
Qualcomm Eudora attachment spoof



9th Aug 2002 [SBWID-5613]
COMMAND

	Qualcomm Eudora attachment spoof

SYSTEMS AFFECTED

	Eudora 5.1

PROBLEM

	Paul Szabo [psz@maths.usyd.edu.au] from the School of Mathematics and
	Statistics, University of Sydney
	[http://www.maths.usyd.edu.au:8000/u/psz/] says:
	
	A message may refer to attachments of other messages, or  to  any  other
	file. Works well: proper icon, warns "the  file  may  contain  programs"
	when run:
	
	Attachment Converted: "c:\winnt\system32\calc.exe"
	
	Seems "dot  bug"  (filename  ending  with  dot)  is  a  general  Windows
	feature.
	
	Executes without warning (icon OK):
	
	Attachment Converted: "c:\winnt\system32\calc.exe."
	
	Shows README.txt as  attachment  name,  broken  icon,  executes  without
	warning; but if you already have a README.txt then shows  its  icon  and
	"runs" that:
	
	Attachment Converted: "c:\winnt\system32\calc.exe." "\README.txt"
	
	In all cases, the true address is shown in bottom line of window.
	
	As a matter of curiosity, Eudora goes "funny" with an unquoted '>':
	
	Attachment Converted: "c:\winnt\system32\calc.exe" > "\README.txt"
	Attachment Converted: "c:\winnt\system32\calc.exe" > "README.txt"
	
	My attachment directory is  H:\Windows\.eudora\attach;  is  the  default
	setting "C:\Program Files\Qualcomm\Eudora\attach"? Can we find  out  the
	recipient's settings (http://online.securityfocus.com/bid/1653 does  not
	work with Eudora 5.1)?
	
	Suppose I send an attachment "GAME.exe", and hope the recipient does
	not already have an attachment named "GAME.text", then may be able to
	entice him to click and have the exe run: say something like what an
	interesting game, and be sure to read the description even if you do
	not want to play:
	
	Attachment Converted: "h:\windows\.eudora\attach\GAME.exe." "\GAME.text"
	
	Also send the real attachment (should be encoded exe to take over the
	world), e.g.
	
	begin 700 GAME.exe
	,1F]R(&9U;B!O;FQY
	`
	end
	
	
	A curiosity: Eudora is happy to act on a  message  containing  something
	like <x-eudora-option:xyz=1> (you do not even need the  leading  '>',
	am not sure about the trailing '>'). This requires user interaction,  so
	it may not be a security problem.
	
	Eudora also has an "issue" with  decodings  and  line  termination.  The
	following message loses a trailing 'r':
	
	perl -e 'print "Hello\nstranger\n"' | base64-encode
	
	Content-Type: text/plain; charset=us-ascii
	Content-Transfer-Encoding: base64
	
	SGVsbG8Kc3RyYW5nZXIK
	
	

SOLUTION

	Nothing yet.
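
	A gateway-side check for the spoofed marker lines described under PROBLEM,
	as an added example (not code from the advisory or from Qualcomm). It
	assumes the filter sees the message body as received, before the mail
	client processes it, and that the attachment directory is the one quoted
	in the advisory; the function names and finding labels are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Assumption: recipient's attachment directory (the path used in the advisory text).
ATTACH_DIR = PureWindowsPath(r"h:\windows\.eudora\attach")
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
MARKER = re.compile(r"^\s*Attachment Converted:(.*)$", re.IGNORECASE)
QUOTED = re.compile(r'"([^"]*)"')

def check_line(line, attach_dir=ATTACH_DIR):
    """Return sorted findings for one line of a received body ([] if no marker)."""
    m = MARKER.match(line)
    if not m:
        return []
    rest = m.group(1)
    findings = {"marker-in-body"}  # the client did not write this line; the sender did
    names = QUOTED.findall(rest)
    if len(names) != 1:
        findings.add("not-exactly-one-quoted-name")
    if QUOTED.sub("", rest).strip():
        findings.add("unquoted-text")
    for name in names:
        if name != name.rstrip(". "):
            findings.add("trailing-dot-or-space")
        path = PureWindowsPath(name)
        # PureWindowsPath compares case-insensitively and does not collapse "..".
        if path.parent != attach_dir:
            findings.add("outside-attach-dir")
        if PureWindowsPath(name.rstrip(". ")).suffix.lower() in EXECUTABLE:
            findings.add("executable-extension")
    return sorted(findings)

def scan_body(text, attach_dir=ATTACH_DIR):
    """Return [(line_number, findings)] for every marker line in a message body."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = check_line(line, attach_dir)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample body built from the marker lines quoted in the advisory.
SAMPLE = "\n".join([
    "What an interesting game, be sure to read the description:",
    r'Attachment Converted: "h:\windows\.eudora\attach\GAME.exe." "\GAME.text"',
    r'Attachment Converted: "c:\winnt\system32\calc.exe" > "README.txt"',
])

if __name__ == "__main__":
    for number, findings in scan_body(SAMPLE):
        print(number, ", ".join(findings))
```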

