On Fri, Mar 15, 2002 at 06:33:21PM +0100, Eric Detoisien wrote: > Hi, > > A Microsoft Internet Explorer vulnerability was found by GreyMagic > (http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's > possible to gain a remote access on a computer. > > Incredimail save automatically email attachements in this directory > (on Windows 2000 Professionnal) : > C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments Affects: Most (All?) Eudora-versions on MS/Windows. This would make most versions of Eudora equally vulnerable. Eudora (all versions I know of) automatically decodes attachments and stores them in the attachment directory of Eudora. (This may vary between versions and platform, but is pretty much easy to guess and with this greymagic-exploit-test: <http://x42.com/test/calc.jpg> (Fires off the windows calculator, but could easily be modified to exploit an auto-decoded attachment instead) To exploit this one could send the attachment in an e-mail and include a link to a page which servers such an exploiting image/etc. _OR_ if Eudora uses embedded IE for html-mail, then the exploit would be executed when the mail is html-rendered. As Eudora is more wide-spread this may be the worst exploit to a non-MS mail client that we have seen so far. It is not a bug of Eudora per se, but Eudora acts as a perfect trojan-injector which makes it very dangerous. Blocking or renaming executables on MTA-level will of course be a reasonable counter-measure for this problem. /magnus -- http://x42.com/
