Re: Exploit using Eudora and the Guninski hole

[Nick FitzGerald <nick () virus-l demon co uk>]

> SIMARD SECURITY ADVISORY 20000919.1
> by Louis-Eric Simard, Security Consultant (Louis-Eric () Simard com)
<<snip>>
>    TESTED SYSTEMS
>    Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
> have not been tested.

...but most older ones (going *way* back to erly Win16
implementations) are also vulnerable.

>    SYNOPSIS
>    A malicious intruder can easily take control of a Windows environment by
> simply sending one or more e-mails containing attachments conforming to
>    the description set in the Georgi Guninski security advisory #21 if the
> receiver is using Eudora as a mail client.
>
>    PROBLEM DESCRIPTION
>    Eudora saves all attachments in a single directory upon receiving the
> mail; a mail message need not be open for its attachment to be decoded
>    and saved in that common directory. An intruder need only send an e-mail
> with a trojaned DLL as described in the Guninski advisory, along with
>    or followed by an e-mail containing a Word document.

Always hated that option.  I couldn't see why anyone with a hint of a
clue about security would like it.  Was dumb-founded it was ever made
the default...

>    DEMONSTRATION
<<snip>>
>    ACKNOWLEDGEMENTS
<<snip>>
>    COMMENTS
<<snip>>
>    DISCLAIMER
<<snip>>

The advisory would have been better had you mentioned that although
this is the *default* behaviour of Eudora, it is configurable and can
be easily disabled.  There have been other exploits based on the
utter predicability of this behaviour -- anyone still running Eudora
with this option enabled needs their head read.


Regards,

Nick FitzGerald