Bugtraq mailing list archives
Exploit using Eudora and the Guninski hole
From: Louis-Eric Simard <Louis-Eric () SIMARD COM>
Date: Tue, 19 Sep 2000 15:47:03 -0400
SIMARD SECURITY ADVISORY 20000919.1 by Louis-Eric Simard, Security Consultant (Louis-Eric () Simard com) RELEASE DATE September 19th 2000 TESTED SYSTEMS Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora have not been tested. SYNOPSIS A malicious intruder can easily take control of a Windows environment by simply sending one or more e-mails containing attachments conforming to the description set in the Georgi Guninski security advisory #21 if the receiver is using Eudora as a mail client. PROBLEM DESCRIPTION Eudora saves all attachments in a single directory upon receiving the mail; a mail message need not be open for its attachment to be decoded and saved in that common directory. An intruder need only send an e-mail with a trojaned DLL as described in the Guninski advisory, along with or followed by an e-mail containing a Word document. DEMONSTRATION A dummy RICHED20.DLL file is attached here. To test the security hole, simply mail this file along with the supplied (or any) Word file, then click on the Word file. After a few seconds, a message box titled "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded." ACKNOWLEDGEMENTS Gergi Guninski for pointing out this issue in the first place. COMMENTS Please send suggestions, updates and comments to Louis-Eric () Simard com. DISCLAIMER Louis-Eric Simard and The Freedom Factory, Inc. are not responsible for the misuse of any of the information they provide through their security advisories. Our advisories are a service to the information security community intended to promote safe computing practices and warn users of possible security breaches. The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author(s) be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. COPYRIGHT This advisory and acocmpanying document(s), if any, are the property of The Freedom Factory, Inc. All rights reserved.
Attachment:
Test.doc
Description:
Attachment:
RICHED20.dll
Description:
Current thread:
- Exploit using Eudora and the Guninski hole Louis-Eric Simard (Sep 19)
- Re: Exploit using Eudora and the Guninski hole Lincoln Yeoh (Sep 20)
- Re: Exploit using Eudora and the Guninski hole David LeBlanc (Sep 21)
- Re: Exploit using Eudora and the Guninski hole Signal 11 (Sep 22)
- Re: Exploit using Eudora and the Guninski hole Nick FitzGerald (Sep 21)