Subject: Re: Exploit using Eudora and the Guninski hole
From: Lincoln Yeoh (lyeoh POP.JARING.MY)
Date: Wed Sep 20 2000 - 01:35:39 CDT
- In reply to: Louis-Eric Simard: "Exploit using Eudora and the Guninski hole"
At 03:47 PM 19-09-2000 -0400, Louis-Eric Simard wrote:
> TESTED SYSTEMS
> Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
> have not been tested.
>
> PROBLEM DESCRIPTION
> Eudora saves all attachments in a single directory upon receiving the
> mail; a mail message need not be open for its attachment to be decoded
> and saved in that common directory. An intruder need only send an e-mail
> with a trojaned DLL as described in the Guninski advisory, along with
> or followed by an e-mail containing a Word document.
>
> DEMONSTRATION
> A dummy RICHED20.DLL file is attached here. To test the security hole,
> simply mail this file along with the supplied (or any) Word file, then
> click on the Word file. After a few seconds, a message box titled
> "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."
Earlier versions of Eudora (1.x - 3.x) should thus be vulnerable as well
since it's common for users to have a single attachment directory.

It's not even necessary to send a Word document. Once the dll is there, if
the user opens OTHER suitable documents in the same directory, the trojan
dll will be loaded.

This is what makes it more dangerous.

Being subscribed to Bugtraq is getting rather more hazardous, I sure hope
Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
is different from my office attachment directory.

But in the future we could see something like "binary chemical weapons"
where non- or sublethal payloads combine to create a lethal payload.

This can make detection harder, as the various payloads could come from
different sources. And the trigger could be from an innocent party.

We probably can't use the "binary" term in this field as it would be
confusing and redundant. "Beware of binary dlls" yeah right ;).

I am sure there are other cases where things are dumped into the same
directory. The Windows temp directory comes to mind.

Maybe one could be tricked into storing the dll in suitable areas - by
setting the MIME content type at the webserver, you should in theory be
able to tell the browser it's an image, audio, or even Word document. But
once it's downloaded it will be treated as a dll due to the extension.

Cheerio,
Link.
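
A defender-side audit for the co-location problem discussed in this thread, as an added example that is not part of the original post or the advisory: it walks an attachment, download or temp directory, flags every DLL it finds (by `.dll` name or by PE header, so a declared MIME type is never trusted) and lists the documents sitting beside it. The `DOC_EXTS` list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

# Assumption: extensions treated as "documents whose viewer may load a DLL".
DOC_EXTS = {".doc", ".dot", ".rtf", ".xls", ".ppt"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL image

def is_pe_dll(path):
    """Return True if the file is a PE image with the DLL flag set."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            f.seek(struct.unpack_from("<I", dos, 0x3C)[0])  # e_lfanew
            pe = f.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return False
    if len(pe) < 24 or pe[:4] != b"PE\0\0":
        return False
    return bool(struct.unpack_from("<H", pe, 22)[0] & IMAGE_FILE_DLL)

def audit_directory(root):
    """List DLLs under root with the documents sharing each one's directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(n for n in files
                      if os.path.splitext(n)[1].lower() in DOC_EXTS)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            pe = is_pe_dll(path)
            if pe or name.lower().endswith(".dll"):
                findings.append({"dll": path, "is_pe": pe,
                                 "documents_beside_it": docs})
    return findings

def write_sample(root):
    """Constructed sample: a header-only fake DLL next to a dummy document."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x2)
    with open(os.path.join(root, "RICHED20.DLL"), "wb") as f:
        f.write(dos + b"PE\0\0" + coff)
    with open(os.path.join(root, "report.doc"), "wb") as f:
        f.write(b"constructed placeholder, not a real Word file")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        print(audit_directory(d))
```

Any finding with a non-empty `documents_beside_it` list is the situation described above: a DLL that will be picked up when one of those documents is opened from that directory.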