Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: MSIE vulnerability exploitable with IncrediMail
From: Thor Larholm <Thor () jubii dk>
Date: Sat, 16 Mar 2002 00:16:53 +0100

I just downloaded and installed Eudora 5.1 from the vendors site and tested.

Eudora does indeed store any attachments in its "attach" directory, which in
my case was "C:\Program Files\Qualcomm\Eudora\attach". This happened at the
moment of arrival, before I even opened the email.

However, Eudora is not directly subject to this exploit - all <OBJECT> and
<SCRIPT> tags are automatically filtered out before rendering the HTML
email. Furthermore, the default install of Eudora seems to run with any
scripting disabled in its HTML rendering.

So far this is very promising and a nice touch by Qualcomm, and does indeed
eliminate the possibility of an automated attach-and-run virus. Even when
embedding an automated refresh in the HTML that forces the preview pane to a
new page ( e.g. <META
HTTP-EQUIV="Refresh" CONTENT="1;URL=http://your.tld/evil.html";> ), Eudora
will not execute any scripting or ActiveX in "evil.html".

Still, all you need to do from here is a bit of social engineering ("Free
porn that way! -->") to convince the user that he must click on the link to
your site (containing the exploit code). When the user clicks a link in
Eudora, it's opened in his browser instead of inside the preview pane, and
the exploit code can then run automatically.



Regards
Thor Larholm
Jubii A/S - Internet Programmer

-----Original Message-----
From: RT [mailto:roelof () sensepost com]
Sent: 16. marts 2002 01:59
To: Thor Larholm
Cc: 'Eric Detoisien'; bugtraq () securityfocus com
Subject: RE: MSIE vulnerability exploitable with IncrediMail


Immm...

Eudora Mail .. automatically saves attachments in <drive>:\program
files\qualcomm\eudora\attachments .. right?

The (very old) version (4.1) that I have sure does that. And even if you
delete
the email itself (after opening), or right click on the file and selecting
delete -
the file stays.

So, you just need to get the file in there and have the user visit a
corrupted
web .. and hey.. presto!

Just my 2c on this,
Roelof.

On Fri, 15 Mar 2002, Thor Larholm wrote:

+Isn't {42D00B20-479C-11d4-9706-00105A40931C} a GUID for your user account,
+and as such unknown from time to time, making the proposed exploit
+unfeasable ?
+
+
+Regards
+Thor Larholm
+Jubii A/S - Internet Programmer
+
+

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com            +27 83 448 6996
http://www.sensepost.com        http://www.hackrack.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault