Tuesday, July 23, 2002

Trivial silent delivery and installation of an executable on a target computer.

This can be accomplished with the default installation of the mail client Eudora 5.1.1:

  'allow executables in HTML content' DISABLED
  'use Microsoft viewer' ENABLED

The manufacturer, http://www.eudora.com, has done a tremendous job of shutting down all possibilities of scripting and all the other necessaries to achieve the following result. See:

  http://www.securityfocus.com/bid/2490
  http://www.securityfocus.com/bid/2796
  http://online.securityfocus.com/bid/4343

In the instance of BID 4343, under the original discussion of GreyMagic Software's findings (http://online.securityfocus.com/archive/1/263658), we found at the time, utilising our old friend the very simple HTTP-EQUIV meta tag known as refresh, that it remained ungoverned by the security settings of Eudora, that is, it was fully functional with 'allow executables in HTML content' disabled. At that time the meta refresh would open whatever files it was pointed at inside the Microsoft Viewer of Eudora [inside the email message itself].

Today we find that while our old friend the very simple HTTP-EQUIV meta tag known as refresh still remains ungoverned by the security settings of Eudora, it forces open a new browser window instead. Furthermore, this new window does not appear to accept 'url' protocols like about:, javascript: etc. Sounds good.

In addition to these extraordinary measures, hardened security warnings are incorporated as well for seemingly innocent files like *.html:

  [screen shot: http://www.malware.com/boopra.png 54KB]

Sounds even better. File types appear to open with whatever association has been assigned to them, e.g. *.txt will open with notepad, *.gif with whatever. All through the meta refresh tag.

Problem: the manufacturer left out an important file type to consider: the *.mhtml file. This is automatically opened by Internet Explorer via the meta refresh without any warning whatsoever, i.e. not even the warning given to *.html.

So what: all we have to do is embed in our mail message [again!] two files:

  i)  malware.mhtml, which contains our ActiveX control
  ii) malware.exe, which is our friendly executable

In the mail message we reference our malware.mhtml with the meta refresh tag and point it to our known location on a default install of Eudora on Win98. So once [again!] someone receives the mail message, both embedded files are silently and instantly transferred to the embedded folder. The meta refresh then springs open the *.mhtml file inside the embedded folder without warning, in our conveniently opened new browser window courtesy of the meta refresh, and bang! it runs the *.exe via the ActiveX control.

Working example: harmless *.exe incorporated. Tested on Win98 with IE 6.00 (all of its patches and so-called service packs) and default Eudora 5.1.1 with:

  'use Microsoft viewer' ENABLED
  'allow executables in HTML content' DISABLED

The following is in plaintext. We are unable to figure out how to import a single message into Eudora's inbox. Perhaps some bright spark knows. Otherwise, incorporate the text sample into a telnet session or other and fire off to your Eudora inbox:

  http://www.malware.com/boodora.txt

Notes: disable 'use Microsoft viewer'.

--
http://www.malware.com
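Added example, not part of the original post and not Eudora's or malware.com's code: a Python mail-gateway check that flags the combination the post relies on, an HTML body carrying an HTTP-EQUIV refresh that points at an embedded *.mhtml, delivered alongside *.mhtml/*.exe attachments. Both sample messages are constructed inline; the refresh target uses a placeholder directory rather than Eudora's real embedded folder, and the attachment bodies are inert placeholder bytes, not an ActiveX control or an executable. The extension list, verdict names and the placeholder path are assumptions of this example.

```python
"""Flag mail that pairs a meta-refresh HTML body with embedded .mhtml/.exe files.
Detection logic only; the sample messages below are constructed and carry no payload."""
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the post: the web archive IE opens without a prompt,
# and the executable it is used to launch. Extend to local policy as needed.
RISKY_EXTENSIONS = {".mhtml", ".exe"}

# <meta http-equiv="refresh" ...> in any attribute order, any case.
META_REFRESH = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh\b[^>]*>", re.I)
# The url=... portion of the tag's content attribute.
REFRESH_URL = re.compile(r"url\s*=\s*[\"']?([^\"'>;\s]+)", re.I)


def find_meta_refresh_targets(html: str) -> list:
    """Return the URL of every meta-refresh tag found in the markup."""
    targets = []
    for tag in META_REFRESH.findall(html):
        match = REFRESH_URL.search(tag)
        if match:
            targets.append(match.group(1))
    return targets


def _basename(path_or_url: str) -> str:
    # Split on both separators so file:///C:/x/y and C:\x\y behave the same.
    return re.split(r"[\\/]", path_or_url)[-1].lower()


def assess_message(raw: bytes) -> dict:
    """Classify a raw RFC 822 message as allow / review / quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    targets = find_meta_refresh_targets(html_part.get_content()) if html_part else []
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]
    # The chain in the post: the refresh URL names one of the embedded files.
    attached = {n.lower() for n in names}
    refresh_hits_attachment = any(_basename(t) in attached for t in targets)
    if targets and (risky or refresh_hits_attachment):
        verdict = "quarantine"
    elif targets or risky:
        verdict = "review"
    else:
        verdict = "allow"
    return {"refresh_targets": targets, "risky_attachments": risky,
            "refresh_hits_attachment": refresh_hits_attachment, "verdict": verdict}


def build_sample_message() -> bytes:
    """Constructed sample reproducing the shape of the post's message.
    PLACEHOLDER_EMBEDDED_FOLDER is an assumption, not Eudora's real path."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        '<html><head>\n'
        '<meta http-equiv="refresh" '
        'content="0;url=file:///C:/PLACEHOLDER_EMBEDDED_FOLDER/malware.mhtml">\n'
        '</head><body>hello</body></html>\n', subtype="html")
    msg.add_attachment(b"<!-- placeholder, not a real web archive -->",
                       maintype="application", subtype="octet-stream",
                       filename="malware.mhtml")
    msg.add_attachment(b"placeholder bytes, not an executable",
                       maintype="application", subtype="octet-stream",
                       filename="malware.exe")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control: plain text plus a harmless text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed benign sample"
    msg.set_content("plain text only")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample_message()))   # verdict: quarantine
    print(assess_message(build_benign_message()))   # verdict: allow
```

The check deliberately keys on the combination rather than on either signal alone: a refresh tag by itself or a lone .exe attachment is routed to review, while a refresh whose target is one of the message's own embedded files is the pattern the post describes and is quarantined outright.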