Full Disclosure mailing list archives

From: full-disclosure () lists netsys com (http-equiv () excite com)
Date: Wed, 24 Jul 2002 12:49:11 -0000

Tuesday, July 23, 2002

Trivial silent delivery and installation of an executable on a target 
computer. This can be accomplished with the default installation of 
the mail client Eudora 5.1.1: 

'allow executables in HTML content' DISABLED 
'use Microsoft viewer' ENABLED 

The manufacturer http://www.eudora.com has done a tremendous job of 
shutting down all possibilities of scripting and all other 
necessaries to achieve the following result. See: 


In the instance of BID4343 under the original discussions of 
GreyMagic Software's findings:

url: http://online.securityfocus.com/archive/1/263658

we found at the time, utilising our old friend the very simple 
HTTP-EQUIV meta tag known as refresh, that it remained ungoverned by 
the security settings of Eudora, that is, it was fully functional with 
'allow executables in HTML content' disabled. At that time the meta 
refresh would open whatever files it was pointed at, inside the 
Microsoft Viewer of Eudora [inside the email message itself].

Today we find that while our old friend the very simple HTTP-EQUIV 
meta tag known as refresh still remains ungoverned by the security 
settings of Eudora, it forces open a new browser window instead. 
Furthermore, this new window does not appear to accept 'url' protocols 
like about:, javascript:, etc.

Sounds good. 

In addition to these extraordinary measures, hardened security 
warnings are incorporated as well for seemingly innocent files like 

[screen shot: http://www.malware.com/boopra.png 54KB]

Sounds even better.

File types appear to open with whatever association has been 
assigned to them, e.g. *.txt will open with notepad, *.gif with 
whatever. All through the meta refresh tag:


is that the manufacturer left out an important file type to consider: 
the *.mhtml file. This is automatically opened by Internet Explorer 
via the meta refresh without any warning whatsoever i.e. the same 
warning given to *.html.

So What:

So all we have to do is embed in our mail message [again!] two 

i) malware.mhtml which contains our ActiveX control
ii) malware.exe which is our friendly executable

In the mail message we reference our malware.mhtml with the meta 
refresh tag and point it to our known location on default install of 
Eudora on win98.

So once [again!] someone receives the mail message, both files 
embedded are silently and instantly transferred to the embedded 
folder. The meta refresh then springs open the *.mhtml file inside 
the embedded folder without warning, in our conveniently opened new 
browser window courtesy of the meta refresh, and bang! it runs the 
*.exe via the ActiveX control.
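A defensive check for the pattern just described, added here and not taken from the original post or from Eudora: a mail-gateway scan that flags HTML message parts whose meta refresh points at an MHTML file or at a local path instead of a web site. The function names, the sample message and the PLACEHOLDER_ATTACH_DIR path are assumptions made for the example.

```python
import re
from email import message_from_string

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
URL_PART_RE = re.compile(r"""^\s*url\s*=\s*['"]?(.*?)['"]?\s*$""", re.IGNORECASE | re.DOTALL)
LOCAL_RE = re.compile(r"^(file:|[a-z]:[\\/]|\\\\|\.{1,2}[\\/])", re.IGNORECASE)

def refresh_targets(html: str) -> list:
    """Collect the target URL of every <meta http-equiv="refresh"> in an HTML body."""
    targets = []
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v1 or v2 or v3 for k, v1, v2, v3 in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            continue
        parts = attrs.get("content", "").split(";", 1)  # "0; url=..." -> ["0", " url=..."]
        m = URL_PART_RE.match(parts[1]) if len(parts) == 2 else None
        if m:
            targets.append(m.group(1))
    return targets

def assess(url: str) -> "str | None":
    """Say why a refresh target is unwanted in mail, or None if it looks ordinary."""
    path = url.split("?", 1)[0].split("#", 1)[0].strip()
    if path.lower().endswith((".mhtml", ".mht")):
        return "refresh into an MHTML file, which the browser opens like plain HTML"
    if LOCAL_RE.match(path):
        return "refresh into a local path rather than a web site"
    return None

def scan_message(raw: str) -> list:
    """Walk an RFC 822 message and return (target, reason) for each unwanted refresh."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "latin-1", "replace")
        findings += [(u, r) for u in refresh_targets(body) if (r := assess(u))]
    return findings

# Constructed sample message (hypothetical); the attachment folder path is a placeholder.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><head>
<meta http-equiv="Refresh" content="0; URL='file:///C:/PLACEHOLDER_ATTACH_DIR/sample.mhtml'">
</head><body>hello</body></html>
"""
```

Run `scan_message(SAMPLE)` to see the flagged target and reason; a gateway would quarantine or strip the tag rather than rely on the client's 'allow executables' setting, which the post reports does not govern meta refresh.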

Working Example:

Harmless *.exe incorporated. Tested on win98, with IE6.00 (all of 
its patches and so-called service packs), default Eudora 5.1.1 with:

'use Microsoft viewer' ENABLED 
'allow executables in HTML content' DISABLED. 

The following is in plaintext. We are unable to figure out how to 
import a single message into Eudora's inbox. Perhaps some bright 
spark knows. Otherwise, incorporate the text sample into a telnet 
session or other and fire off to your Eudora inbox: 


Notes: disable 'use Microsoft viewer' 

