Qualcomm's Eudora E-mail Client Can Send Attachments In Certain Cases Without the User's Knowledge
SecurityTracker Alert ID: 1001355|
SecurityTracker URL: http://securitytracker.com/id/1001355
(Links to External Site)
Date: Apr 18 2001
Disclosure of system information, Disclosure of user information|
Exploit Included: Yes |
Version(s): 5.0.2 for Windows|
It was reported that Qualcomm's Eudora e-mail client may, under certain circumstances, attach files to outgoing forwarded e-mail without the sender's knowledge.|
This is reportedly a long standing but persistent vulnerability in Eudora.
Eudora reportedly pre-parses MIME-messages when storing the mail in the mbox file, extracting attachments and storing them in a separate attachment directory. The attachment is replaced by certain plain text on a single line with no leading whitespace in the message body where the MIME-part was located (e.g., Attachment Converted: "<filepath>").
Due to this implementation, a remote user could send a message to the victim that contained an "attachment converted" line in the text of the message pointing to a known file on the victim's host. If the message is then forwarded by the victim, the specified file will be attached to the outgoing forwarded message.
It is reported that Eudora does not show the message as containing attachments.
A user may be tricked into forwarding outbound e-mail that will be sent with an arbitrary attachment from the user's host where the user does not intend to send an attachment.|
No solution was available at the time of this entry.|
Vendor URL: www.eudora.com/ (Links to External Site)
|Underlying OS: Apple (Legacy "classic" Mac), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)|
Source Message Contents
Subject: Eudora file leakage problem (still)|
An attacker may be able to get any file from a users hard drive if he can
make the recieving party to forward a mail containing a false attachment
reference to this local file.
I remember having submitted this bug to Qualcomm a long time ago (> 4 years)
but this security problem still persists.
Eudora pre-parses MIME-messages when storing the mail in the mbox file. This
is done by extracting attachments and storing them in a separate attachment
directory. This is fine, and saves space - although it's not the best for
those who want to archive their mail unmodified.
The problem is that the attachment is replaced by e.g. the plain text
Att*chment Converted: "<filepath>"
on a single line with no leading whitespace in the message body where the
MIME-part was found. (Read _Attachment_ above)
An attacker might therefore be able to "steal" known files from anywhere in
the users filesystem by a combination of this problematic implementation and
some social skills.
1. The attacker sends a message to the user containing a line like this
(beware you who reads this with eudora, you would be seeing an icon here)
Attachment Converted: "c:\pagefile.sys"
with the path to a known file that the attacker would like to steal.
To make it more real, he would also include more _real_ attachments to
dim the effect.
2. In the letter, the receiving user is urged to forward this mail to
someone maybe to check if the mailsystem works, or for some other reason.
3. Done. The local file is attached to the outgoing mail.
* Works with the latest stable (5.0.2) Eudora Windows.
* The full file path to the files are required.
* Eudora does NOT show the message as containing attachments in the
mail listning if it only contains these fake attachments. This can
of course be circumvented just by adding a real attachment as well.
* The mail has to be forwarded by the mail recipient.