Eudora Attachment Buffer Overflow

whizENEXT.DYNDNS.ORG

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Ben Laurie: "OpenSSL/SSLeay Security Alert"
• Previous message: Aleph One: "The default permissions on /dev/kmem is insecure."

I have found another problem with Eudora, attachments, and long filenames that
is similar to the the problem I found last year.

If two messages are sent to an Eudora 4.1 user that have an attachment with a
filename of around 231 or more, the next time the user checkes his mail Eudora
crashes.  I say 231 because C:\Program Files\Eudora\Attach\ is 31 characters +
231 = 262 = longer then Windows can handle.

Eudora trucates the long filename correctly and thats why you cant't send just
one messages with a long name, like you use to be able to do with Eudora 4.0.
But it truncates it so the the path length is 259 characters which is the
maximum.  Then when it receives the second attachment it truncates, and trys to
add a 1 to the end, this is where it crashes.  This allows you to modify the
return address to point to arbitrary code.

Here is how i tested:
Send message to myself with attchment that has a long filename
Resend exact message
Check my mail
Eudora crashes

Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are
affected.

The vendor of Eudora, Qualcomm was notified of this problem on 3/12/99.

-whiz
whizenext.dyndns.org
http://enext.dyndns.org/~whiz/

• Next message: Ben Laurie: "OpenSSL/SSLeay Security Alert"
• Previous message: Aleph One: "The default permissions on /dev/kmem is insecure."