Category:   Application (E-mail Client)  >   Eudora
Vendors:   Qualcomm
Eudora E-mail Client May Execute Remotely Supplied Scripting Code in the Local Computer Zone
SecurityTracker Alert ID:  1005664
SecurityTracker URL:  http://securitytracker.com/id/1005664
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 20 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network

Version(s): 5.1.1 and 5.2
Description:   A vulnerability was reported in the Eudora e-mail client software. A remote user may be able to cause arbitrary scripting code to be executed on the target user's computer in the Local Computer security zone.

iDEFENSE reported that a remote user could retrieve sensitive information from a target user's (victim's) computer.

A remote user can send specially crafted e-mail containing a URL and an HTML attachment with embedded scripting code to a target user. The URL must refer to the location where Eudora will store the HTML attachment (Eudora reportedly uses predictable file paths for storing attachments). When the target user clicks on the URL, the attachment will load in a frame and the embedded scripting will run in the context of the Local Computer zone. This scripting code may then retrieve the contents of local files and send the contents back to the remote user.

Impact:   A remote user can cause arbitrary scripting code to be executed in the Local Computer zone, if the target user clicks on a URL provided by the remote user.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to fix this in the next release.
Vendor URL:  www.eudora.com/
Cause:   Access control error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Tue, 19 Nov 2002 18:07:24 -0500
Subject:  [Full-Disclosure] iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02b:
http://www.idefense.com/advisory/11.19.02b.txt
Eudora Script Execution Vulnerability
November 19, 2002

I. BACKGROUND

Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and
Macintosh. More information about it is available at
http://www.eudora.com .

II. DESCRIPTION

Remote exploitation of a weakness in Eudora could allow for the
potential retrieval of sensitive information from a targeted Eudora
user's computer.

Eudora saves e-mail attachments in a predictable location. 
Exploitation works as such: an attacker sends an e-mail to a Eudora
user that directs him to a specific URL; the e-mail also contains an
HTML-enabled e-mail attachment that contains scripting code. If the
user is socially engineered into clicking on the link, then a frames
page can load the attachment in one of its frames. The attachment can
then retrieve (within the security settings of the local zone) the
content of any local file, and transmit it back to the attacker. The
attack script, in turn, can retrieve the contents of any local file
and transmit it back to the attacker. Since the issue is simple to
exploit, and the issue has still not been addressed, a sample attack
script is not included in this advisory.

III. ANALYSIS

Exploitation could lead to further compromise if the attacker is able
to retrieve sensitive files such as the Windows SAM table. It is also
possible for the attacker to obtain other confidential information. 
A secure implementation would involve using a random string within
the directory structure to prevent this class of attacks (e.g.
Mozilla e-mail client, etc.).

IV. DETECTION

Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions
may be affected as well.

To determine susceptibility, send an e-mail with an attachment to a
test Eudora user. Check if Eudora stores it in the C:\Program
Files\Qualcomm\Eudora\attach\ directory (assuming a default
installation). 

V. WORKAROUND

Change the default location where Eudora stores e-mail attachments.

VI. VENDOR RESPONSE

A Eudora Tech Support Specialist provided the following response
(from head Eudora developer):

"In rare circumstances, certain ill-formatted MIME boundaries can
cause Eudora to crash. It is exceedingly unlikely that this problem
could be exploited to undermine security. The problem will be fixed
in the next release of Eudora."

[iDEFENSE note: The response does not address the security
implications of this advisory. Two attempts were made to change or
clarify Qualcomm's response; all to no avail.]

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1210 to this issue.

VIII. DISCLOSURE TIMELINE

09/12/2002	Issue disclosed to iDEFENSE
10/14/2002	Qualcomm notified (eudora-custserv@eudora.com)
10/14/2002	iDEFENSE clients notified
10/15/2002	Autoresponse received
10/31/2002	Second attempt at contact 
11/07/2002	Third attempt at contact
11/08/2002	Vendor response from J. Michael L. (mlreply@qualcomm.com)
11/10/2002	Clarification request of Vendor Response from iDEFENSE
11/11/2002	Same response from J. Michael L. (mlreply@qualcomm.com)
11/12/2002	Second clarification request of Vendor Response from
iDEFENSE
11/19/2002 	Still no reply for vendor clarification of response
11/19/2002	Public disclosure

IX. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this
vulnerability.



- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPdrDkkrdNYRLCswqEQJc7QCfSGedu5O28cnm78OE1J1y9LBRwmsAoImw
bNiGiW0ruhVfLb/5Ek3s8tIg
=/ojw
-----END PGP SIGNATURE-----
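
The advisory's analysis recommends a random string within the attachment directory structure. The following is an added example, not code from Eudora, Mozilla or iDEFENSE, of how a mail client could store attachments that way; the attach.<random> layout and all function names are assumptions, and it goes slightly beyond the advisory by also reducing sender-supplied filenames to a single path component.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# All names here are hypothetical; this is not Eudora's or Mozilla's code.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def create_attachment_root(profile_dir):
    """Create <profile>/attach.<32 hex chars>/ once per mail profile."""
    # 128 bits from the OS CSPRNG: a link in a message cannot name this path.
    root = Path(profile_dir) / f"attach.{secrets.token_hex(16)}"
    root.mkdir(mode=0o700, parents=True)  # owner-only on POSIX
    return root


def safe_name(supplied):
    """Reduce a sender-supplied filename to one harmless path component."""
    base = supplied.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE.sub("_", base).lstrip(".")
    return base or "attachment"


def store_attachment(root, supplied_name, data):
    """Write data under the random root, never overwriting an existing file."""
    name = safe_name(supplied_name)
    stem, dot, ext = name.partition(".")
    target, n = root / name, 0
    while True:
        try:
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            break
        except FileExistsError:
            n += 1
            target = root / f"{stem}_{n}{dot}{ext}"
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo():
    html = b"<html><body>constructed sample</body></html>"  # constructed input
    first = create_attachment_root(tempfile.mkdtemp())
    second = create_attachment_root(tempfile.mkdtemp())
    return (store_attachment(first, "report.html", html),
            store_attachment(second, "..\\..\\report.html", html))
```

The random component must be generated per installation or profile and never echoed into outgoing mail or headers, otherwise the path becomes predictable again.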
