[Esa-l] Exploit using Eudora and the Guninski hole (fwd)

John D. Hardin jhardin at wolfenet.com
Thu Sep 21 19:45:21 PDT 2000


Attachments removed. See the bugtraq archives if you really want them.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   38 days until Daylight Savings Time ends

---------- Forwarded message ----------
Date: Tue, 19 Sep 2000 15:47:03 -0400
From: Louis-Eric Simard <Louis-Eric at SIMARD.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Exploit using Eudora and the Guninski hole



SIMARD SECURITY ADVISORY 20000919.1
by Louis-Eric Simard, Security Consultant (Louis-Eric at Simard.com)


   RELEASE DATE
   September 19th 2000

   TESTED SYSTEMS
   Windows 2000 [5.00.2195] running Eudora 4.3.2. Later versions of Eudora
   have not been tested.

   SYNOPSIS
   A malicious intruder can easily take control of a Windows environment by
   simply sending one or more e-mails containing attachments conforming to
   the description set in the Georgi Guninski security advisory #21 if the
   receiver is using Eudora as a mail client.

   PROBLEM DESCRIPTION
   Eudora saves all attachments in a single directory upon receiving the
   mail; a mail message need not be open for its attachment to be decoded
   and saved in that common directory. An intruder need only send an e-mail
   with a trojaned DLL as described in the Guninski advisory, along with
   or followed by an e-mail containing a Word document.

   DEMONSTRATION
   A dummy RICHED20.DLL file is attached here. To test the security hole,
   simply mail this file along with the supplied (or any) Word file, then
   click on the Word file. After a few seconds, a message box titled
   "Gotcha" will appear, indicating "Fake RICHED20.DLL loaded."

   ACKNOWLEDGEMENTS
   Georgi Guninski for pointing out this issue in the first place.

   COMMENTS
   Please send suggestions, updates and comments to Louis-Eric at Simard.com.

   DISCLAIMER
   Louis-Eric Simard and The Freedom Factory, Inc. are not responsible for
   the misuse of any of the information they provide through their security
   advisories. Our advisories are a service to the information security
   community intended to promote safe computing practices and warn users of
   possible security breaches. The information within this document may
   change without notice. Use of this information constitutes acceptance for
   use in an AS IS condition. There are NO warranties with regard to this
   information. In no event shall the author(s) be liable for any consequences
   whatsoever arising out of or in connection with the use or spread of
   this information. Any use of this information lies within the user's
   responsibility.

   COPYRIGHT
   This advisory and accompanying document(s), if any, are the property of
   The Freedom Factory, Inc. All rights reserved.
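The condition the advisory describes (a look-alike RICHED20.DLL landing in the one directory where every attachment is saved, beside a Word document the user will double-click) is something a defender can check for directly. The script below is an added example, not part of the advisory or of Eudora; it walks an attachment directory, flags any DLL whose name is on a watch list (only RICHED20.DLL is taken from the advisory; the watch list, the document extensions and the quarantine layout are assumptions), records the file hash so it can be compared with a trusted copy, and moves flagged files out of the load path. The sample directory it builds is constructed for the demonstration.

```python
"""Defender-side check for a shared attachment directory: flag DLLs that
carry the name of a library an application resolves from the document's
own directory (RICHED20.DLL in the advisory) and quarantine them.

Added example, not code from the advisory. The watched-name set and the
document extensions are assumptions; extend them for your environment."""
import hashlib
import tempfile
from pathlib import Path

# Names an application may load from the directory of the document it opens.
# RICHED20.DLL is the one the advisory names; any others you add are an assumption.
WATCHED_DLLS = {"riched20.dll"}
# Assumption: Word document extensions a user might double-click in that folder.
DOCUMENT_SUFFIXES = {".doc", ".dot", ".rtf"}


def sha256_of(path):
    """Hex SHA-256 of a file, so a finding can be matched against a trusted copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_attachment_dir(directory, watched=WATCHED_DLLS):
    """Return one finding per watched DLL name present in `directory`.

    Severity is 'high' when a document sits beside the DLL (the exact
    condition the advisory describes), otherwise 'medium'."""
    directory = Path(directory)
    files = [p for p in directory.iterdir() if p.is_file()]
    docs = sorted(p.name for p in files if p.suffix.lower() in DOCUMENT_SUFFIXES)
    findings = []
    for p in files:
        if p.suffix.lower() == ".dll" and p.name.lower() in watched:
            findings.append({
                "dll": p.name,
                "sha256": sha256_of(p),
                "documents_beside": docs,
                "severity": "high" if docs else "medium",
            })
    return findings


def quarantine_dlls(directory, findings):
    """Move flagged DLLs into a 'quarantine' subdirectory with a neutral
    suffix so they are no longer on any document's load path."""
    directory = Path(directory)
    qdir = directory / "quarantine"
    qdir.mkdir(exist_ok=True)
    moved = []
    for f in findings:
        dst = qdir / (f["dll"] + ".quarantined")
        (directory / f["dll"]).rename(dst)
        moved.append(dst)
    return moved


def build_sample_dir():
    """Constructed sample: a throwaway folder imitating a shared attachment
    directory that received a look-alike DLL and a Word document."""
    tmp = Path(tempfile.mkdtemp(prefix="attach_"))
    (tmp / "RICHED20.DLL").write_bytes(b"MZ" + b"\x00" * 62)   # dummy bytes, not a real PE
    (tmp / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 8)  # OLE2 magic only
    (tmp / "notes.txt").write_text("harmless")
    return tmp


if __name__ == "__main__":
    sample = build_sample_dir()
    for finding in scan_attachment_dir(sample):
        print(finding)
    print("quarantined:", quarantine_dlls(sample, scan_attachment_dir(sample)))
```

Run it against the real attachment directory instead of the constructed one, and compare the reported hash with a known-good copy of the library before deciding the file is merely a duplicate. The longer-term fix the mechanism points to is not to save attachments from untrusted senders into one directory that documents are opened from.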




