CRIME iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability

From: Wanja Eric Naef (IWS) (w.naef@private)
Date: Tue Nov 19 2002 - 16:50:43 PST

    FYI for Eudora Users.
    
    WEN
    
    ------------------------------------------------------------------------
    'Information is the currency of victory on the battlefield.'
    GEN Gordon Sullivan, CSA (1993)
    ------------------------------------------------------------------------
    
    Wanja Eric Naef
    Principal Researcher
    IWS - The Information Warfare Site
    http://www.iwar.org.uk
    
    ------------------------------------------------------------------------
    Join the IWS Infocon Mailing List @
    http://www.iwar.org.uk/general/mailinglist.htm
    ------------------------------------------------------------------------
    
    
    -----Original Message-----
    From: iDEFENSE Labs 
    Sent: 19 November 2002 23:04
    To: Wanja Eric Naef
    Subject: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution
    Vulnerability
    
    iDEFENSE Security Advisory 11.19.02b:
    http://www.idefense.com/advisory/11.19.02b.txt
    Eudora Script Execution Vulnerability
    November 19, 2002
    
    I. BACKGROUND
    
    Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and
    Macintosh. More information about it is available at
    http://www.eudora.com .
    
    II. DESCRIPTION
    
    Remote exploitation of a weakness in Eudora could allow for the
    potential retrieval of sensitive information from a targeted Eudora
    user's computer.
    
    Eudora saves e-mail attachments in a predictable location. Exploitation
    works as follows: an attacker sends an e-mail to a Eudora user that directs
    him to a specific URL; the e-mail also contains an HTML-enabled e-mail
    attachment that contains scripting code. If the user is socially
    engineered into clicking on the link, then a frames page can load the
    attachment in one of its frames. The attachment can then retrieve
    (within the security settings of the local zone) the content of any
    local file, and transmit it back to the attacker. Since the issue is
    simple to exploit, and the issue has still not been addressed, a sample
    attack script is not included in this advisory.
    
    III. ANALYSIS
    
    Exploitation could lead to further compromise if the attacker is able to
    retrieve sensitive files such as the Windows SAM table. It is also
    possible for the attacker to obtain other confidential information.  A
    secure implementation would involve using a random string within the
    directory structure to prevent this class of attacks (e.g. Mozilla
    e-mail client, etc.).
    
    IV. DETECTION
    
    Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions may
    be affected as well.
    
    To determine susceptibility, send an e-mail with an attachment to a test
    Eudora user. Check if Eudora stores it in the
    C:\Program Files\Qualcomm\Eudora\attach\ directory (assuming a default
    installation).
    
    V. WORKAROUND
    
    Change the default location where Eudora stores e-mail attachments.
    
    VI. VENDOR RESPONSE
    
    A Eudora Tech Support Specialist provided the following response (from
    head Eudora developer):
    
    "In rare circumstances, certain ill-formatted MIME boundaries can cause
    Eudora to crash. It is exceedingly unlikely that this problem could be
    exploited to undermine security. The problem will be fixed in the next
    release of Eudora."
    
    [iDEFENSE note: The response does not address the security implications
    of this advisory. Two attempts were made to change or clarify Qualcomm's
    response; all to no avail.]
    
    VII. CVE INFORMATION
    
    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1210 to this issue.
    
    VIII. DISCLOSURE TIMELINE
    
    09/12/2002	Issue disclosed to iDEFENSE
    10/14/2002	Qualcomm notified (eudora-custserv@private)
    10/14/2002	iDEFENSE clients notified
    10/15/2002	Autoresponse received
    10/31/2002	Second attempt at contact
    11/07/2002	Third attempt at contact
    11/08/2002	Vendor response from J. Michael L. (mlreply@private)
    11/10/2002	Clarification request of Vendor Response from iDEFENSE
    11/11/2002	Same response from J. Michael L. (mlreply@private)
    11/12/2002	Second clarification request of Vendor Response from iDEFENSE
    11/19/2002	Still no reply for vendor clarification of response
    11/19/2002	Public disclosure
    
    IX. CREDIT
    
    Bennett Haselton (bennett@private) discovered this vulnerability.
    
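The following is an added example, not code from the iDEFENSE advisory, from Qualcomm, or from any mail client. It models the root cause named in Section II (attachments land at a path a remote sender can predict) next to the mitigation proposed in Section III (a random string in the directory structure), without reproducing the withheld attack script. The advisory's Windows path is kept only as a constant for reference; the demo writes to a temporary directory so it runs on any OS, the attachment body is a constructed sample, and the function names are this example's own.

```python
"""Predictable vs. unpredictable attachment storage (added example)."""
import re
import secrets
import tempfile
from pathlib import Path

# Default Eudora attachment directory named in the advisory (Windows path,
# kept for reference only; the demo below writes to a temporary directory).
EUDORA_DEFAULT_ATTACH_DIR = r"C:\Program Files\Qualcomm\Eudora\attach"

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_name(filename: str) -> str:
    """Reduce an attacker-supplied attachment name to a plain base name.

    Drops any directory part (both separators, since the name arrives from
    the network), replaces characters outside a conservative set, and
    refuses leading dots so the result can never be a hidden or parent entry.
    """
    base = re.split(r"[\\/]", filename)[-1]
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    return base or "attachment"


def store_attachment(attach_dir: Path, filename: str, data: bytes,
                     randomize: bool) -> Path:
    """Write an attachment under attach_dir and return its path.

    randomize=False reproduces the predictable layout the advisory describes:
    attach_dir/<name>.  randomize=True inserts a per-attachment directory
    whose name is 128 bits of CSPRNG output (secrets.token_urlsafe), so a
    remote sender cannot construct the file's path from the name alone.
    """
    name = safe_name(filename)
    target_dir = (attach_dir / secrets.token_urlsafe(16)) if randomize else attach_dir
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / name
    path.write_bytes(data)
    return path


def attacker_guess(attach_dir: Path, filename: str) -> Path:
    """The only path a remote sender can derive from a known default layout."""
    return attach_dir / safe_name(filename)


def demo() -> dict:
    """Store the same attachment both ways; report whether the guess hits."""
    results = {}
    for label, randomize in (("predictable", False), ("randomized", True)):
        attach_dir = Path(tempfile.mkdtemp(prefix="attach_"))
        # Constructed sample: a traversal-flavoured name and an HTML body.
        stored = store_attachment(attach_dir, "..\\..\\evil.html",
                                  b"<html>constructed sample</html>", randomize)
        guess = attacker_guess(attach_dir, "evil.html")
        results[label] = {"stored": str(stored), "guess_hits": guess.exists()}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:11s} stored at {r['stored']}  attacker guess hits: {r['guess_hits']}")
```

The randomized layout only helps if the random component never leaks to the sender (it must not appear in bounce messages, read receipts, or URLs the client opens), and it complements rather than replaces the workaround in Section V: moving the attachment directory off the default path removes the one guess an attacker gets for free, while the random subdirectory removes every other guess.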



    This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 17:12:43 PST