From: David Endler (dendler_at_idefense.com)
Date: Tue Nov 19 2002 - 17:07:24 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.19.02b:
    http://www.idefense.com/advisory/11.19.02b.txt
    Eudora Script Execution Vulnerability
    November 19, 2002

    I. BACKGROUND

    Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and
    Macintosh. More information about it is available at
    http://www.eudora.com .

    II. DESCRIPTION

    Remote exploitation of a weakness in Eudora could allow for the
    potential retrieval of sensitive information from a targeted Eudora
    user's computer.

    Eudora saves e-mail attachments in a predictable location.
    Exploitation works as follows: an attacker sends an e-mail to a
    Eudora user that directs him to a specific URL; the e-mail also
    contains an HTML-enabled e-mail attachment that contains scripting
    code. If the user is socially engineered into clicking on the link,
    then a frames page can load the attachment in one of its frames. The
    attachment can then retrieve (within the security settings of the
    local zone) the content of any local file, and transmit it back to
    the attacker. Since the issue is simple to exploit and has still not
    been addressed, a sample attack script is not included in this
    advisory.

    III. ANALYSIS

    Exploitation could lead to further compromise if the attacker is able
    to retrieve sensitive files such as the Windows SAM table. It is also
    possible for the attacker to obtain other confidential information.
    A secure implementation would involve using a random string within
    the directory structure to prevent this class of attacks (e.g.
    Mozilla e-mail client, etc.).

    IV. DETECTION

    Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions
    may be affected as well.

    To determine susceptibility, send an e-mail with an attachment to a
    test Eudora user. Check if Eudora stores it in the C:\Program
    Files\Qualcomm\Eudora\attach\ directory (assuming a default
    installation).

    V. WORKAROUND

    Change the default location where Eudora stores e-mail attachments.

    VI. VENDOR RESPONSE

    A Eudora Tech Support Specialist provided the following response
    (from head Eudora developer):

    "In rare circumstances, certain ill-formatted MIME boundaries can
    cause Eudora to crash. It is exceedingly unlikely that this problem
    could be exploited to undermine security. The problem will be fixed
    in the next release of Eudora."

    [iDEFENSE note: The response does not address the security
    implications of this advisory. Two attempts were made to change or
    clarify Qualcomm's response; all to no avail.]

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1210 to this issue.

    VIII. DISCLOSURE TIMELINE

    09/12/2002 Issue disclosed to iDEFENSE
    10/14/2002 Qualcomm notified (eudora-custserv@eudora.com)
    10/14/2002 iDEFENSE clients notified
    10/15/2002 Autoresponse received
    10/31/2002 Second attempt at contact
    11/07/2002 Third attempt at contact
    11/08/2002 Vendor response from J. Michael L. (mlreply@qualcomm.com)
    11/10/2002 Clarification request of Vendor Response from iDEFENSE
    11/11/2002 Same response from J. Michael L. (mlreply@qualcomm.com)
    11/12/2002 Second clarification request of Vendor Response from
    iDEFENSE
    11/19/2002 Still no reply for vendor clarification of response
    11/19/2002 Public disclosure

    IX. CREDIT

    Bennett Haselton (bennett@peacefire.org) discovered this
    vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPdrDkkrdNYRLCswqEQJc7QCfSGedu5O28cnm78OE1J1y9LBRwmsAoImw
    bNiGiW0ruhVfLb/5Ek3s8tIg
    =/ojw
    -----END PGP SIGNATURE-----
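
The check from section IV and the mitigation from section III (a random string within the directory structure), as an added example that is not part of the original advisory or of any Eudora or Mozilla code. The function names, the `.attach` suffix and the sample inputs are assumptions constructed for illustration; only the default path comes from the advisory.

```python
import os
import secrets
import tempfile
from pathlib import Path, PureWindowsPath

# Default location named in the advisory (section IV).
DEFAULT_ATTACH_DIR = PureWindowsPath(r"C:\Program Files\Qualcomm\Eudora\attach")


def is_predictable(configured_dir: str) -> bool:
    """True if the attachment directory is the well-known default path."""
    # PureWindowsPath compares case-insensitively and normalises separators.
    return PureWindowsPath(configured_dir) == DEFAULT_ATTACH_DIR


def create_attach_dir(profile_root: Path) -> Path:
    """Create an attachment directory whose name holds 128 random bits."""
    salted = profile_root / f"{secrets.token_hex(16)}.attach"
    salted.mkdir(mode=0o700, parents=True, exist_ok=False)
    return salted


def save_attachment(attach_dir: Path, suggested_name: str, data: bytes) -> Path:
    """Store data under attach_dir, ignoring any path in the sender's name."""
    # Keep only the final component so "..\\..\\x.html" stays inside the dir.
    name = PureWindowsPath(suggested_name).name
    if name in ("", ".."):
        name = "attachment"  # hypothetical fallback name
    target = attach_dir / name
    # O_EXCL refuses to overwrite an existing file of the same name.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run the checks on constructed sample input in a temporary profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        first, second = create_attach_dir(root), create_attach_dir(root)
        saved = save_attachment(first, r"..\..\report.html", b"<p>constructed</p>")
        return {
            "default_flagged": is_predictable("c:/program files/qualcomm/eudora/ATTACH/"),
            "custom_flagged": is_predictable(r"D:\Mail\attach"),
            "dirs_differ": first.name != second.name,
            "stays_inside": saved.parent == first and saved.name == "report.html",
        }
```

Because the directory name is drawn from a CSPRNG per profile, a remote page cannot name the saved attachment's local path in advance, which is the property the advisory's predictable default location lacks.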