In short:
=========
An attacker may be able to get any file from a user's hard drive if he can
make the receiving party forward a mail containing a false attachment
reference to this local file.

----

I remember having submitted this bug to Qualcomm a long time ago (> 4 years)
but this security problem still persists.

Eudora pre-parses MIME messages when storing the mail in the mbox file. This
is done by extracting attachments and storing them in a separate attachment
directory. This is fine, and saves space, although it's not the best for those
who want to archive their mail unmodified.

The problem is that the attachment is replaced by e.g. the plain text

Att*chment Converted: "<filepath>"

on a single line with no leading whitespace in the message body where the
MIME part was found. (Read _Attachment_ above)

An attacker might therefore be able to "steal" known files from anywhere in
the user's filesystem by a combination of this problematic implementation and
some social skills.

1. The attacker sends a message to the user containing a line like this
   (beware, you who read this with Eudora, you would be seeing an icon here)

Attachment Converted: "c:\pagefile.sys"

   with the path to a known file that the attacker would like to steal. To
   make it more real, he would also include more _real_ attachments to dim
   the effect.

2. In the letter, the receiving user is urged to forward this mail to
   someone, maybe to check if the mail system works, or for some other reason.

3. Done. The local file is attached to the outgoing mail.

Notes:
======
* Works with the latest stable (5.0.2) Eudora Windows.
* The full file path to the file is required.
* Eudora does NOT show the message as containing attachments in the mail
  listing if it only contains these fake attachments. This can of course be
  circumvented just by adding a real attachment as well.
* The mail has to be forwarded by the mail recipient.

/magnus
--
http://x42.com/
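
A detection-side illustration of the marker line described above, as an added example that is not part of the original post and is not Eudora code: a Python filter for inbound mail that decodes every text part and reports any line beginning with the marker. The function names and the sample messages are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Marker as the post describes it: starts at column 0, path in double quotes.
MARKER = re.compile(r'^Attachment Converted: "([^"\r\n]*)"', re.MULTILINE)


def fake_attachment_refs(raw: bytes) -> list:
    """Return the file paths named by marker lines in inbound text parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes base64 / quoted-printable, so an encoded
        # marker is found too; a grep over the raw message would miss it.
        try:
            text = part.get_content()
        except (LookupError, UnicodeError):
            text = part.get_payload(decode=True).decode("latin-1")
        hits += MARKER.findall(text)
    return hits


def build_sample(body: str, cte: str) -> bytes:
    """Constructed test message; cte is the Content-Transfer-Encoding."""
    m = EmailMessage()
    m["Subject"] = "please forward"
    m.set_content(body, cte=cte)
    return m.as_bytes()


# Constructed bodies: one with the marker at column 0, one indented.
BODY_HIT = 'Hi,\nAttachment Converted: "c:\\pagefile.sys"\nbye\n'
BODY_INDENTED = 'Hi,\n  Attachment Converted: "c:\\pagefile.sys"\nbye\n'

if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(BODY_HIT, cte)
        print(cte, b"Attachment Converted" in raw, fake_attachment_refs(raw))
    print("indented", fake_attachment_refs(build_sample(BODY_INDENTED, "7bit")))
```

A gateway or local filter can quarantine or flag any inbound message for which the function returns a non-empty list, since a genuine incoming message has no reason to carry this line in its body text.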
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 00:57:22 PDT