Message-ID: <200207251536.g6PFaQI6040330@mail8.megamailservers.com>
From: http-equiv at malware.com (http-equiv@...ite.com)
Subject: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1

Doug Monroe <monwel@...erhack.net> said:

> "http-equiv@...ite.com" wrote:
> > 
> > Tuesday, July 23, 2002
> > Trivial silent delivery and installation of an executable on a target
> > computer. This can be accomplished with the default installation of
> > the mail client Eudora 5.1.1:
> > 'allow executables in HTML content' DISABLED
> > 'use Microsoft viewer' ENABLED
> [snip]
> > Working Example:
> [snip]
> > http://www.malware.com/boodora.txt
> > 
> > Notes: disable 'use Microsoft viewer'
> 
> A Eudora expert I am not, but I suppose one could also change
>   HKCU/software/qualcomm/eudora/launchmanager/path#2  
> from 
> "c:\windows\application data\qualcomm\eudora\embedded" 
>  or
> "c:\program files\qualcomm\eudora pro\embedded" 
> to some other, non-default folder name. 
> New folder must exist before running eudora again.
> 
> And... add mhtml to "WarnExtentions#X" key values?

Doug, excellent point.

1. Yes, if you can relocate the embedded folder. Better.

2. No, adding warnings to extensions appears to be useless:

Just tested something here. Typically IE can or will open files 
depending on what the contents are, regardless of the extension that it 
has: an <html> tag in a gif or some other file type should or can be 
rendered by IE for what the contents are, not the extension.

New Note 25.7.02: trying that with the above demo, creating & 
depositing only malware.exe and malware [no file extension] yielded 
some very interesting results.

<XETA http-equiv=refresh 
content="1; &#13;&#10;url=Xile://C:\WINDOWS\Xpplication 
Data\Qualcomm\Eudora\Xmbedded\malware">

Expecting IE to spring open with the non-extension'd mhtml file fully 
functional, we find that in fact it does not. We find that the 
malware.exe is immediately executed.

Removing the mhtml file from the embedded folder and leaving only 
malware.exe in there, the meta refresh pointing to 'malware' only [no 
extension at all] appears to execute the *.exe directly -- no need 
for the mhtml file at all.

Could be an anomaly with this machine, but simply send yourself the 
meta refresh pointing to malware minus extension, place an executable 
with the same name in the embedded folder and see if it executes.

No time right now to grind it into powder.

-- 
http://www.malware.com
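As an added detection example (not part of this thread, and not Eudora's or malware.com's code): a small Python check that pulls the target out of every `<meta http-equiv=refresh>` in an HTML mail body, decoding the `&#13;&#10;` entities the demo pads the content attribute with, and flags any refresh that points via `file://` into Eudora's embedded attachment folder. The two sample bodies are constructed for the example; the function names are my own.

```python
import html
import re
from typing import Dict, List

# Constructed sample mirroring the technique described in the post: a
# meta refresh whose content attribute is padded with CR/LF entities and
# whose URL points at a file in Eudora's "Embedded" folder.
SAMPLE_BODY = '''<html><body>
<meta http-equiv=refresh
content="1; &#13;&#10;url=file://C:\\WINDOWS\\Application Data\\Qualcomm\\Eudora\\Embedded\\malware">
</body></html>'''

# Constructed benign sample: an ordinary redirect to a web address.
BENIGN_BODY = '<meta http-equiv="refresh" content="5; url=https://example.com/">'

META_RE = re.compile(r'<meta\b([^>]*)>', re.IGNORECASE | re.DOTALL)
# name=value with double quotes, single quotes, or no quotes at all
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def _attributes(raw: str) -> Dict[str, str]:
    """Parse a <meta ...> attribute string into a lower-cased dict.
    html.unescape turns &#13;&#10; (and any other entity) back into text."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = html.unescape(value)
    return attrs


def find_refresh_targets(body: str) -> List[str]:
    """Return the decoded URL of every meta refresh in an HTML body."""
    targets = []
    for m in META_RE.finditer(body):
        attrs = _attributes(m.group(1))
        if attrs.get('http-equiv', '').strip().lower() != 'refresh':
            continue
        # content is "<seconds>; url=<target>", with arbitrary whitespace
        # (including the decoded CR/LF) allowed around the url= part
        _, _, rest = attrs.get('content', '').partition(';')
        rest = rest.strip()
        if rest.lower().startswith('url='):
            rest = rest[4:].strip()
        targets.append(rest)
    return targets


def is_local_embedded_refresh(url: str) -> bool:
    """True when a refresh target is a file:// URL into Eudora's embedded
    attachment folder, the pattern the post describes."""
    u = url.strip().lower().replace('/', '\\')
    return u.startswith('file:') and '\\eudora\\embedded\\' in u
```

A mail gateway or desktop scanner can run `find_refresh_targets` over each text/html part and quarantine or alert on anything `is_local_embedded_refresh` flags, independent of the filename extension Eudora's warning list would have checked.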
