


How the Eudora "Stealth Attachment" trick, which bypasses Eudora's warning about running attachments, works




How the "Stealth Attachment" trick works

bennett@peacefire.org

Exploit:
Grants a remote user the ability to run arbitrary code on your computer by
sending you an email message containing what appears to be an http:// link.
The attack succeeds if you read the message in Eudora and click on the link.

Requirements:

  1. The remote user must know that you are using Eudora. If you have ever
     sent them mail, they will have this information since messages sent
     with Eudora include an X-Mailer header like:
     X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
  2. The remote user must know the full path to the directory where your
     attachments are extracted to. This is easy to guess since it is
     usually one of:
     C:\Eudora\Attach\
     for version 3.x,
     C:\Program Files\Qualcomm\Eudora Pro\Attach\
     for Eudora Pro version 4.x, or
     C:\Program Files\Qualcomm\Eudora\Attach\
     for Eudora 4.3 or later. (Beginning with version 4.3, Eudora Light and
     Eudora Pro were merged into one version; Eudora 4.3 can operate either
     in "free mode" and display advertisements, or in "paid mode" without
     the ads if you pay a registration fee.) Because the remote user can
     see the version number in the X-Mailer header, they can guess where
     the attachments directory is likely to be located.

How it works

The key vulnerability in Eudora is that it does not warn you if you click
on a link pointing to a .lnk file. (This is the file extension for Windows
shortcut files. Normally this extension is not visible in Windows
Explorer, even if you have Windows Explorer set to "display file extensions
for known file types".) Eudora already warns you if you click on a link to
a file with the extension .exe, .com, or .bat, but it does not warn you
about .lnk files. So a simple way of exploiting this would be to send the
user two attachments:

   * an .exe file, e.g. "spy.exe"
   * a .lnk file, e.g. "spy.lnk", that pointed to
     C:\Eudora\Attach\spy.exe
     (this is the reason why you need to know the directory where the
     recipient's attachments are extracted to)

By itself, this trick would not be very useful. A naive user might click on
an attached .lnk file, and Eudora wouldn't warn them -- but a more
experienced user would probably realize that there was something suspicious
about a .lnk file sent to them by email.

For the trick to be more effective, the user should think that they are
clicking on a link in a Eudora mail message. When a message containing an
http:// URL is displayed in Eudora, the URL is automatically turned into a
hyperlink, so that you can click on the URL and it will load in your
default browser:

http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/

Since Eudora renders HTML mail, though, you can send the recipient an HTML
email message formatted so that the link looks like it points one place
but really points somewhere else. The following HTML:

<a href="file:///c:/eudora/attach/spy.lnk"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>

will be rendered in a Eudora email message as:

http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/

When the user views this message, it looks exactly as if someone has
emailed them a plain-text message with a link in it. (In order to look
"exactly like plain text email", of course, the message should not contain
any HTML features like fonts or styled text.) When the user clicks on the
link, the shortcut "spy.lnk" is launched, causing the program "spy.exe" to
run. (For the user not to notice anything suspicious, "spy.exe" should run
invisibly, and should also open the URL
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
in the user's browser, which is what the user is expecting.)

Lastly, for the trick to be effective, the user should not see any
reference to the attachments that were sent with the message. (By default,
Eudora displays attachments in the message body with an icon and the line
"Attachment converted:".) To hide the attachment icons, insert the lines

<x-html><!--

and

--></x-html>

around the attachments in the message. This way, the user will not see any
reference to an extracted .exe or .lnk file, and the message will look
exactly like a normal plain text message containing an http:// link.
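The following Python script is an added example, not part of the original advisory, showing how a mail filter could spot the three ingredients described above: an href whose scheme or host differs from the URL shown as the link text, a file: link to a launchable extension such as .lnk, and an HTML comment (the <x-html><!-- ... --></x-html> wrapper) hiding content from the reader. The two sample messages, their addresses and subjects are constructed; the anchor and the wrapper inside them are the ones from the text. The mismatch check is more general than the file: case the advisory shows: it flags any link whose visible text is a URL that does not match where the href actually goes.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never be reachable from a link in mail without a
# warning: the advisory's list of warned extensions plus lnk.
LAUNCHABLE = {"exe", "com", "bat", "cmd", "pif", "reg", "lnk"}

# Constructed sample message (hypothetical addresses and subject). The anchor
# and the <x-html><!-- --></x-html> wrapper are the constructs the advisory
# describes; the attachment parts themselves are not reproduced here.
STEALTH_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: worth a look
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Content-Type: text/html

<a href="file:///c:/eudora/attach/spy.lnk"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>

<x-html><!--
attachment parts would sit here so the "Attachment converted:" lines are hidden
--></x-html>
"""

# Constructed control message: same visible link, honest href, no comment.
HONEST_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: worth a look
Content-Type: text/html

<a href="http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>
"""


class LinkAuditor(HTMLParser):
    """Collects (kind, detail) findings from one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def handle_comment(self, data):
        # A comment with real content in a mail body is hiding something from
        # the reader; the advisory uses exactly this to hide attachment icons.
        if data.strip():
            self.findings.append(("hidden_comment", data.strip()[:60]))

    def _check_link(self, href, text):
        target = urlparse(href)
        if target.scheme.lower() == "file":
            ext = target.path.rpartition(".")[2].lower()
            kind = "file_link_launchable" if ext in LAUNCHABLE else "file_link"
            self.findings.append((kind, href))
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text)
            if (shown.scheme.lower(), shown.netloc.lower()) != (
                target.scheme.lower(), target.netloc.lower()
            ):
                self.findings.append(
                    ("mismatched_link", f"shows {text} but opens {href}")
                )


def audit_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auditor = LinkAuditor()
            auditor.feed(part.get_content())
            auditor.close()
            findings.extend(auditor.findings)
    return findings


if __name__ == "__main__":
    for kind, detail in audit_message(STEALTH_MESSAGE):
        print(f"{kind}: {detail}")
```

Treat "mismatched_link" on its own as a reason to look closer rather than a verdict, since some legitimate mailers route a URL-looking link through a different tracking host; a file: link to a launchable extension, or a non-empty comment in a mail body, is a much stronger indicator and is what distinguishes this trick from ordinary HTML mail.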

Recommended fix

QUALCOMM recommends that users edit their Eudora.ini file and add the
following line:

WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|

to the "[Settings]" section. (The default is to warn for all of these
extensions except "lnk".) Note the trailing "|" at the end: the Eudora
parser in effect treats "|" as terminating each entry rather than
separating entries, so without the trailing "|" the final "lnk" entry is
not honoured. This can confuse users who read "|" as "or" and expect no
trailing "|" to be needed, but it is required.

Qualcomm has said that the next version of Eudora will warn for .lnk files
as well by default.
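As an added example (not code from Qualcomm or from the advisory), the following Python checks a Eudora.ini for the WarnLaunchExtensions setting and applies the fix above while honouring the trailing-"|" rule: it treats whatever follows the last "|" as an unterminated entry that Eudora would not act on, an assumption drawn from the advisory's note, and it assumes that an absent key means Eudora's built-in default, which the advisory gives as the list without "lnk". The sample ini contents are constructed.

```python
KEY = "WarnLaunchExtensions"

# Built-in behaviour when the key is absent, as stated in the advisory:
# every listed extension except lnk (assumption: absence means this default).
DEFAULT_WARN_LIST = "exe|com|bat|cmd|pif|htm|do|xl|reg|"

# Constructed Eudora.ini fragment; values other than WarnLaunchExtensions are
# hypothetical, and WarnLaunchExtensions holds the default list (no lnk).
ORIGINAL_INI = """\
[Settings]
RealName=Example User
POPAccount=user@example.com
WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|
[Window]
Main=0 0 800 600
"""


def parse_warn_list(value):
    """Entries are terminated, not separated, by '|': whatever follows the
    last '|' is an unterminated entry that is ignored (per the advisory)."""
    pieces = value.split("|")
    return [p.strip().lower() for p in pieces[:-1] if p.strip()]


def _settings_lines(lines):
    """Yield (index, key, value) for key=value lines inside [Settings]."""
    in_settings = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_settings = stripped.lower() == "[settings]"
        elif in_settings and "=" in stripped:
            k, v = stripped.split("=", 1)
            yield i, k.strip(), v.strip()


def get_setting(ini_text, key):
    for _, k, v in _settings_lines(ini_text.splitlines()):
        if k.lower() == key.lower():
            return v
    return None


def warns_for(ini_text, ext):
    """Would Eudora warn before launching a file with this extension?"""
    value = get_setting(ini_text, KEY)
    if value is None:
        value = DEFAULT_WARN_LIST
    return ext.lower() in parse_warn_list(value)


def harden_ini(ini_text):
    """Return ini_text with WarnLaunchExtensions guaranteed to contain lnk|,
    keeping any extensions the user already listed."""
    lines = ini_text.splitlines()
    for i, k, v in _settings_lines(lines):
        if k.lower() == KEY.lower():
            if not v.endswith("|"):
                v += "|"            # terminate a dangling last entry
            if "lnk" not in parse_warn_list(v):
                v += "lnk|"
            lines[i] = f"{KEY}={v}"
            return "\n".join(lines) + "\n"
    # Key missing: start from the built-in default and add lnk.
    new_line = f"{KEY}={DEFAULT_WARN_LIST}lnk|"
    for i, line in enumerate(lines):
        if line.strip().lower() == "[settings]":
            lines.insert(i + 1, new_line)
            break
    else:
        lines += ["[Settings]", new_line]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before: warns for lnk?", warns_for(ORIGINAL_INI, "lnk"))
    fixed = harden_ini(ORIGINAL_INI)
    print("after:  warns for lnk?", warns_for(fixed, "lnk"))
    print(get_setting(fixed, KEY))
```

Run it against a copy of Eudora.ini rather than the live file while Eudora is running, since Eudora rewrites the file on exit and can discard an edit made underneath it.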

