Bugtraq mailing list archives

Exploit using Eudora and the Guninski hole


From: Louis-Eric Simard <Louis-Eric () SIMARD COM>
Date: Tue, 19 Sep 2000 15:47:03 -0400



SIMARD SECURITY ADVISORY 20000919.1
by Louis-Eric Simard, Security Consultant (Louis-Eric () Simard com)


  RELEASE DATE
  September 19th 2000

  TESTED SYSTEMS
  Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
  have not been tested.

  SYNOPSIS
  A malicious intruder can easily take control of a Windows environment by
  simply sending one or more e-mails containing attachments conforming to
  the description set in the Georgi Guninski security advisory #21 if the
  receiver is using Eudora as a mail client.

  PROBLEM DESCRIPTION
  Eudora saves all attachments in a single directory upon receiving the
  mail; a mail message need not be open for its attachment to be decoded
  and saved in that common directory. An intruder need only send an e-mail
  with a trojaned DLL as described in the Guninski advisory, along with
  or followed by an e-mail containing a Word document.

  DEMONSTRATION
  A dummy RICHED20.DLL file is attached here. To test the security hole,
  simply mail this file along with the supplied (or any) Word file, then
  click on the Word file. After a few seconds, a message box titled
  "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."

  ACKNOWLEDGEMENTS
  Georgi Guninski for pointing out this issue in the first place.

  COMMENTS
  Please send suggestions, updates and comments to Louis-Eric () Simard com.

  DISCLAIMER
  Louis-Eric Simard and The Freedom Factory, Inc. are not responsible for
  the misuse of any of the information they provide through their security
  advisories. Our advisories are a service to the information security
  community intended to promote safe computing practices and warn users of
  possible security breaches. The information within this document may
  change without notice. Use of this information constitutes acceptance for
  use in an AS IS condition. There are NO warranties with regard to this
  information. In no event shall the author(s) be liable for any consequences
  whatsoever arising out of or in connection with the use or spread of
  this information. Any use of this information lies within the user's
  responsibility.

  COPYRIGHT
  This advisory and accompanying document(s), if any, are the property of
  The Freedom Factory, Inc. All rights reserved.

Attachment: Test.doc
Description:

Attachment: RICHED20.dll
Description:
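
Added example, not part of the original advisory: a defender-side audit of a shared attachment directory such as the one described under PROBLEM DESCRIPTION, reporting DLL-named files that sit beside documents. The function names, the document-extension set, the caller-supplied system DLL list and the sample files are assumptions constructed for illustration; only the names Test.doc and RICHED20.dll come from the advisory.

```python
import os
import tempfile

# Assumed document extensions (the advisory itself only mentions Word files).
DOC_EXTS = {".doc", ".dot", ".rtf"}

def is_pe(path):
    """True when the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[60:64], "little"))
        return f.read(4) == b"PE\0\0"

def audit_attachment_dir(directory, system_dlls):
    """Report DLL-named files that share a directory with documents.

    system_dlls: lower-case names of DLLs expected to load only from the
    system directory (caller-supplied assumption).
    """
    names = [n for n in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, n))]
    docs = sorted(n for n in names if os.path.splitext(n)[1].lower() in DOC_EXTS)
    findings = []
    for name in sorted(names):
        if os.path.splitext(name)[1].lower() != ".dll":
            continue
        findings.append({"file": name,
                         "valid_pe": is_pe(os.path.join(directory, name)),
                         "shadows_system_dll": name.lower() in system_dlls,
                         "documents_in_same_dir": docs})
    return findings

def run_sample():
    """Build a constructed attachment directory and audit it."""
    # Constructed 68-byte stub: MZ header with e_lfanew = 64, then the PE signature.
    pe_stub = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0"
    samples = {"Test.doc": b"constructed", "RICHED20.dll": pe_stub,
               "notes.txt": b"hello", "readme.DLL": b"not a PE image"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return audit_attachment_dir(d, {"riched20.dll"})

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A finding with both `valid_pe` and `shadows_system_dll` set and a non-empty `documents_in_same_dir` matches the file layout the advisory describes.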

