Bugtraq mailing list archives
Eudora Pro & Outlook Overflow - too long filenames again
From: Ultor () HERT ORG (Ultor)
Date: Mon, 15 May 2000 14:56:00 +0200
==== APPLICATIONS AFFECTED Qualcomm Eudora Pro (all versions) Outlook Express 4.* Microsoft Outlook 98 Eudora Light and Outlook Express 5.0 are NOT affected ==== DESCRIPTION These e-mail/news programs improperly handle filenames of files attached in e-mails. Too long filename can result in a buffer overflow condition when the program processes the attachment and tries to save the temporary file. As the reader generally processes the attachments when the user reads the message, the buffer overflow condition can be initiated. In Outlook if filename got graphic file extension then the buffer overflow condition can be initiated when trying to view the message (my last post on BUGTRAQ) if not then overflow will occur if user will try to save/open attached file. In Eudora Pro e-mail is processed while downloading mail from server so buffer overflow occurs when message is processed from spool directory. This can even lock e-mail account for the Eudora Pro users. As i know same problem is in Microsoft Outlook 98 version. ==== EXAMPLE Example Outlook e-mails are attached with this message (sorry to all Eudora Pro users for latest problems). ==== EXPLOITATION possible ... have fun =) ==== PATCHES If you use Outlook 98 or 4.* then change it on 5.* version. If you like Eudora style then use Eudora Light or wait for Eudora Pro patches. PS. In my opinion saving temporary files with same filenames as files attached in e-mail is very lame. They should use random filenames. ==== CREDITS Greetz for notice that Eudora Pro is vulnerable for same bug as Outlook to: Felicia Catherine Kaye <feline () feline pp se> Michael Smith <mike () icon co za> Greeetz to HERT,Lam3rZ,TESO ---------------------- Mark Bialoglowy [Ultor () hert org] --- Network Security Consultant Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI ---------------------- <HR NOSHADE> <UL> <LI>application/x-zip-compressed attachment: lfilename_bug.zip </UL>
Current thread:
- Eudora Pro & Outlook Overflow - too long filenames again Ultor (May 15)
- Fwd: [nohack] Yet another way to disguise files. Josh Rollyson (May 16)
- Re: Fwd: [nohack] Yet another way to disguise files. Ron DuFresne (May 16)
- Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) Michal Zalewski (May 18)
- Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) chris neill (May 19)
- Jolt2 crashes tcpdump Earl T. Carter (May 30)
- Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) Cory Visi (May 31)
- IBM HTTP SERVER / APACHE Marek Roy (May 31)
- Re: Fwd: [nohack] Yet another way to disguise files. Peter W (May 18)
- Re: Fwd: [nohack] Yet another way to disguise files. Ron DuFresne (May 16)
- Fwd: [nohack] Yet another way to disguise files. Josh Rollyson (May 16)
- Re: Eudora Pro & Outlook Overflow - too long filenames again Henrik .H (May 16)
- <Possible follow-ups>
- Re: Eudora Pro & Outlook Overflow - too long filenames again Microsoft Security Response Center (May 16)