Re: Exploit using Eudora and the Guninski hole

[David LeBlanc <dleblanc () MINDSPRING COM>]

At 03:47 PM 9/19/00 -0400, Louis-Eric Simard wrote:

>   SYNOPSIS
>   A malicious intruder can easily take control of a Windows environment by
> simply sending one or more e-mails containing attachments conforming to
>   the description set in the Georgi Guninski security advisory #21 if the
> receiver is using Eudora as a mail client.

However, there are a few work-arounds.  The first is to simply place a real
copy of this DLL in that directory - any new ones will get incremented
names, and Word won't pick them up.

The second is to properly ACL this directory.  The way to do this is to
open Explorer, right click on the eudora\attach directory, choose
Properties, Security. Bring up the permissions dialogs, and for each listed
group that has access, choose Special File Access from the drop-down.
Uncheck the Execute box in the dialog that pops up. Do not remove execute
permissions at the directory level, as it causes problems (and is only
needed for listing the directory). Make sure that the 'Replace Permissions
on Existing Files' is checked. This method also keeps anyone else who might
be using the machine from running executable content delivered by mail
without copying the file somewhere.  Note that moving a file out of this
directory will take its permissions with it, but copying it will get the
permissions from the new directory. This solution will also prevent any
future attacks based on the same method. I have tested this, and it works.
The exact steps listed above are for NT 4.0, and will vary slightly on
Win2k due to ACL editor UI changes. This should also be possible with
xcacls (Resource Kit util) so that it could be scripted, but I haven't
sorted out the exact arguments at the moment.

I also think it might have been polite to have placed a _link_ to the test
DLL rather than delivering it directly. You've actually attacked anyone
running Eudora, which is a little rude. If I hadn't had Word already
running this morning, this could have caused some annoyance when I went to
edit a document. Also, anyone wanting to test this who is using Outlook
with the extra security settings wouldn't have seen the DLL.

BTW, a third work-around is to simply open Word in some other way, and then
click on the document - the DLL is then already loaded and won't load again.

In general, it is best to remove execute permissions for files contained in
any directories where e-mail or your browser might place downloaded or
temporary content. This preventative measure defeats a variety of attacks,
both via e-mail and browser.


David LeBlanc
dleblanc () mindspring com