer, right click on the eudora\attach directory, choose Properties, Security. Bring up the permissions dialogs, and for each listed group that has access, choose Special File Access from the drop-down. Uncheck the Execute box in the dialog that pops up. Do not remove execute permissions at the directory level, as it causes problems (and is only needed for listing the directory). Make sure that the 'Replace Permissions on Existing Files' is checked.

This method also keeps anyone else who might be using the machine from running executable content delivered by mail without copying the file somewhere. Note that moving a file out of this directory will take its permissions with it, but copying it will get the permissions from the new directory. This solution will also prevent any future attacks based on the same method.

I have tested this, and it works. The exact steps listed above are for NT 4.0, and will vary slightly on Win2k due to ACL editor UI changes. This should also be possible with xcacls (Resource Kit util) so that it could be scripted, but I haven't sorted out the exact arguments at the moment.

I also think it might have been polite to have placed a _link_ to the test DLL rather than delivering it directly. You've actually attacked anyone running Eudora, which is a little rude. If I hadn't had Word already running this morning, this could have caused some annoyance when I went to edit a document. Also, anyone wanting to test this who is using Outlook with the extra security settings wouldn't have seen the DLL.

BTW, a third work-around is to simply open Word in some other way, and then click on the document - the DLL is then already loaded and won't load again.

In general, it is best to remove execute permissions for files contained in any directories where e-mail or your browser might place downloaded or temporary content. This preventative measure defeats a variety of attacks, both via e-mail and browser.

David LeBlanc
dleblanc () mindspring com
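
A scripted form of the attachment-directory ACL change discussed in the message above, as an added example that is not part of the original post and does not use xcacls. It swaps in a different technique: a Deny ACE for file execute that inherits to files only, instead of unchecking Execute in each group's allow entry. The attach path and variable names are assumptions.

```powershell
# Added example: the default path is an assumption; pass the real attach directory.
param(
    [string]$AttachDir = 'C:\Program Files\Eudora\attach'
)

# Well-known SID for Everyone, so the script does not depend on localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# ExecuteFile and Traverse share one access bit. ObjectInherit + InheritOnly
# applies the ACE to files in the directory and not to the directory itself,
# which matches the advice to leave directory-level execute alone.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $AttachDir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $AttachDir -AclObject $acl

# Verify: report every file that did not pick up a Deny on execute
# (for example, files whose ACL has inheritance disabled).
$execBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
foreach ($file in Get-ChildItem -LiteralPath $AttachDir -File) {
    $denied = (Get-Acl -LiteralPath $file.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $execBit)
    }
    [pscustomobject]@{
        File          = $file.Name
        ExecuteDenied = [bool]$denied
    }
}
```

Files listed with `ExecuteDenied` set to `False` still need their ACL corrected by hand; new attachments saved into the directory inherit the Deny entry.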