Fwd: [SNS Advisory No.55 rev.2] Eudora 5.x for Windows Buffer Overflow Vulnerability

Julian Field mailscanner at ecs.soton.ac.uk
Sun Aug 11 00:38:45 IST 2002


The following was reported on the Bugtraq mailing list on Thursday, and I
have just got around to reading it. Apologies for the 2 day delay. Please
note that there have so far been no reported sightings of the exploit being
used in a real attack, but it's best to be prepared...

From discussion on the list, there appears to be some confusion about
exactly what versions/languages of Eudora are exploitable, and under what
versions of Windows.

I have written a patch which will detect an attack and neutralize it, so
that the attack no longer exists in the replacement warning message that is
sent on to the intended recipient. The patch is attached to this message.

Notes about this patch:

(A) The attached patch file affects 2 files: mailscanner and sweep.pl. You
should save copies of these in case the "patch" command makes a mess.
If you apply the patch using
         patch < 3.22-10.Eudora.bug.patch
and get a load of errors, your version of patch is too old to understand
multiple files in 1 patch. I recommend you upgrade your copy of "patch" to
a more recent version and try again. However, if you cannot upgrade it for
some reason or applying the patch still gives you errors, try this:
1. Restore the files "mailscanner" and "sweep.pl" from the copies you just
made.
2. Edit the patch file (it's plain text) and split it into 2 files: 1 that
only edits "mailscanner" and 1 that only edits "sweep.pl".
3. Apply each of the 2 new patch files in turn using a syntax similar to
the example "patch" command above.

(B) I have only tested this patch against MailScanner 3.22-10, so proceed
with caution if you are running an older version! The new code should work
fine in quite old versions of MailScanner, but the "patch" command may not
be able to patch the files automatically for you, so in this case you will
have to edit the code yourself.

(C) If you would like me to produce 3.22-11 containing this patch (and the
exploit of Exim I mentioned earlier today) then drop me a line and I'll do
it in the morning.

>Date: Thu, 08 Aug 2002 10:15:21 +0900
>From: Atsushi Nishimura <a.nisimr at lac.co.jp>
>To: bugtraq at securityfocus.com, news at securiteam.com
>Subject: [SNS Advisory No.55 rev.2] Eudora 5.x for Windows Buffer Overflow
>Vulnerability
>
>----------------------------------------------------------------------
>SNS Advisory No.55
>Eudora 5.x for Windows Buffer Overflow Vulnerability rev.2
>
>Problem first discovered: 6 Jun 2002
>Published: 5 Aug 2002
>Last revised: 8 Aug 2002
>----------------------------------------------------------------------
>
>Overview:
>---------
>   Eudora 5.x for Windows contains a buffer overflow vulnerability,
>   which could allow a remote attacker to execute arbitrary code.
>
>Problem Description:
>--------------------
>   Eudora developed and distributed by QUALCOMM Inc.
>   (http://www.qualcomm.com/), is a Mail User Agent running on Windows
>   95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
>
>   The buffer overflow occurs when Eudora receives a message using 139 bytes
>   or more of string as a boundary, which is used to divide a multi-part
>   message into separate parts. In our verification environment, we have
>   found that this could allow arbitrary commands to be executed.
>
>Tested Version:
>---------------
>   Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
>   Eudora 5.1.1 for Windows (Sponsored Mode) [English]
>
>Tested OS:
>----------
>   Microsoft Windows 2000 Professional SP2 [Japanese]
>   Microsoft Windows 98 SE [Japanese]
>
>Solution:
>---------
>   You can limit your exposure to this problem by using a content filtering
>   software which screens out email messages using 139 bytes or more of
>   string as a boundary.
>
>   QUALCOMM Inc. reported that this problem will be fixed in the next
>   release [English].
>
>   Livin' on the EDGE Co., Ltd. reported that this problem will be fixed in
>   Eudora5.1-J for Windows [Japanese] of the next release.
>
>Communication background:
>-------------------------
>  6 Jun 2002  : We discovered the vulnerability.
>  6 Jun 2002  : We reported the findings to win-eudora-bugs at kuni.co.jp
>  14 Jun 2002 : the findings were reported again to
>                win-eudora-bugs at kuni.co.jp
>  17 Jun 2002 : We contacted QUALCOMM Inc.
>  18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
>                investigation of the problem.
>  3 Jul 2002  : We asked QUALCOMM Inc. about the progress of the
>                investigation
>  19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
>                investigation
>  24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
>                of this advisory
>  25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
>                the next release
>  5 Aug 2002  : We decided to disclose this vulnerability due to concern
>                over the potential consequences this issue may cause.
>                win-eudora-bugs at kuni.co.jp has not provided any comments
>                on this issue as of August 5, 2002.
>  6 Aug 2002  : It turns out that connection has not reached Livin' on the
>                EDGE Co., Ltd. (user support of Japanese version).  Livin'
>                on the EDGE Co., Ltd. reported that this problem will be
>                fixed in the next release immediately.
>
>Discovered by:
>--------------
>   Nobuo Miwa (LAC / n-miwa at lac.co.jp)
>
>Revision History:
>-----------------
>  5 Aug 2002  : * Initial release
>  8 Aug 2002  : * Added the detail of problem description
>                * Changed "Livin' on the EDGE Co., Ltd." into
>                  "win-eudora-bugs at kuni.co.jp"
>                * Added mitigation strategy to Solution
>                * Added the information from Livin' on the EDGE Co., Ltd. to
>                  Solution
>                * Added the report from Livin' on the EDGE Co., Ltd. to
>                  Communication background
>
>Disclaimer:
>-----------
>   All information in these advisories are subject to change without any
>   advanced notices neither mutual consensus, and each of them is released
>   as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
>   caused by applying those information.
>
>------------------------------------------------------------------
>SecureNet Service(SNS) Security Advisory <snsadv at lac.co.jp>
>Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.22-10.Eudora.bug.patch
Type: application/octet-stream
Size: 2619 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020811/0c6edb7c/3.22-10.Eudora.bug.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
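
The content-filtering mitigation described in the advisory (screening out messages whose multipart boundary is 139 bytes or more), as an added example. This is not the attached MailScanner patch or any MailScanner code; the function names, the part-path labels and the sample message are constructed for illustration, and the stricter 70-character option comes from the boundary limit in RFC 2046.

```python
# Added example (not MailScanner code): flag overlong MIME boundaries.
from email import message_from_bytes
from email.policy import compat32

ADVISORY_LIMIT = 139  # bytes; threshold stated in SNS Advisory No.55
RFC2046_LIMIT = 70    # maximum boundary length allowed by RFC 2046


def boundary_lengths(raw: bytes):
    """Yield (part_path, byte_length) for every boundary parameter,
    including boundaries declared on nested multipart parts."""
    stack = [("root", message_from_bytes(raw, policy=compat32))]
    while stack:
        path, part = stack.pop()
        boundary = part.get_param("boundary")
        if boundary is not None:
            if isinstance(boundary, tuple):  # RFC 2231 (charset, lang, value)
                boundary = boundary[2]
            yield path, len(boundary.encode("utf-8", "surrogateescape"))
        if part.is_multipart():
            for i, child in enumerate(part.get_payload()):
                stack.append((f"{path}.{i}", child))


def check_message(raw: bytes, limit: int = ADVISORY_LIMIT):
    """Return [(part_path, length)] for boundaries of `limit` bytes or more."""
    return [(p, n) for p, n in boundary_lengths(raw) if n >= limit]


def sample_message(boundary: str) -> bytes:
    """Constructed single-level multipart message using `boundary`."""
    return (
        "From: a@example.test\r\nTo: b@example.test\r\nSubject: sample\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f"--{boundary}--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for size in (30, 138, 139):
        hits = check_message(sample_message("A" * size))
        print(size, "quarantine" if hits else "deliver", hits)
```

Passing `limit=RFC2046_LIMIT` rejects any boundary longer than the standard permits, which also covers the 139-byte case.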

