Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

[FWD] MSIE vulnerability exploitable with Eudora (and IncrediMail)

From: Magnus Bodin <magnus () bodin org>
Date: Sat, 16 Mar 2002 17:38:57 +0100


FYI. Eudora (and Incredimail) could be used as trojan injectors as they
automatically decode and stores attachment in a commonly known directory.


----- Forwarded message from Magnus Bodin <magnus () bodin org> -----

From: Magnus Bodin <magnus () bodin org>
Date: Sat, 16 Mar 2002 17:23:16 +0100
To: Eric Detoisien <eric.detoisien () global-secure fr>
Cc: support () incredimail com, bugtraq () securityfocus com, bugs () eudora com,
        eudora-bugs () qualcomm com
Subject: MSIE vulnerability exploitable with Eudora (was: IncrediMail)
User-Agent: Mutt/1.3.28i

On Fri, Mar 15, 2002 at 06:33:21PM +0100, Eric Detoisien wrote:

Hi,

      A Microsoft Internet Explorer vulnerability was found by GreyMagic
(http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
possible to gain a remote access on a computer.

      Incredimail save automatically email attachements in this directory 
(on Windows 2000 Professionnal) :
C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments



Affects: Most (All?) Eudora-versions on MS/Windows.

This would make most versions of Eudora equally vulnerable.
Eudora (all versions I know of) automatically decodes attachments and stores them in the attachment
directory of Eudora. (This may vary between versions and platform, but is
pretty much easy to guess and with this greymagic-exploit-test:

        <http://x42.com/test/calc.jpg>

(Fires off the windows calculator, but could easily be modified to exploit
an auto-decoded attachment instead)

To exploit this one could send the attachment in an e-mail and include a
link to a page which servers such an exploiting image/etc. _OR_ if Eudora
uses embedded IE for html-mail, then the exploit would be executed when the
mail is html-rendered.

As Eudora is more wide-spread this may be the worst exploit to a non-MS
mail client that we have seen so far.

It is not a bug of Eudora per se, but Eudora acts as a perfect
trojan-injector which makes it very dangerous.

Blocking or renaming executables on MTA-level will of course be a
reasonable counter-measure for this problem.

/magnus

-- 
http://x42.com/

----- End forwarded message -----
Previous By Date Next
Previous By Thread Next

Current thread: