How the "Stealth Attachment" trick works

bennett@peacefire.org

Exploit:
Grants a remote user the ability to run arbitrary code on your computer by sending you an email message containing an http:// link, if you read the message using Eudora mail and click on the link.

Requirements:

  1. The remote user must know that you are using Eudora. If you have ever sent them mail, they will have this information since messages sent with Eudora include an X-Mailer header like:
    X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
  2. The remote user must know the full path to the directory your attachments are extracted to. This is easy to guess since it is usually either:
    C:\Eudora\Attach\
    for version 3.x, or
    C:\Program Files\Qualcomm\Eudora Pro\Attach\
    for Eudora Pro version 4.x, or
    C:\Program Files\Qualcomm\Eudora\Attach\
    for Eudora 4.3 or later. (Beginning with version 4.3, Eudora Light and Eudora Pro were merged into one version; Eudora 4.3 can operate either in "free mode" and display advertisements, or in "paid mode" without the ads if you pay a registration fee.) Because the remote user can see the version number as part of the X-Mailer header, it is possible to guess where the attachments directory is likely to be located.

How it works

The key vulnerability in Eudora is that it does not warn you if you click on a link pointing to a .lnk file. (This is the file extension for Windows shortcut files -- normally this extension is not visible in Windows Explorer, even if you have Windows Explorer set to "display file extensions for known file types".) Eudora already warns you if you click on a link to a file with the extension .exe, .com, or .bat -- but it does not warn you about .lnk files. So a simple way of exploiting this would be to send the user two attachments:

By itself, this trick would not be very useful. A naive user might click on an attached .lnk file, and Eudora wouldn't warn them -- but a more experienced user would probably realize that there was something suspicious about a .lnk file sent to them by email.

For the trick to be more effective, the user should think that they are clicking on a link in a Eudora mail message. When a message containing an http:// URL is displayed in Eudora, the URL is automatically made into a hyperlink, so that you can click on the URL and it will load into your default browser:

http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/

If the recipient is using Eudora, though, you can send them an HTML email message formatted so that the link looks like it points one place, but really points somewhere else. The following HTML:

<a href="file:///c:/eudora/attach/spy.lnk"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>

will be rendered in a Eudora email message as:

http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/

When the user views this message, it looks exactly as if someone has emailed them a plain-text email with a link in it. (In order to look "exactly like plain text email", of course, the message should not contain any HTML features like fonts or styled text.) When the user clicks on the link, the shortcut "spy.lnk" will be launched, causing the program "spy.exe" to run. (For the user not to notice anything suspicious, the "spy.exe" program should be invisible, and should also cause the URL
http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/
to open in the user's browser, which is what the user is expecting.)

Lastly, for the trick to be effective, the user should not see any reference to the attachments that were sent with the message. (By default, Eudora displays attachments in the message body with an icon and the line "Attachment converted:".) To hide the attachment icons, insert the lines

<x-html><!--
and
--></x-html>
around the attachments in the message. This way, the user will not see any reference to an extracted .exe or .lnk file, and the message will look exactly like a normal plain text message containing an http:// link.
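A defender-side check for the two message-body tricks described above (an anchor whose visible text is an http:// URL while its href is a file:/// path to a .lnk, and "Attachment converted:" lines hidden inside an <x-html><!-- --> comment). This is an added example, not code from the advisory or from Eudora. It uses Python's standard html.parser; the sample message body is constructed, the finding labels are this example's own, and the set of launchable extensions is taken from the WarnLaunchExtensions line in the Recommended fix section.

```python
"""Flag the message-body tricks from the advisory: an <a> whose visible text
is an http:// URL but whose href points elsewhere (here a file:/// path to a
.lnk), and "Attachment converted:" lines hidden inside an HTML comment.

Added example, not code from the advisory or from Eudora. The sample body
is constructed; the finding labels are this example's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions Eudora warns about once the advisory's WarnLaunchExtensions fix
# is applied (taken from that line; 'do' and 'xl' kept as written there).
LAUNCHABLE = {"exe", "com", "bat", "cmd", "pif", "htm", "do", "xl", "reg", "lnk"}

# Constructed sample: a body built the way the advisory describes.
SAMPLE_BODY = """\
Thought you might like this story:

<a href="file:///c:/eudora/attach/spy.lnk"
>http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/</a>

<x-html><!--
Attachment converted: C:\\eudora\\attach\\spy.exe
Attachment converted: C:\\eudora\\attach\\spy.lnk
--></x-html>
"""


def _normalize(url):
    """Lower-case and strip a trailing slash so 'http://a.com/' == 'http://a.com'."""
    return url.strip().lower().rstrip("/")


def _extension(url):
    """Return the lower-cased extension of the URL's last path segment, or ''."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


class StealthLinkAnalyzer(HTMLParser):
    """Walk the HTML body and record (kind, detail) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_anchor(self._href, "".join(self._text).strip())
            self._href = None

    def handle_comment(self, data):
        # Eudora shows extracted attachments as "Attachment converted:" lines;
        # wrapping them in a comment is how the advisory hides them.
        for line in data.splitlines():
            if "Attachment converted:" in line:
                self.findings.append(("hidden-attachment", line.strip()))

    def _check_anchor(self, href, text):
        scheme = urlsplit(href).scheme.lower()
        if scheme == "file":
            self.findings.append(("file-url-link", href))
        ext = _extension(href)
        if ext in LAUNCHABLE:
            self.findings.append(("launchable-extension", ext))
        # Visible text that reads as a URL must point where it says it does.
        if re.match(r"https?://", text, re.I) and _normalize(text) != _normalize(href):
            self.findings.append(("link-text-mismatch", f"{text} -> {href}"))


def analyze_message(body):
    """Return the list of (kind, detail) findings for one message body."""
    parser = StealthLinkAnalyzer()
    parser.feed(body)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in analyze_message(SAMPLE_BODY):
        print(f"{kind:22} {detail}")
```

Run on the constructed body, the analyzer reports the file:/// target, the .lnk extension, the mismatch between the visible URL and the real target, and the two hidden "Attachment converted:" lines; a plain anchor whose text and href agree produces no findings. A mail gateway or client-side filter could apply the same three anchor checks regardless of the mail reader in use.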

Recommended fix

QUALCOMM recommends that users edit their Eudora.ini file and add the following line:

WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|

to their "[Settings]" section. (The default is to warn for all of these extensions except "lnk".) Note the trailing "|" at the end: it is required for Eudora to warn for "lnk" files. Users who read "|" as "or" may find the trailing "|" confusing, since by that reading it should not be needed, but the Eudora parser requires it.
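An audit of the Eudora.ini setting above, as an added example (this is not Qualcomm's code). The bar-terminated list rule it models is an assumption drawn from the advisory's note that the trailing "|" is required: each extension counts only if a "|" follows it, so a value typed without the trailing bar silently drops its last entry. The three INI snippets (the default, a fix typed without the trailing bar, and the recommended value) are constructed.

```python
"""Audit a Eudora.ini [Settings] section for the WarnLaunchExtensions fix.

Added example, not Qualcomm's code. The parsing rule below is a model
(assumption) of the behaviour the advisory describes: an extension is
recognised only when a '|' terminates it, so 'exe|lnk' warns for exe only.
"""
import configparser

RECOMMENDED = "exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|"

# Constructed sample INI contents.
INI_DEFAULT = "[Settings]\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|\n"
INI_MISSING_BAR = "[Settings]\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk\n"
INI_FIXED = "[Settings]\nWarnLaunchExtensions=" + RECOMMENDED + "\n"


def parse_warn_extensions(value):
    """Model of the bar-terminated list: 'exe|com|' -> {'exe', 'com'}.

    A final token with no terminating '|' is ignored, which is the pitfall
    the advisory warns about.
    """
    exts = set()
    while "|" in value:
        token, _, value = value.partition("|")
        if token:
            exts.add(token.lower())
    # Whatever remains in `value` had no terminating bar and is dropped.
    return exts


def read_warn_extensions(ini_text):
    """Pull the raw WarnLaunchExtensions value out of the [Settings] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get("Settings", "WarnLaunchExtensions", fallback="")


def audit_ini(ini_text, required=("exe", "com", "bat", "lnk")):
    """Return (ok, missing): which required extensions would NOT trigger a warning."""
    warned = parse_warn_extensions(read_warn_extensions(ini_text))
    missing = sorted(e for e in required if e not in warned)
    return (not missing, missing)


def recommended_value(raw):
    """Rewrite a value so every entry, including lnk, is bar-terminated."""
    exts = [t for t in raw.split("|") if t]
    if "lnk" not in exts:
        exts.append("lnk")
    return "|".join(exts) + "|"


if __name__ == "__main__":
    for label, ini in (("default", INI_DEFAULT),
                       ("missing trailing bar", INI_MISSING_BAR),
                       ("recommended", INI_FIXED)):
        ok, missing = audit_ini(ini)
        print(f"{label:22} ok={ok} missing={missing}")
    print("fixed value:", recommended_value(read_warn_extensions(INI_DEFAULT)))
```

The second constructed snippet is the instructive case: it contains the string "lnk", so a text search for it would pass, yet under the terminator rule the entry is never recognised and the audit still reports "lnk" as missing. Checking the parsed set rather than the raw string is what catches that.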

Qualcomm has said that the next version of Eudora will warn for .lnk files as well by default.