SecurityTracker.com
Category:   Application (E-mail Client)  >   Eudora
Vendors:   Qualcomm
(More Exploit Methods Described) Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software
SecurityTracker Alert ID:  1001657
SecurityTracker URL:  http://securitytracker.com/id/1001657
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 1 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 5.02 Sponsored Mode
Description:   A vulnerability has been reported in Qualcomm's Eudora e-mail client that allows malicious trojan code to be installed and executed automatically and without warning by an unwitting recipient when the e-mail is read.

The author of the original report has supplied additional methods of performing silent delivery and installation of an executable on a target computer using the default installation of the mail client Eudora 5.1. Read the Source Message for details.

Impact:   An unsuspecting Eudora e-mail client user may inadvertently cause malicious trojan software to be installed and executed by reading a malicious e-mail message.
Solution:   No solution was available at the time of this entry. The author of the report suggests disabling "use Microsoft viewer" and "allow executables in HTML content."
Vendor URL:  www.eudora.com/
Cause:   Access control error
Underlying OS:  Apple (Legacy "classic" Mac), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2001 Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software



 Source Message Contents

Subject:  feeble.hey!dora.exploit part.II


Monday, May 28, 2001 

Silent delivery and installation of an executable on a target computer. This
can be accomplished with the default installation of the mail client Eudora
5.1:

'allow executables in HTML content' DISABLED
'use Microsoft viewer' ENABLED

The manufacturer http://www.eudora.com has done a tremendous job of shutting
down all possibilities of scripting and all other necessaries to achieve the
following result.  See:

http://www.securityfocus.com/bid/2490

However there still remains a number of good possibilities. One of which is
the following that we find to be quite interesting.

1. Using the POWAH! of Internet Explorer, we create yet another HTML mail
message as follows: 

<FORM action="cid:master.malware.com" method=post target=new><button 
type=submit
style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><font
 color=#0000ff><u>http://www.malware.com</u></font></button> </FORM>
<img SRC="cid:master.malware.com" height=1 width=1><img
SRC="cid:http://www.malware.com" height=1 width=1>

Where our first image is our executable. Our second image comprises a simple
JavaScripting and ActiveX control. 

What happens is, once the mail message is opened in Eudora 5.1, the two
'embedded' images are silently and instantly transferred to the 'Embedded'
folder.  

What we then do is create a simple html form and button. Owing to the POWAH!
of Internet Explorer, we are able to create this button with a transparent
background. In addition, we are able to dispose of the border of this
button, which combined with the transparent background gives us nothing.
That is, we have a fully functional form and button but we are not able to
see it.  We then create a fake link and incorporate that into our invisible
button. We then embed our simple JavaScripting and ActiveX control into our
invisible button and fire it off to our target computer:

before click:

(screen shot: http://www.malware.com/heydora.jpg 62KB)

after click:

(screen shot: http://www.malware.com/hey!dora.jpg 62KB)


The recipient is then lulled into clicking on the "link". What that does is
pull our html file comprising our simple JavaScripting and ActiveX control
out of the embedded folder and into a new Internet Explorer Window. 

Because our *.exe and our simple JavaScripting and ActiveX control reside in
the same folder [the so-called 'Embedded' folder], and because it is
automatically opened in our new Internet Explorer Window, everything is
instant.

No warnings. No nothing.

The *.exe is executed instantly. 

2. Working Example. Harmless *.exe. incorporated. Tested on win98, with
IE5.5 (all of its patches and so-called service packs), default Eudora 5.1
with 'use Microsoft viewer'  ENABLED and 'allow executables in HTML content'
DISABLED.

The following is in plaintext. We are unable to figure out how to import a 
single message into Eudora's inbox. Perhaps some bright spark knows.
Otherwise, incorporate the text sample into a telnet session or other and
fire off to your Eudora inbox: 

http://www.malware.com/hey!DORA.txt 


Notes: disable 'use Microsoft viewer' 


---
http://www.malware.com
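
A defender-side check for the message structure described in the source message above, added here as an example (it is not part of the original report or of any Eudora code): it parses a MIME message and flags `cid:` references in HTML parts that resolve to parts whose bytes are an executable or script-bearing HTML, whatever Content-Type they declare. The sample message, its Content-IDs and the finding names are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample: same shape as the message above, with inert placeholder parts.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<form action="cid:part1.example" method=post target=new><button type=submit>x</button></form>
<img src="cid:part1.example" height=1 width=1><img src="cid:part2.example" height=1 width=1>
--b1
Content-Type: image/gif
Content-ID: <part1.example>
Content-Transfer-Encoding: base64

TVqQAA==
--b1
Content-Type: image/gif
Content-ID: <part2.example>

<html><script>/* placeholder */</script></html>
--b1--
"""
CID_REF = re.compile(r'\b(action|src|href)\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
ACTIVE = re.compile(rb'<\s*(script|object|embed|applet)\b', re.I)

def classify(part):
    """Judge a part by its bytes, not its declared Content-Type."""
    data = part.get_payload(decode=True) or b""
    if data[:2] == b"MZ":          # DOS/PE executable header
        return "executable"
    return "active-html" if ACTIVE.search(data) else None

def audit(raw):
    """Return sorted (finding, content-id) pairs for cid: references in HTML parts."""
    msg = message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    by_cid = {p["Content-ID"].strip("<> "): p for p in leaves if p["Content-ID"]}
    found = set()
    for p in (q for q in leaves if q.get_content_type() == "text/html"):
        for attr, cid in CID_REF.findall(p.get_content()):
            if attr.lower() == "action":
                found.add(("form-targets-cid", cid))
            kind = classify(by_cid[cid]) if cid in by_cid else None
            if kind:
                found.add((f"{kind}-via-{attr.lower()}", cid))
    return sorted(found)
```

A mail gateway or triage script could quarantine any message for which `audit()` returns an `executable-` or `active-html-` finding, since a genuine inline image never carries those bytes.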
