[16846] in bugtraq


Re: Exploit using Eudora and the Guninski hole

daemon@ATHENA.MIT.EDU (Lincoln Yeoh)
Wed Sep 20 13:23:46 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.5.32.20000920143539.0083f370@popgw.mecomb.po.my>
Date:         Wed, 20 Sep 2000 14:35:39 +0800
Reply-To: Lincoln Yeoh <lyeoh@POP.JARING.MY>
From: Lincoln Yeoh <lyeoh@POP.JARING.MY>
X-To:         Louis-Eric Simard <Louis-Eric@SIMARD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.3.2.7.0.20000919154657.02cbd9f8@getmail.simard.com>

At 03:47 PM 19-09-2000 -0400, Louis-Eric Simard wrote:
>   TESTED SYSTEMS
>   Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
>   have not been tested.
>
>   PROBLEM DESCRIPTION
>   Eudora saves all attachments in a single directory upon receiving the
>   mail; a mail message need not be open for its attachment to be decoded
>   and saved in that common directory. An intruder need only send an e-mail
>   with a trojaned DLL as described in the Guninski advisory, along with
>   or followed by an e-mail containing a Word document.
>
>   DEMONSTRATION
>   A dummy RICHED20.DLL file is attached here. To test the security hole,
>   simply mail this file along with the supplied (or any) Word file, then
>   click on the Word file. After a few seconds, a message box titled
>   "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."

Earlier versions of Eudora (1.x - 3.x) should thus be vulnerable as well
since it's common for users to have a single attachment directory.

It's not even necessary to send a Word document. Once the dll is there, if
the user opens OTHER suitable documents in the same directory, the trojan
dll will be loaded.

This is what makes it more dangerous.

Being subscribed to Bugtraq is getting rather more hazardous; I sure hope
Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
is different from my office attachment directory.

But in the future we could see something like "binary chemical weapons"
where non or sublethal payloads combine to create a lethal payload.

This can make detection harder, as the various payloads could come from
different sources. And the trigger could be from an innocent party.

We probably can't use the "binary" term in this field as it would be
confusing and redundant. "Beware of binary dlls" yeah right ;).

I am sure there are other cases where things are dumped into the same
directory. The Windows temp directory comes to mind.

Maybe one could be tricked into storing the dll in suitable areas: by
setting the MIME content type at the webserver, you should in theory be
able to tell the browser it's an image, audio, or even a Word document. But
once it's downloaded it will be treated as a dll due to the extension.

Cheerio,

Link.
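One defensive check the thread points at, as an added example that is not part of the original post: a gateway-style audit in Python that classifies attachments by filename extension rather than by the declared MIME type (the trick described above), and flags any attachment whose short name matches a DLL an application will load from the document's own directory. The sample message is constructed, and the SHADOWABLE_DLLS set is an assumption; only RICHED20.DLL comes from the thread.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# DLL names that applications load by short name, so a copy saved next to a
# document wins over the system copy. Illustrative set, assumed for this
# example; RICHED20.DLL is the one named in the thread.
SHADOWABLE_DLLS = {"riched20.dll"}

# Extensions Windows treats as executable code on disk, whatever MIME type
# the sender declared for them (illustrative, not exhaustive).
CODE_EXTENSIONS = {".dll", ".exe", ".ocx", ".scr"}


def audit_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) pairs for attachments a mail gateway
    should hold or strip before they reach a shared attachment directory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                      # container parts and inline text
            continue
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        ctype = part.get_content_type()
        # Decide by extension: a DLL labelled image/gif is still a DLL once saved.
        if ext in CODE_EXTENSIONS:
            findings.append((name, f"executable extension {ext} declared as {ctype}"))
        if lower in SHADOWABLE_DLLS:
            findings.append((name, "name shadows a system DLL loaded by short name"))
    return findings


def build_sample() -> bytes:
    """Constructed sample mail modelled on the demonstration in the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    # Declared as an image so a naive content-type filter waves it through;
    # the payload bytes are a dummy MZ header, not a real DLL.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="image",
                       subtype="gif", filename="RICHED20.DLL")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 12, maintype="application",
                       subtype="msword", filename="report.doc")
    return msg.as_bytes()
```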
