Title: Qualcomm Eudora Hidden Attachment Execution Vulnerability
Severity: HIGH
Description:
Eudora is an email program for the Windows platform. Eudora contains a vulnerability that may allow an attacker to execute arbitrary code on a remote system when the 'Use Microsoft viewer' option is enabled, even if 'allow executables in HTML content' is disabled.
When attachments are 'embedded' in HTML email messages (for example, as images), they are stored by Eudora in a special directory. The HTML email can then reference these files using their Content ID as part of the URL ('cid:content-id'). Forms within HTML email can set their 'action' parameter to be an attached file using the Content ID in the same way. When these forms are submitted by users reading email, the webpage attachment is loaded from the 'embedded' directory in another browser (this is dependent on 'Use Microsoft Viewer' being set).
If the HTML page contains script code such as an ActiveX control, it is possible for attackers to execute another executable in the same directory as the webpage attachment.
Therefore if an attacker constructs an HTML email message with a form and two attachments 'embedded' in the message, one being the 'webpage' which serves as the 'action' of the form and the other being an arbitrary executable, the executable can be run on the host if the recipient 'submits' the form.
The user is not made aware of the executable being run on their host. If the executable is a backdoor or trojan, the attacker may gain remote access to the host.
It should be noted that certain 'tricks' can be employed to assist in carrying out this attack. An HTML form 'submit' button can be disguised in MSIE to look like a regular anchor link. This may fool users into clicking the 'submit' button.
** Eudora 5.1.1 is also stated as being vulnerable to this issue. The problem stems from Eudora not treating files with a '.MHTML' extension with caution. Thus, an attacker can send an email consisting of two files: malware.mhtml and malware.exe. When Eudora receives these files, it will automatically launch the browser and automatically execute the malicious attachment.
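A defender-side check for the message structure described above, as an added example that is not part of the original advisory: it flags a form whose 'action' is a 'cid:' reference to an embedded part, an executable attached alongside it, and the '.mhtml' plus executable pairing. The function names, the extension list and the sample messages built by `build` are assumptions constructed for illustration.

```python
import email
from email.message import EmailMessage
from html.parser import HTMLParser

EXEC_EXT = (".exe", ".com", ".bat", ".pif", ".scr")  # assumed list, not from the advisory

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append((dict(attrs).get("action") or "").strip())

def scan(raw):
    """Return findings for the message patterns the advisory describes."""
    msg = email.message_from_bytes(raw)
    cids, names, actions = set(), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-ID"):
            cids.add(part["Content-ID"].strip().strip("<>"))
        name = (part.get_filename() or "").lower()
        if name:
            names.append(name)  # named part: treated as an attachment
        elif part.get_content_type() == "text/html":
            parser = FormActions()
            parser.feed(part.get_payload(decode=True).decode("latin-1"))
            actions += parser.actions
    findings = ["form action targets embedded part: " + a for a in actions
                if a.lower().startswith("cid:") and a[4:] in cids]
    has_exe = any(n.endswith(EXEC_EXT) for n in names)
    if has_exe and findings:
        findings.append("executable attached alongside cid: form target")
    if has_exe and any(n.endswith(".mhtml") for n in names):
        findings.append("MHTML and executable attached together")
    return findings

def build(html, files):
    """Constructed sample message; attachment bodies are inert placeholder bytes."""
    m = EmailMessage()
    m.set_content(html, subtype="html")
    for name, cid in files:
        m.add_attachment(b"inert", maintype="application",
                         subtype="octet-stream", filename=name, cid=cid)
    return m.as_bytes()
```

`scan` takes the raw bytes of one message, so it can be run over a mail spool or gateway quarantine one message at a time.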
Affected Products:
- Qualcomm Eudora 5.1.0
- Qualcomm Eudora 5.1.1