Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Exploit using Eudora and the Guninski hole
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 20 Sep 2000 14:35:39 +0800

At 03:47 PM 19-09-2000 -0400, Louis-Eric Simard wrote:
  Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
have not been tested.

  Eudora saves all attachments in a single directory upon receiving the
mail; a mail message need not be open for its attachment to be decoded
  and saved in that common directory. An intruder need only send an e-mail
with a trojaned DLL as described in the Guninski advisory, along with
  or followed by an e-mail containing a Word document.

  A dummy RICHED20.DLL file is attached here. To test the security hole,
simply mail this file along with the supplied (or any) Word file, then
  click on the Word file. After a few seconds, a message box titled
"Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."

Earlier versions of Eudora (1.x - 3.x) should thus be vulnerable as well
since it's common for users to have a single attachment directory.

It's not even necessary to send a word document. Once the dll is there, if
the user opens OTHER suitable documents in the same directory, the trojan
dll will be loaded.

This is what makes it more dangerous.

Being subscribed to Bugtraq is getting rather more hazardous, I sure hope
Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
is different from my office attachment directory.

But in the future we could see something like "binary chemical weapons"
where non or sublethal payloads combine to create a lethal payload.

This can make detection harder, as the various payloads could come from
different sources. And the trigger could be from an innocent party.

We probably can't use the "binary" term in this field as it would be
confusing and redundant. "Beware of binary dlls" yeah right ;).

I am sure there are other cases where things are dumped into the same
directory. The windows temp directory comes to mind.

Maybe one could be tricked into storing the dll in suitable areas- by
setting the MIME content type at the webserver, you should in theory be
able to tell the browser it's an image, audio, or even word document. But
once it's downloaded it will be treated as a dll due to the extension.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]