
MSIE vulnerability exploitable with Eudora (was: IncrediMail)


Date: Sat, 16 Mar 2002 17:23:16 +0100
From: Magnus Bodin <magnus@bodin.org>
To: Eric Detoisien <eric.detoisien@global-secure.fr>
Subject: MSIE vulnerability exploitable with Eudora (was: IncrediMail)
Cc: support@incredimail.com, bugtraq@securityfocus.com, bugs@eudora.com,
 eudora-bugs@qualcomm.com

On Fri, Mar 15, 2002 at 06:33:21PM +0100, Eric Detoisien wrote:
> Hi,
> 
> 	A Microsoft Internet Explorer vulnerability was found by GreyMagic
> (http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
> possible to gain remote access on a computer.
> 
> 	IncrediMail automatically saves email attachments in this directory 
> (on Windows 2000 Professional):
> C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments


Affects: Most (All?) Eudora-versions on MS/Windows.

This would make most versions of Eudora equally vulnerable.
Eudora (all versions I know of) automatically decodes attachments and stores them in the attachment
directory of Eudora. (This may vary between versions and platform, but is
pretty much easy to guess and with this greymagic-exploit-test:

	<http://x42.com/test/calc.jpg>

(Fires off the windows calculator, but could easily be modified to exploit
an auto-decoded attachment instead)

To exploit this one could send the attachment in an e-mail and include a
link to a page which serves such an exploiting image/etc. _OR_ if Eudora
uses embedded IE for html-mail, then the exploit would be executed when the
mail is html-rendered.

As Eudora is more wide-spread this may be the worst exploit to a non-MS
mail client that we have seen so far.

It is not a bug of Eudora per se, but Eudora acts as a perfect
trojan-injector which makes it very dangerous.

Blocking or renaming executables on MTA-level will of course be a
reasonable counter-measure for this problem.

/magnus

-- 
http://x42.com/
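
The MTA-level counter-measure named at the end of the message (blocking or renaming executables), as an added example that is not part of the original post: a content filter that renames executable attachments before delivery, so an auto-decoding mail client stores them under a non-executable name. The extension list, the `.blocked` suffix and the function names are assumptions of this example.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for this example; a real deployment sets its own.
BLOCKED = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
SUFFIX = ".blocked"  # hypothetical marker appended to renamed attachments


def neutralize_attachments(raw: bytes):
    """Rename executable attachments; return (rewritten message bytes, original names renamed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "a.exe." still opens as "a.exe".
        base = name.rstrip(". ")
        if os.path.splitext(base)[1].lower() not in BLOCKED:
            continue
        new_name = base + SUFFIX
        # The name can live in either header; rewrite each one that carries it.
        for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
            if part.get_param(param, header=header) is not None:
                part.set_param(param, new_name, header=header, replace=True)
        renamed.append(name)
    return msg.as_bytes(), renamed


def constructed_sample() -> bytes:
    """Constructed test message: two executable attachments and one image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for fname in ("invoice.exe", "photo.jpg", "Setup.SCR."):
        msg.add_attachment(b"\x00constructed", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    out, renamed = neutralize_attachments(constructed_sample())
    print("renamed:", renamed)
```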

Created 1996-2003 by Maxim Chirkov  