From: GP <[EMAIL PROTECTED]>
How the "Stealth Attachment" trick works
[EMAIL PROTECTED]
================================================
Exploit:
Grants a remote user the ability to run arbitrary code on your computer by
sending you an email message containing an http:// link, if you read the
message using Eudora mail and click on the link.
Requirements:
The remote user must know that you are using Eudora. If you have ever sent
them mail, they will have this information since messages sent with Eudora
include an X-Mailer header like:
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
The remote user must know the full path to the directory where your
attachments are extracted to. This is easy to guess since it is usually
either:
C:\Eudora\Attach\
for version 3.x, or
C:\Program Files\Qualcomm\Eudora Pro\Attach\
for Eudora Pro version 4.x, or
C:\Program Files\Qualcomm\Eudora\Attach\
for Eudora 4.3 or later. (Beginning with version 4.3, Eudora Light and
Eudora Pro were merged into one version; Eudora 4.3 can operate either in
"free mode" and display advertisements, or in "paid mode" without the ads
if you pay a registration fee.) Because the remote user can see the version
number as part of the X-Mailer header, it is possible to guess where the
attachments directory is likely to be located.
How it works
The key vulnerability in Eudora is that it does not warn you if you click
on a link pointing to a .lnk file. (This is the file extension for Windows
shortcut files -- normally this extension is not visible in Windows
Explorer, even if you have Windows Explorer set to "display file extensions
for known file types".) Eudora already warns you if you click on a link to
a file with the extension .exe, .com, or .bat -- but it does not warn you
about .lnk files. So a simple way of exploiting this would be to send the
user two attachments:
- an .exe file, e.g. "spy.exe"
- a .lnk file, e.g. "spy.lnk", that pointed to
C:\Eudora\Attach\spy.exe
(this is the reason why you need to know the directory where the
recipient's attachments are extracted to)
By itself, this trick would not be very useful. A naive user might click on
an attached .lnk file, and Eudora wouldn't warn them -- but a more
experienced user would probably realize that there was something suspicious
about a .lnk file sent to them by email.
For the trick to be more effective, the user should think that they are
clicking on a link in a Eudora mail message. When a message containing an
http:// URL is displayed in Eudora, the URL is automatically made into a
hyperlink, so that you can click on the URL and it will load into your
default browser:
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
If the recipient is using Eudora, though, you can send them an HTML email
message formatted so that the link looks like it points one place, but
really points somewhere else. The following HTML:
<a href="file:///c:/eudora/attach/spy.lnk"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>
will be rendered in a Eudora email message as:
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
When the user views this message, it looks exactly as if someone has
emailed them a plain-text email with a link in it. (In order to look
"exactly like plain text email", of course, the message should not contain
any HTML features like fonts or styled text.) When the user clicks on the
link, the shortcut "spy.lnk" will be launched, causing the program
"spy.exe" to run. (For the user not to notice anything suspicious, the
"spy.exe" program should be invisible, and should also cause the URL
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
to open in the user's browser, which is what the user is expecting.)
Lastly, for the trick to be effective, the user should not see any
reference to the attachments that were sent with the message. (By default,
Eudora displays attachments in the message body with an icon and the line
"Attachment converted:".) To hide the attachment icons, insert the lines
around the attachments in the message. This way, the user will not see any
reference to an extracted .exe or .lnk file, and the message will look
exactly like a normal plain text message containing an http:// link.
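As an added example (not part of the original post), a small scanner for HTML mail bodies that flags anchors whose visible text is an http:// URL while the href points somewhere else, or whose href targets a local file with a launchable extension; this is the shape of the deceptive link described above. The sample message, the list of local schemes and the extension list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the anchor from the advisory, href and text disagree
SAMPLE_HTML = (
    'Have a look: <a href="file:///c:/eudora/attach/spy.lnk"\n'
    '>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>'
)

LOCAL_SCHEMES = {"file", ""}           # href with no scheme is a local path
RISKY_EXTENSIONS = (".lnk", ".exe", ".com", ".bat", ".cmd", ".pif", ".reg")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return one finding per anchor that looks like a URL but goes elsewhere,
    or that launches a local file; an empty list means nothing suspicious."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_u, text_u = urlparse(href), urlparse(text)
        reasons = []
        # visible text is an http(s) URL but href has a different origin
        if text_u.scheme in ("http", "https") and \
                (href_u.scheme, href_u.netloc) != (text_u.scheme, text_u.netloc):
            reasons.append("text/href mismatch")
        # href points at a local file Eudora would hand to the shell
        if href_u.scheme in LOCAL_SCHEMES and \
                href_u.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("local launchable target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```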
Recommended fix
QUALCOMM recommends that users edit their Eudora.ini file and add the
following line:
WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|
to their "[Settings]" section. (The default is to warn for all of these
extensions except the "lnk" one.) Note the trailing "|" on the end -- this
is necessary in order for Eudora to warn for "lnk" files, but the extra "|"
can be confusing to users who intuitively understand "|" to mean "or" -- in
which case it looks like the trailing "|" should not be necessary, but it's
required by the Eudora parser.
Qualcomm has said that the next version of Eudora will warn for .lnk files
as well by default.
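As an added example (not from the original post or from Qualcomm), an audit script that reads the [Settings] section of a Eudora.ini and applies the trailing-"|" rule described above to decide whether "lnk" would actually trigger the launch warning. The ini fragments are constructed, and the parsing rule is an assumption that models the documented behaviour rather than Eudora's own code.

```python
import configparser

# Constructed Eudora.ini fragments (not real files): the advisory's stated
# default, the recommended fix, and the fix typed without the trailing "|"
SAMPLE_INI_DEFAULT = "[Settings]\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|\n"
SAMPLE_INI_FIXED = "[Settings]\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|\n"
SAMPLE_INI_NO_PIPE = "[Settings]\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk\n"


def effective_extensions(value):
    """Model of the rule the advisory describes: every entry must be
    terminated by "|", so whatever follows the last "|" is never matched.
    (Assumption modelling the documented behaviour, not Eudora's parser.)
    Entries such as "do" and "xl" are kept exactly as written."""
    tokens = value.split("|")[:-1]          # drop the unterminated tail
    return [t.strip().lower() for t in tokens if t.strip()]


def audit_eudora_ini(ini_text, required=("lnk",)):
    """Report which required extensions the WarnLaunchExtensions setting
    would not warn for, and the value that would cover them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep key case as written
    cp.read_string(ini_text)
    value = cp.get("Settings", "WarnLaunchExtensions", fallback="")
    covered = effective_extensions(value)
    missing = [e.lower() for e in required if e.lower() not in covered]
    # rebuild from the recognised entries so a dropped tail is not duplicated
    suggested = "|".join(covered + missing) + "|"
    return {"covered": covered, "missing": missing, "suggested": suggested}


if __name__ == "__main__":
    for name, ini in (("default", SAMPLE_INI_DEFAULT),
                      ("no trailing pipe", SAMPLE_INI_NO_PIPE),
                      ("fixed", SAMPLE_INI_FIXED)):
        report = audit_eudora_ini(ini)
        print(f"{name}: missing={report['missing']} suggested={report['suggested']}")
```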
--
Garind P
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"oc ur mobo not urself or anybody else"
--
Compu-Mania MailingList, provided by PT Centrin Utama
Archive: http://www.mail-archive.com/[email protected]/