RE: MSIE vulnerability exploitable with IncrediMail

From: Thor Larholm (Thorat_private)
Date: Fri Mar 15 2002 - 15:16:53 PST

  • Next message: Magnus Bodin: "MSIE vulnerability exploitable with Eudora (was: IncrediMail)"

    I just downloaded and installed Eudora 5.1 from the vendor's site and tested.
    
    Eudora does indeed store any attachments in its "attach" directory, which in
    my case was "C:\Program Files\Qualcomm\Eudora\attach". This happened at the
    moment of arrival, before I even opened the email.
    
    However, Eudora is not directly subject to this exploit - all <OBJECT> and
    <SCRIPT> tags are automatically filtered out before rendering the HTML
    email. Furthermore, the default install of Eudora seems to run with any
    scripting disabled in its HTML rendering.
    
    So far this is very promising and a nice touch by Qualcomm, and does indeed
    eliminate the possibility of an automated attach-and-run virus. Even when
    embedding an automated refresh in the HTML that forces the preview pane to a
    new page (e.g. <META HTTP-EQUIV="Refresh" CONTENT="1;URL=http://your.tld/evil.html">),
    Eudora will not execute any scripting or ActiveX in "evil.html".
    
    Still, all you need to do from here is a bit of social engineering ("Free
    porn that way! -->") to convince the user that he must click on the link to
    your site (containing the exploit code). When the user clicks a link in
    Eudora, it's opened in his browser instead of inside the preview pane, and
    the exploit code can then run automatically.
    
    
    
    Regards
    Thor Larholm
    Jubii A/S - Internet Programmer
    
    -----Original Message-----
    From: RT [mailto:roelofat_private]
    Sent: 16. marts 2002 01:59
    To: Thor Larholm
    Cc: 'Eric Detoisien'; bugtraqat_private
    Subject: RE: MSIE vulnerability exploitable with IncrediMail
    
    
    Immm...
    
    Eudora Mail .. automatically saves attachments in
    <drive>:\program files\qualcomm\eudora\attachments .. right?
    
    The (very old) version (4.1) that I have sure does that. And even if you
    delete the email itself (after opening), or right-click on the file and
    select delete - the file stays.
    
    So, you just need to get the file in there and have the user visit a
    corrupted web .. and hey.. presto!
    
    Just my 2c on this,
    Roelof.
    
    On Fri, 15 Mar 2002, Thor Larholm wrote:
    
    +Isn't {42D00B20-479C-11d4-9706-00105A40931C} a GUID for your user account,
    +and as such unknown from time to time, making the proposed exploit
    +unfeasible ?
    +
    +
    +Regards
    +Thor Larholm
    +Jubii A/S - Internet Programmer
    +
    +
    
    ------------------------------------------------------
    Roelof W Temmingh               SensePost IT security
    roelofat_private            +27 83 448 6996
    http://www.sensepost.com        http://www.hackrack.com
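The filtering behaviour the thread describes, modelled as an added example (this is not code from the thread, from Qualcomm or from Eudora): active elements such as <OBJECT> and <SCRIPT> are dropped before the HTML mail is rendered, script-bearing attributes are removed, and a <META HTTP-EQUIV="Refresh"> either passes through, as Thor observed, or is dropped by the stricter setting. The remaining clickable http(s) links are listed separately because, in the scenario above, those open in the external browser where the filter no longer applies. The function names, the `allowRefresh` switch and `SAMPLE_MAIL` are assumptions made for this example; the tokenizer is a demonstration of the point, not a production HTML sanitizer (it does not decode entities or handle `>` inside quoted attribute values).

```javascript
// Added example, not code from the thread, from Qualcomm or from Eudora.
// Function names, the allowRefresh switch and SAMPLE_MAIL are assumptions.

// Elements removed together with everything up to their closing tag.
const DROP_WITH_BODY = new Set(["script", "object", "embed", "applet", "iframe", "style"]);

// Splits markup into text, comment and tag tokens. Does not handle ">"
// inside quoted attribute values or decode entities: demonstration only.
function tokenize(html) {
  const tokens = [];
  const re = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let last = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: "text", raw: html.slice(last, m.index) });
    if (m[0].startsWith("<!--")) {
      tokens.push({ type: "comment", raw: m[0] });
    } else {
      tokens.push({ type: "tag", raw: m[0], name: m[1].toLowerCase(), closing: m[0].startsWith("</") });
    }
    last = re.lastIndex;
  }
  if (last < html.length) tokens.push({ type: "text", raw: html.slice(last) });
  return tokens;
}

// Parses the attributes of an opening tag into a lowercase-keyed object.
function attrs(tagRaw) {
  const out = {};
  const body = tagRaw.replace(/^<[a-zA-Z][a-zA-Z0-9]*/, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return out;
}

// Returns the URL of a <META HTTP-EQUIV="Refresh" CONTENT="n;URL=..."> tag, or null.
function refreshTarget(a) {
  if ((a["http-equiv"] || "").toLowerCase() !== "refresh") return null;
  const m = /url\s*=\s*['"]?([^'"\s]+)/i.exec(a.content || "");
  return m ? m[1] : null;
}

function sanitizeHtmlMail(html, { allowRefresh = true } = {}) {
  const out = [];
  const refreshes = [];
  let skipUntil = null; // name of the element whose body is being dropped
  for (const t of tokenize(html)) {
    if (skipUntil) {
      // An unclosed <script> drops the rest of the message: fail closed.
      if (t.type === "tag" && t.closing && t.name === skipUntil) skipUntil = null;
      continue;
    }
    if (t.type === "comment") continue;
    if (t.type === "text") { out.push(t.raw); continue; }
    if (DROP_WITH_BODY.has(t.name)) {
      if (!t.closing && !t.raw.endsWith("/>")) skipUntil = t.name;
      continue;
    }
    if (t.closing) { out.push(t.raw); continue; }
    const a = attrs(t.raw);
    if (t.name === "meta") {
      const url = refreshTarget(a);
      if (url !== null) {
        if (!allowRefresh) continue;
        refreshes.push(url); // the refresh survives filtering, as in the thread
      }
    }
    // Rebuild the tag without on* handlers and without javascript: URLs.
    const kept = [];
    for (const [k, v] of Object.entries(a)) {
      if (k.startsWith("on") || /^\s*javascript:/i.test(v)) continue;
      kept.push(v === "" ? k : `${k}="${v.replace(/"/g, "&quot;")}"`);
    }
    out.push(`<${t.name}${kept.length ? " " + kept.join(" ") : ""}>`);
  }
  return { html: out.join(""), refreshes };
}

// Absolute http(s) link targets left for the reader to click; each opens in
// the system browser, outside the filtered preview pane.
function clickableTargets(html) {
  return tokenize(html)
    .filter((t) => t.type === "tag" && !t.closing && t.name === "a")
    .map((t) => attrs(t.raw).href || "")
    .filter((h) => /^https?:\/\//i.test(h));
}

// Constructed sample message: the refresh from the message above (placeholder
// host), active content that must be dropped, and a lure link.
const SAMPLE_MAIL = [
  "<html><head>",
  '<META HTTP-EQUIV="Refresh" CONTENT="1;URL=http://your.tld/evil.html">',
  '</head><body onload="alert(1)">',
  '<object classid="clsid:00000000-0000-0000-0000-000000000000"><param name="x" value="y"></object>',
  '<script>document.write("pwned")</script>',
  '<p>Your account needs attention: <a href="http://your.tld/evil.html">read more</a></p>',
  '<a href="javascript:alert(2)">click</a>',
  "</body></html>",
].join("\n");

const filtered = sanitizeHtmlMail(SAMPLE_MAIL);
console.log(filtered.html);
console.log("refresh targets:", filtered.refreshes);
console.log("clickable:", clickableTargets(filtered.html));
```

Run with `node`, the output shows the message with the <OBJECT>, <SCRIPT>, `onload` and `javascript:` pieces gone, the refresh still pointing at `http://your.tld/evil.html`, and that same URL as the one link a reader can click into the browser; `sanitizeHtmlMail(SAMPLE_MAIL, { allowRefresh: false })` removes the refresh as well, which is the setting a mail client that does not want the preview pane redirected would choose.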
    



    This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 18:28:09 PST