Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: eudora.htm

Eudora - get any file from a user's hard drive



Vulnerability

    Eudora

Affected

    Eudora till present one

Description

    Magnus Bodin found following.  An attacker may be able to get  any
    file from a users  hard drive if he  can make the recieving  party
    to forward a mail containing a false attachment reference to  this
    local file.

    Magnus submitted this bug to Qualcomm a long time ago (> 4  years)
    but this security problem still persists.

    Eudora pre-parses MIME-messages when storing the mail in the  mbox
    file.  This is done by extracting attachments and storing them  in
    a separate attachment directory.  This is fine, and saves space  -
    although it's  not the  best for  those who  want to archive their
    mail unmodified.

    The problem is that the  attachment is replaced by e.g.  the plain
    text

        Att*chment Converted: "<filepath>"

    on a single  line with no  leading whitespace in  the message body
    where the MIME-part was found. (Read _Attachment_ above)

    An attacker might  therefore be able  to "steal" known  files from
    anywhere  in  the  users  filesystem  by  a  combination  of  this
    problematic implementation and some social skills.

    1. The attacker sends a message to the user containing a line like
       this  (beware  you  who  reads  this  with eudora, you would be
       seeing an icon here)

        Attachment Converted: "c:\pagefile.sys"

       with the path to a known  file that the attacker would like  to
       steal.

       To  make  it  more  real,  he  would  also  include more _real_
       attachments to dim the effect.

    2. In the letter, the receiving user is urged to forward this mail
       to someone maybe to check if the mailsystem works, or for  some
       other reason.

    3. Done.  The local file is attached to the outgoing mail.


    This works  with the  latest stable  (5.0.2) Eudora  Windows.  The
    full file path to  the files are required.   Eudora does NOT  show
    the message as containing attachments  in the mail listning if  it
    only  contains  these  fake  attachments.   This  can of course be
    circumvented just by adding a  real attachment as well.   The mail
    has to be forwarded by the mail recipient.

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH