[16854] in bugtraq
Re: Exploit using Eudora and the Guninski hole
daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Thu Sep 21 13:11:41 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <200009201658.EAA26976@fep4-orange.clear.net.nz>
Date: Thu, 21 Sep 2000 04:53:28 +1200
Reply-To: nick@virus-l.demon.co.uk
From: Nick FitzGerald <nick@VIRUS-L.DEMON.CO.UK>
X-To: Louis-Eric Simard <Louis-Eric@SIMARD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.3.2.7.0.20000919154657.02cbd9f8@getmail.simard.com>
> SIMARD SECURITY ADVISORY 20000919.1
> by Louis-Eric Simard, Security Consultant (Louis-Eric@Simard.com)
<<snip>>
> TESTED SYSTEMS
> Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
> have not been tested.
...but most older ones (going *way* back to early Win16
implementations) are also vulnerable.
> SYNOPSIS
> A malicious intruder can easily take control of a Windows environment by
> simply sending one or more e-mails containing attachments conforming to
> the description set in the Georgi Guninski security advisory #21 if the
> receiver is using Eudora as a mail client.
>
> PROBLEM DESCRIPTION
> Eudora saves all attachments in a single directory upon receiving the
> mail; a mail message need not be open for its attachment to be decoded
> and saved in that common directory. An intruder need only send an e-mail
> with a trojaned DLL as described in the Guninski advisory, along with
> or followed by an e-mail containing a Word document.
Always hated that option. I couldn't see why anyone with a hint of a
clue about security would like it. Was dumb-founded it was ever made
the default...
> DEMONSTRATION
<<snip>>
> ACKNOWLEDGEMENTS
<<snip>>
> COMMENTS
<<snip>>
> DISCLAIMER
<<snip>>
The advisory would have been better had you mentioned that although
this is the *default* behaviour of Eudora, it is configurable and can
be easily disabled. There have been other exploits based on the
utter predictability of this behaviour -- anyone still running Eudora
with this option enabled needs their head read.
Regards,
Nick FitzGerald
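The chain the quoted advisory describes, modelled in Python as an added illustration (this is not code from the advisory, from Eudora, or from the Guninski advisory). It assumes the DLL search order Windows used before SafeDllSearchMode (application directory, then the process's current directory, then the system directories, then PATH), uses a placeholder library name, example.dll, for whatever the document viewer loads from the current directory, and builds a constructed directory tree in a temp dir so it runs offline. The second function, planted_dlls, is the audit check a practitioner would want: a DLL sitting in a shared attachment directory next to documents has no legitimate reason to be there.

```python
"""Model of the Eudora + DLL-planting chain discussed in the thread.

Added illustration, not code from the advisory, from Eudora or from the
Guninski advisory. Assumes the legacy Windows DLL search order and a
placeholder library name (example.dll).
"""
import tempfile
from pathlib import Path

# Assumption: document types a viewer such as Word opens from the attachment dir.
DOCUMENT_SUFFIXES = {".doc", ".dot", ".rtf"}


def legacy_search_order(app_dir, cwd, system_dirs, path_dirs):
    """Directories probed, in order, for a DLL under the legacy search rules.

    The current directory comes BEFORE the system directories; that ordering
    is the property the planted-DLL attack relies on.
    """
    order = [Path(app_dir), Path(cwd)]
    order += [Path(d) for d in system_dirs]
    order += [Path(d) for d in path_dirs]
    return order


def resolve_dll(dll_name, search_order):
    """Return the first file named dll_name found along search_order.

    Names compare case-insensitively, as on Windows. Returns None if absent.
    """
    for directory in search_order:
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == dll_name.lower():
                return entry
    return None


def planted_dlls(attachment_dir):
    """Audit check for a shared attachment directory.

    Any DLL sitting next to a document is suspect: a mail attachment never
    needs to be a DLL, and a viewer started from here will pick it up first.
    """
    files = [p for p in Path(attachment_dir).iterdir() if p.is_file()]
    has_docs = any(p.suffix.lower() in DOCUMENT_SUFFIXES for p in files)
    dlls = sorted(p.name for p in files if p.suffix.lower() == ".dll")
    return dlls if has_docs else []


def build_demo_tree():
    """Constructed layout (sample data, not a real install):
    the viewer in app_dir, a genuine example.dll in system32, and Eudora's
    single attachment directory holding a bait document plus a trojaned
    example.dll that arrived as a separate, never-opened attachment."""
    root = Path(tempfile.mkdtemp(prefix="eudora_demo_"))
    app_dir = root / "Program Files" / "Microsoft Office"
    system32 = root / "WINNT" / "system32"
    attach = root / "Eudora" / "Attach"
    for d in (app_dir, system32, attach):
        d.mkdir(parents=True)
    (app_dir / "winword.exe").write_text("viewer")
    (system32 / "example.dll").write_text("genuine")
    (attach / "invoice.doc").write_text("bait document")
    (attach / "example.dll").write_text("trojaned")
    return root, app_dir, system32, attach


def demo():
    """Resolve example.dll twice: once with the attachment directory as the
    viewer's current directory (what double-clicking the attachment does),
    once with a harmless current directory. Also run the audit check."""
    root, app_dir, system32, attach = build_demo_tree()
    hijacked = resolve_dll(
        "example.dll", legacy_search_order(app_dir, attach, [system32], []))
    clean = resolve_dll(
        "example.dll", legacy_search_order(app_dir, app_dir, [system32], []))
    return {
        "loaded_with_cwd_attach": hijacked.read_text(),
        "loaded_with_cwd_app": clean.read_text(),
        "suspect_in_attach_dir": planted_dlls(attach),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit: nothing in the chain requires the victim to open the mail carrying the DLL. Eudora's automatic decode drops it into the shared directory; the later document attachment only has to be opened from that same directory for the current-directory lookup to win over the system copy. Disabling the automatic-decode option, or at least keeping attachments out of the directory documents are opened from, breaks the chain.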