SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Client)  >   Eudora Vendors:   Qualcomm
Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software
SecurityTracker Alert ID:  1001117
SecurityTracker URL:  http://securitytracker.com/id/1001117
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 19 2001
Impact:   Execution of arbitrary code via network

Version(s): 5.02 Sponsored Mode
Description:   A vulnerability has been reported in Qualcomm's Eudora e-mail client that allows malicious trojan code to be installed and executed automatically and without warning by an unwitting recipient when the e-mail is read.

By opening an email using Eudora 5.02 Sponsored Mode with "use Microsoft viewer" and "allow executables in HTML content" enabled, malicious code contained in the e-mail will be silently installed without warning. The exploit, which is described in the original source message, uses "embedded" images where one image is an executable file and the other is a JavaScript and ActiveX control.

No action on part of the client is necessary, other than simply opening the email.

Some demonstration exploit steps are provided in the original source message.
Impact:   An unsuspectig Eudora e-mail client user may inadvertently cause malicious trojan software to be installed and executed by reading a malicious e-mail message.
Solution:   No solution was available at the time of this entry. The author of the report suggests disabling "use Microsoft viewer" and "allow executables in HTML content."
Vendor URL:  www.eudora.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   MacOS, Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software   (Jeff Beckley <beckley@QUALCOMM.COM>)
The vendor notes that the "Allow executables in HTML content" configuration setting is turned off by default and that the online help and user manual mention that the setting should remain off for security reasons.
Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software   ("http-equiv@excite.com" <http-equiv@excite.com>)
This is a follow-up message that provides additional exploit and mitigation details.
(Contains Additional Exploit Code) Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software   ("http-equiv@excite.com" <http-equiv@excite.com>)
Some demonstration exploit code is provided that is effective even if the "Allow executables in HTML content" setting is disabled.
Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software   (Jeff Beckley <beckley@QUALCOMM.COM>)
The vendor indicates that this inline scripting vulnerability has been fixed in Eudora 5.1.
(More Exploit Methods Described) Re: Eudora E-mail Client May Silently Install and Execute Malicious Trojan Software   ("http-equiv@excite.com" <http-equiv@excite.com>)
The author of the original report has supplied additional exploit scenarios.


 Source Message Contents
Date:  Sun, 18 Mar 2001 01:38:46 -0800
Subject:  feeble.you!dora.exploit


Sunday, March 18, 2001


Silent delivery and installation of an executable on a target computer. No
client input other than opening an email using Eudora 5.02 - Sponsored Mode
provided 'use Microsoft viewer' and 'allow executables in HTML content' are
enabled.

One wonders why they are there in the first place.

This can be achieved with relative ease as follows:

1. Create yet another HTML mail message as follows:

<img SRC="cid:mr.malware.to.you" style="display:none">
<img id=W0W src="cid:malware.com"   style="display:none">
<center><h6>YOU!DORA</h6></center>
<IFRAME  id=malware width=10 height=10 style="display:none" ></IFRAME>

  <script>
// 18.03.01 http://www.malware.com
malware.location.href=W0W.src
</script>

Where our first image is our executable. Our second image comprises a simple
JavaScripting and ActiveX control.

What happens is, once the mail message is opened in Eudora 5.02 - Sponsored
Mode, the two 'embedded' images are silently and instantly transferred to
the 'Embedded' folder. Our very simple JavaScript location.href then
automatically calls our second image comprising the simple JavaScripting and
ActiveX control [note: knowing the file names and locations are not
necessary at all], which is then displayed out of sight in our iframe. This
inturn executes our *.exe.

Very simple. Because our *.exe and our simple JavaScripting and ActiveX
control reside in the same folder [the so-called "Embedded' folder], and
because it is automatically called to our iframe, everything is instant.

No warning, no nothing. The *.exe is executed instantly. No client input
other than opening the email.

2. Working Example. Harmless *.exe. incorporated. Tested on win98, with
IE5.5 (all of its patches and so-called service packs), Eudora 5.02 -
Sponsored Mode with 'use Microsoft viewer' and 'allow executables in HTML
content' (this refers to scripting, not literally executables).

The following is in plaintext. We are unable to figure out how to import a
single message into Eudora's inbox. Perhaps some bright spark knows.
Otherwise, incorporate the text sample into a telnet session or other and
fire off to your Eudora inbox:

http://www.malware.com/you!DORA.txt

Notes: disable 'use Microsoft viewer' and 'allow executables in HTML
content'

---
http://www.malware.com












_______________________________________________________
Send a cool gift with your E-Card
http://www.bluemountain.com/giftcenter/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC