feeble.you!dora.exploit
Date: Sun, 18 Mar 2001 01:38:46 -0800
From: "http-equiv@excite.com" <http-equiv@excite.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: feeble.you!dora.exploit
Sunday, March 18, 2001
Silent delivery and installation of an executable on a target computer. No
client input other than opening an email using Eudora 5.02 - Sponsored Mode
provided 'use Microsoft viewer' and 'allow executables in HTML content' are
enabled.
One wonders why they are there in the first place.
This can be achieved with relative ease as follows:
1. Create yet another HTML mail message as follows:
<img SRC="cid:mr.malware.to.you" style="display:none">
<img id=W0W src="cid:malware.com" style="display:none">
<center><h6>YOU!DORA</h6></center>
<IFRAME id=malware width=10 height=10 style="display:none" ></IFRAME>
<script>
// 18.03.01 http://www.malware.com
malware.location.href=W0W.src
</script>
Where our first image is our executable. Our second image comprises a simple
JavaScripting and ActiveX control.
What happens is, once the mail message is opened in Eudora 5.02 - Sponsored
Mode, the two 'embedded' images are silently and instantly transferred to
the 'Embedded' folder. Our very simple JavaScript location.href then
automatically calls our second image comprising the simple JavaScripting and
ActiveX control [note: knowing the file names and locations are not
necessary at all], which is then displayed out of sight in our iframe. This
inturn executes our *.exe.
Very simple. Because our *.exe and our simple JavaScripting and ActiveX
control reside in the same folder [the so-called "Embedded' folder], and
because it is automatically called to our iframe, everything is instant.
No warning, no nothing. The *.exe is executed instantly. No client input
other than opening the email.
2. Working Example. Harmless *.exe. incorporated. Tested on win98, with
IE5.5 (all of its patches and so-called service packs), Eudora 5.02 -
Sponsored Mode with 'use Microsoft viewer' and 'allow executables in HTML
content' (this refers to scripting, not literally executables).
The following is in plaintext. We are unable to figure out how to import a
single message into Eudora's inbox. Perhaps some bright spark knows.
Otherwise, incorporate the text sample into a telnet session or other and
fire off to your Eudora inbox:
http://www.malware.com/you!DORA.txt
Notes: disable 'use Microsoft viewer' and 'allow executables in HTML
content'
---
http://www.malware.com
_______________________________________________________
Send a cool gift with your E-Card
http://www.bluemountain.com/giftcenter/