Exploit:
Grants a remote user the ability to run arbitrary code on
your computer by sending you an email message containing
an http:// link, if you read the message using Eudora mail
and click on the link.
Requirements:
The key vulnerability in Eudora is that it does not warn you if you click on a link pointing to a .lnk file. (This is the file extension for Windows shortcut files -- normally this extension is not visible in Windows Explorer, even if you have Windows Explorer set to "display file extensions for known file types".) Eudora already warns you if you click on a link to a file with the extension .exe, .com, or .bat. -- but it does not warn you about .lnk files. So a simple way of exploiting this would be to send the user two attachments:
By itself, this trick would not be very useful. A naive user might click on an attached .lnk file, and Eudora wouldn't warn them -- but a more experienced user would probably realize that there was something suspicious about a .lnk file sent to them by email.
For the trick be more effective, the user should think that they are clicking
on a link in a Eudora mail message. When a message containing
an http:// URL is displayed in Eudora, the URL is automatically
made into a hyperlink, so that you can click on the URL and it
will load into your default browser:
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
If the recipient is using Eudora, though, you can send them an
HTML email message formatted so that the link looks like
it points one place, but really points somewhere else. The following
HTML:
<a href="file:///c:/eudora/attach/spy.lnk" >http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>will be rendered in a Eudora email message as:
Lastly, for the trick to be effective, the user should not see any reference to the attachments that were sent with the message. (By default, Eudora displays attachments in the message body with an icon and the line "Attachment converted:".) To hide the attachment icons, insert the lines
<x-html><!--and
--></x-html>around the attachments in the message. This way, the user will not see any reference to an extracted .exe or .lnk file, and the message will look exactly like a normal plain text message containing an http:// link.
QUALCOMM recommends that users edit their Eudora.ini file and add the following line:
WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|to their "[Settings]" section. (The default is to warn for all of these extensions except the "lnk" one.) Note the trailing "|" on the end -- this is necessary in order for Eudora to warn for "lnk" files, but the extra "|" can be confusing to users who intuitively understand "|" to mean "or" -- in which case it looks like the trailing "|" should not be necessary, but it's required by the Eudora parser.
Qualcomm has said that the next version of Eudora will warn for .lnk files as well by default.