Full Disclosure mailing list archives
UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1
From: full-disclosure () lists netsys com (http-equiv () excite com)
Date: Thu, 25 Jul 2002 15:36:26 -0000
Doug Monroe <monwel () interhack net> said:
"http-equiv () excite com" wrote:

Tuesday, July 23, 2002

Trivial silent delivery and installation of an executable on a target computer. This can be accomplished with the default installation of the mail client Eudora 5.1.1:

'allow executables in HTML content' DISABLED
'use Microsoft viewer' ENABLED

[snip]

Working Example:

[snip]

http://www.malware.com/boodora.txt

Notes: disable 'use Microsoft viewer'

A Eudora expert I am not, but I suppose one could also change HKCU/software/qualcomm/eudora/launchmanager/path#2 from "c:\windows\application data\qualcomm\eudora\embedded" or "c:\program files\qualcomm\eudora pro\embedded" to some other, non-default folder name. New folder must exist before running eudora again.

And... add mhtml to "WarnExtentions#X" key values?
Doug, excellent point.

1. Yes, if you can relocate the embedded folder. Better.

2. No. Adding warnings to extensions appears to be useless. Just tested something here. Typically IE can or will open files depending on what the contents are, regardless of the extension: an <html> tag in a gif or some other file type should or can be rendered by IE for what the contents are, not the extension.

New Note 25.7.02: trying that with the above demo, creating & depositing only malware.exe and malware [no file extension] yielded some very interesting results.

<META http-equiv=refresh content="1; url=file://C:\WINDOWS\Application Data\Qualcomm\Eudora\Embedded\malware">

Expecting IE to spring open with the non-extension'd mhtml file fully functional, we find that in fact it does not. We find that the malware.exe is immediately executed. Removing the mhtml file from the embedded folder and leaving only malware.exe in there, the meta refresh pointing to 'malware' only [no extension at all] appears to execute the *.exe directly -- no need for the mhtml file at all.

Could be an anomaly with this machine, but simply send yourself the meta refresh pointing to malware minus extension, place an executable with the same name in the embedded folder and see if it executes. No time right now to grind it into powder.

--
http://www.malware.com
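As an added example, not code from this thread or from Eudora: a small Python scanner that pulls the target of every meta refresh out of an HTML mail body and flags it by URL scheme (file:, mhtml:) rather than by file extension, which is exactly the case an extension warn-list misses when the target is 'malware' with no extension. The sample body is constructed from the META line quoted above, and the WARN_EXTENSIONS set is an assumed stand-in for the "WarnExtentions#X" values, which the thread does not list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body built from the META line quoted in the thread.
SAMPLE_BODY = r'''<html><body>
<META http-equiv=refresh content="1; url=file://C:\WINDOWS\Application Data\Qualcomm\Eudora\Embedded\malware">
<p>hello</p></body></html>'''

# Assumed warn list; the real "WarnExtentions#X" values are not given on the page.
WARN_EXTENSIONS = (".exe", ".mhtml", ".mht")


class _MetaRefreshParser(HTMLParser):
    """Collect the target URL of every <meta http-equiv=refresh> tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.urls.append(m.group(1).strip())


def meta_refresh_urls(html):
    p = _MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.urls


def flagged_by_extension(url):
    """Extension-list check: misses an extension-less target such as 'malware'."""
    name = re.split(r"[\\/]", url)[-1].lower()
    return name.endswith(WARN_EXTENSIONS)


def flagged_by_scheme(url):
    """Scheme check: a refresh to a local file is suspicious whatever its name."""
    return urlsplit(url).scheme.lower() in ("file", "mhtml")


def scan(html):
    """Return (url, extension_flag, scheme_flag) for each meta refresh found."""
    return [(u, flagged_by_extension(u), flagged_by_scheme(u)) for u in meta_refresh_urls(html)]
```

Running scan(SAMPLE_BODY) shows the quoted refresh passing the extension check but being caught by the scheme check.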
Current thread:
- REFRESH: EUDORA MAIL 5.1.1 http-equiv () excite com (Jul 24)
- Re: REFRESH: EUDORA MAIL 5.1.1 Doug Monroe (Jul 25)
- UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1 http-equiv () excite com (Jul 25)
- Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1 Jeff Kell (Jul 25)
- Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1 Nick FitzGerald (Jul 25)
- Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1 http-equiv () excite com (Jul 26)
- Re: REFRESH: EUDORA MAIL 5.1.1 Bill Timmins (Jul 26)