[Esa-l] feeble.you!dora.exploit (fwd)

John D. Hardin jhardin at wolfenet.com
Tue Mar 20 06:41:21 PST 2001


A reason for the paranoid among us to disable webbugs...

Fortunately SCRIPT tags are always defanged.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Your mouse has moved. Your Windows Operating System must be
  relicensed due to this hardware change. Please contact Microsoft
  to obtain a new activation key. If this hardware change results in
  added functionality you may be subject to additional license fees.
  Your system will now shut down. Thank you for choosing Microsoft.
-----------------------------------------------------------------------
   2 days until Mir deorbits


---------- Forwarded message ----------
Date: Sun, 18 Mar 2001 01:38:46 -0800
From: "http-equiv at excite.com" <http-equiv at excite.com>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: feeble.you!dora.exploit

Sunday, March 18, 2001


Silent delivery and installation of an executable on a target computer. No
client input other than opening an email using Eudora 5.02 - Sponsored Mode
provided 'use Microsoft viewer' and 'allow executables in HTML content' are
enabled.

One wonders why they are there in the first place.

This can be achieved with relative ease as follows:

1. Create yet another HTML mail message as follows:

<DEFANGED_IMG SRC="cid:mr.malware.to.you" DEFANGED_STYLE="display:none">
<DEFANGED_IMG id=W0W src="cid:malware.com"   DEFANGED_STYLE="display:none">
<center><h6>YOU!DORA</h6></center>
<DEFANGED_IFRAME  id=malware width=10 height=10 DEFANGED_STYLE="display:none" ></IFRAME>

  <DEFANGED_script>
// 18.03.01 http://www.malware.com
malware.location.href=W0W.src
</script>

Where our first image is our executable. Our second image comprises a simple
JavaScripting and ActiveX control.

What happens is, once the mail message is opened in Eudora 5.02 - Sponsored
Mode, the two 'embedded' images are silently and instantly transferred to
the 'Embedded' folder. Our very simple JavaScript location.href then
automatically calls our second image comprising the simple JavaScripting and
ActiveX control [note: knowing the file names and locations is not
necessary at all], which is then displayed out of sight in our iframe. This
in turn executes our *.exe.

Very simple. Because our *.exe and our simple JavaScripting and ActiveX
control reside in the same folder [the so-called "Embedded" folder], and
because it is automatically called to our iframe, everything is instant.

No warning, no nothing. The *.exe is executed instantly. No client input
other than opening the email.

2. Working Example. Harmless *.exe incorporated. Tested on win98, with
IE5.5 (all of its patches and so-called service packs), Eudora 5.02 -
Sponsored Mode with 'use Microsoft viewer' and 'allow executables in HTML
content' (this refers to scripting, not literally executables).

The following is in plaintext. We are unable to figure out how to import a
single message into Eudora's inbox. Perhaps some bright spark knows.
Otherwise, incorporate the text sample into a telnet session or other and
fire off to your Eudora inbox:

http://www.malware.com/you!DORA.txt

Notes: disable 'use Microsoft viewer' and 'allow executables in HTML
content'

---
http://www.malware.com
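
As an added illustration from the defender's side (not code from either message or from the list's own sanitizer), the tag and attribute renaming that produced the DEFANGED_ markers in the quoted message can be reproduced in a few lines; the tag list, attribute list and the constructed sample mail below are assumptions.

```python
import re

# Tags renamed on open so a mail viewer no longer treats them as active content.
# The list is an assumption; the DEFANGED_ prefix mirrors the quoted message.
ACTIVE_TAGS = ("script", "iframe", "object", "embed", "applet", "img")
# Attributes renamed inside any tag (inline style and common event handlers).
ACTIVE_ATTRS = ("style", "onload", "onerror", "onmouseover", "onclick")

_TAG_RE = re.compile(r"<(?P<name>" + "|".join(ACTIVE_TAGS) + r")\b", re.IGNORECASE)
# Attribute name followed by '=', not already prefixed (lookbehind rejects '_').
_ATTR_RE = re.compile(
    r"(?<![\w-])(?P<name>" + "|".join(ACTIVE_ATTRS) + r")(?=\s*=)", re.IGNORECASE)
_ANY_TAG_RE = re.compile(r"<[^>]*>")


def defang_html(html: str) -> str:
    """Rename active opening tags and risky attributes, keeping the author's case."""
    out = _TAG_RE.sub(lambda m: "<DEFANGED_" + m.group("name"), html)

    def fix_tag(m: re.Match) -> str:
        return _ATTR_RE.sub(lambda a: "DEFANGED_" + a.group("name"), m.group(0))

    # Attribute renaming is restricted to text inside tags so body text is untouched.
    return _ANY_TAG_RE.sub(fix_tag, out)


def has_active_content(html: str) -> bool:
    """True if any active tag or attribute survives; used to check the sanitizer's output."""
    if _TAG_RE.search(html):
        return True
    return any(_ATTR_RE.search(tag) for tag in _ANY_TAG_RE.findall(html))


# Constructed sample mail body (hypothetical cid: parts, not the original message).
SAMPLE_MAIL = (
    '<IMG SRC="cid:part1" STYLE="display:none">\n'
    '<IFRAME id=f width=10 height=10 STYLE="display:none"></IFRAME>\n'
    '<script>f.location.href="cid:part2"</script>\n'
)

if __name__ == "__main__":
    cleaned = defang_html(SAMPLE_MAIL)
    print(cleaned)
    print("active content left:", has_active_content(cleaned))
```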
