-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 11.19.02b: http://www.idefense.com/advisory/11.19.02b.txt Eudora Script Execution Vulnerability November 19, 2002 I. BACKGROUND Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and Macintosh. More information about it is available at http://www.eudora.com . II. DESCRIPTION Remote exploitation of a weakness in Eudora could allow for the potential retrieval of sensitive information from a targeted Eudora user's computer. Eudora saves e-mail attachments in a predictable location. Exploitation works as such: an attacker sends an e-mail to a Eudora user that directs him to a specific URL; the e-mail also contains an HTML-enabled e-mail attachment that contains scripting code. If the user is socially engineered into clicking on the link, then a frames page can load the attachment in one of its frames. The attachment can then retrieve (within the security settings of the local zone) the content of any local file, and transmit it back to the attacker. The attack script, in turn, can retrieve the contents of any local file and transmit it back to the attacker. Since the issue is simple to exploit, and the issue has still not been addressed, a sample attack script is not included in this advisory. III. ANALYSIS Exploitation could lead to further compromise if the attacker is able to retrieve sensitive files such as the Windows SAM table. It is also possible for the attacker to obtain other confidential information. A secure implementation would involve using a random string within the directory structure to prevent this class of attacks (e.g. Mozilla e-mail client, etc.). IV. DETECTION Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions may be affected as well. To determine susceptibility, send an e-mail with an attachment to a test Eudora user. Check if Eudora stores it in the C:\Program Files\Qualcomm\Eudora\attach\ directory (assuming a default installation). V. WORKAROUND Change the default location where Eudora stores e-mail attachments. VI. VENDOR RESPONSE A Eudora Tech Support Specialist provided the following response (from head Eudora developer): "In rare circumstances, certain ill-formatted MIME boundaries can cause Eudora to crash. It is exceedingly unlikely that this problem could be exploited to undermine security. The problem will be fixed in the next release of Eudora." [iDEFENSE note: The response does not address the security implications of this advisory. Two attempts were made to change or clarify Qualcomm's response; all to no avail.] VII. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1210 to this issue. VIII. DISCLOSURE TIMELINE 09/12/2002 Issue disclosed to iDEFENSE 10/14/2002 Qualcomm notified (eudora-custservat_private) 10/14/2002 iDEFENSE clients notified 10/15/2002 Autoresponse recieved 10/31/2002 Second attempt at contact 11/07/2002 Third attempt at contact 11/08/2002 Vendor response from J. Michael L. (mlreplyat_private) 11/10/2002 Clarification request of Vendor Response from iDEFENSE 11/11/2002 Same response from J. Michael L. (mlreplyat_private) 11/12/2002 Second clarification request of Vendor Response from iDEFENSE 11/19/2002 Still no reply for vendor clarification of response 11/19/2002 Public disclosure IX. CREDIT Bennett Haselton (bennettat_private) discovered this vulnerability. Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listservat_private, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com. - -dave David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendlerat_private www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPdrDkkrdNYRLCswqEQJc7QCfSGedu5O28cnm78OE1J1y9LBRwmsAoImw bNiGiW0ruhVfLb/5Ek3s8tIg =/ojw -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 10:36:56 PST