Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: eudora~1.htm

Eudora 5.1 execute arbitrary code



Vulnerability

    Eudora

Affected

    Eudora 5.1

Description

    'http-equiv' found  following.   Silent delivery  and installation
    of an executable on a  target computer.  This can  be accomplished
    with the default installation of the mail client Eudora 5.1:

        - 'allow executables in HTML content' DISABLED
        - 'use Microsoft viewer' ENABLED

    The  manufacturer  done  a  tremendous  job  of  shutting down all
    possibilities of  scripting and  all other  necessaries to achieve
    the following  result.   However there  still remains  a number of
    good possibilities.   One of which  is the following  that we find
    to be quite interesting.

    Using the POWAH! of Internet Explorer, we create yet another  HTML
    mail message as follows:

        <FORM action="cid:master.malware.com" method=post target=new><button type=submit style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><font color=#0000ff><u>http://www.malware.com</u></font></button> </FORM>
        <img SRC="cid:master.malware.com" height=1 width=1><img SRC="cid:http://www.malware.com" height=1 width=1>

    Where  our  first  image  is  our  executable.   Our  second image
    comprises  a  simple  JavaScripting  and  ActiveX  control.   What
    happens is, once the mail message is opened in Eudora 5.1, the two
    'embedded' images  are silently  and instantly  transferred to the
    'Embedded' folder.

    What we then do is create a simple html form and button.  Owing to
    the POWAH! of Internet Explorer, we are able to create this button
    with  a  transparent  background.   In  addition,  we  are able to
    dispose of  the border  of this  button, which  combined with  the
    transparent background gives us nothing.  That is, we have a fully
    functional form and button but we are not able to see it.  We then
    create a fake link and incorporate that into our invisible button.
    We then embed  our simple JavaScripting  and ActiveX control  into
    our invisible button and fire it off to our target computer:

        - before click (screen shot: http://www.malware.com/heydora.jpg 62KB)
        - after click  (screen shot: http://www.malware.com/hey!dora.jpg 62KB)

    The recipient is  then lulled into  clicking on the  "link".  What
    that  does   is  pull   our  html   file  comprising   our  simple
    JavaScripting and ActiveX control  out of the embedded  folder and
    into a new Internet Explorer Window.

    Because our *.exe and our simple JavaScripting and ActiveX control
    reside in the same  folder [the so-called "Embedded'  folder], and
    because it is  automatically opened in  our new Internet  Explorer
    Window, everything is instant.

    No warnings.  No nothing.  The *.exe is executed instantly.

    Working Example.  Harmless *.exe. incorporated.  Tested on  win98,
    with  IE5.5  (all  of  its  patches  and so-called service packs),
    default Eudora 5.1 with 'use Microsoft viewer'  ENABLED and 'allow
    executables in HTML content' DISABLED.

    The following is in  plaintext.  We are  unable to figure out  how
    to import  a single  message into  Eudora's inbox.   Perhaps  some
    bright spark knows.   Otherwise, incorporate the text  sample into
    a telnet session or other and fire off to your Eudora inbox:

        http://www.malware.com/hey!DORA.txt

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH