Bugtraq mailing list archives
Re: Exploit using Eudora and the Guninski hole
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 21 Sep 2000 04:53:28 +1200
SIMARD SECURITY ADVISORY 20000919.1 by Louis-Eric Simard, Security Consultant (Louis-Eric () Simard com)
<<snip>>
TESTED SYSTEMS
Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora have not been tested.
...but most older ones (going *way* back to early Win16 implementations) are also vulnerable.
SYNOPSIS
A malicious intruder can easily take control of a Windows environment by simply sending one or more e-mails containing attachments conforming to the description set in the Georgi Guninski security advisory #21 if the receiver is using Eudora as a mail client.
PROBLEM DESCRIPTION
Eudora saves all attachments in a single directory upon receiving the mail; a mail message need not be open for its attachment to be decoded and saved in that common directory. An intruder need only send an e-mail with a trojaned DLL as described in the Guninski advisory, along with or followed by an e-mail containing a Word document.
Always hated that option. I couldn't see why anyone with a hint of a clue about security would like it. Was dumb-founded it was ever made the default...
DEMONSTRATION
<<snip>>
ACKNOWLEDGEMENTS
<<snip>>
COMMENTS
<<snip>>
DISCLAIMER
<<snip>>
The advisory would have been better had you mentioned that although this is the *default* behaviour of Eudora, it is configurable and can be easily disabled. There have been other exploits based on the utter predictability of this behaviour -- anyone still running Eudora with this option enabled needs their head read.
Regards,
Nick FitzGerald
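As an added illustration of the condition described in the quoted PROBLEM DESCRIPTION (this is not code from the message, the advisory, or Eudora), the following Python sketch audits a shared attachment directory for library files sitting next to documents. The extension lists, function names and sample files are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed extension lists for this sketch; the thread only names DLLs and Word documents.
LIB_EXTS = {".dll"}
DOC_EXTS = {".doc", ".dot", ".rtf"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def audit_attachment_dir(directory):
    """Return (libraries, documents) that sit side by side in one directory."""
    libs, docs = [], []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name.lower()):
        if not entry.is_file(follow_symlinks=False):
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if ext in LIB_EXTS and is_pe(entry.path):
            libs.append(entry.name)
        elif ext in DOC_EXTS:
            docs.append(entry.name)
    return libs, docs

def at_risk(directory):
    """A document opened from a directory that also holds a DLL is the risky case."""
    libs, docs = audit_attachment_dir(directory)
    return bool(libs) and bool(docs)

def build_sample(directory):
    """Write constructed sample files (placeholder content, not real attachments)."""
    samples = {
        "Invoice.DOC": b"constructed document bytes",
        "helper.dll": b"MZ\x90\x00constructed image header",
        "readme.dll": b"plain text with a misleading name",
        "photo.jpg": b"constructed image bytes",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as attach_dir:
        build_sample(attach_dir)
        libs, docs = audit_attachment_dir(attach_dir)
        print("libraries:", libs, "documents:", docs, "at risk:", at_risk(attach_dir))
```

Run against a real attachment directory, a non-empty library list is the signal to quarantine those files before any document in that directory is opened.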