Subject: Mitigators for possible exploit of Eudora via Guninski #21,2000
From: Russ (Russ.CooperRC.ON.CA)
Date: Thu Sep 21 2000 - 14:12:18 CDT


Folks,

Further discussions of Guninski Security Advisory #21,2000 on Bugtraq have
brought to light at least one way the automatic launching of .dlls by Office
documents can cause a remote security exploit.

Eudora, all versions (I believe), stores attachments automatically into a
directory specified by the user (either at installation time or from command
line execution). Whenever a Eudora user POPs an email message from their
mail server, any attachments accompanying the message are automatically
stored on the user's hard disk without prompting.

Since the Guninski exploit involves having a trojan or malicious .dll in a
known location (where a subsequent Office document could call it from), this
fact in the operation of Eudora makes it particularly vulnerable to such
attack attempts.

Note, there are other ways to use the Guninski exploit that don't involve
Eudora, so it should not be construed as strictly a Eudora problem (see my
earlier message on this subject). Further, what follows is not meant to be
comprehensive, or a guaranteed method to prevent use of the exploit.
Instead, the list below constitutes things a user can do to help minimize
the window of opportunity.

In an attempt to be proactive, the following suggestions are offered for
your consideration:

1. Filter attachments at your mail gateway, and in particular filter any
.dll attachments.

2. Eudora can have multiple copies in memory at the same time. Each can be
invoked with its own command line, which can include a unique data directory
specification. In this way, sensitive mail, say from public mailing lists
which might contain malicious code, could be retrieved into its own (more
restricted) data directory. Of course this would require multiple mail
accounts also.

3. On NT/W2K you could set permissions on the data directory to deny Execute
permissions, which should prevent a .dll from being executed from there (not
tested). Win9x does not offer similar controls.

4. The Eudora.ini file contains:

AutoReceiveAttachmentsDirectory=

which can be configured to point to a more secured location (where execute
can be denied). Might also be able to point it to a non-existent directory
to avoid attachments altogether (but this would likely cause numerous error
messages).

5. Eudora supplies a pop-up warning about opening attachments. This is
controlled with the following INI entry:

WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|

Obviously extensions for Office documents can be included here, and while
this won't prevent the calling of the .dll from the Office doc, it should be
configured to prevent the Office doc itself from being launched. See:

http://www.officeupdate.com/2000/articles/Out2ksecFAQ.htm

for a recommended list of extensions to warn on.

6. Keep tabs on what's in your attachments directory by viewing it
regularly. While this may not prevent an exploit, getting into this habit
may help to minimize the potential for exploitation by a two-step injection
(one message drops the .dll, another calls it).

7. Load Microsoft Word (if you use it) in your Startup Group. This is a
short-term solution and not likely going to prevent many future attacks,
however doing so will load the requisite .dlls and place them in memory from
known locations (determined by Word rather than by a Word document).

Compiled with the assistance of ICSA.net folks...

David LeBlanc also added another good mitigator. Place a copy of the various
.dlls into your Eudora attachment data directory. As an interim, place
RICHED20.DLL and MSI.DLL. Remember, however, that these files will not be
updated should they be modified by some future service pack or hotfix (or
new application).

Again, try any or all of the above as you're able.

Cheers,
Russ
