[SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability
From: snsadv@lac.co.jpDate: 08/05/02
- Previous message: Florian Weimer: "RUS-CERT Advisory 2002-08:02: Flaw in calloc and similar routines"
- Next in thread: Hack Hawk: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Reply: Hack Hawk: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Reply: Kanatoko: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 05 Aug 2002 15:24:25 +0900 From: snsadv@lac.co.jp To: bugtraq@securityfocus.com
----------------------------------------------------------------------
SNS Advisory No.55
Eudora 5.x for Windows Buffer Overflow Vulnerability
Problem first discovered: 6 Jun 2002
Published: 5 Aug 2002
----------------------------------------------------------------------
Overview:
---------
Eudora 5.x for Windows contains a buffer overflow vulnerability,
which could allow a remote attacker to execute arbitrary code.
Problem Description:
--------------------
Eudora developed and distributed by QUALCOMM Inc.
(http://www.qualcomm.com/), is a Mail User Agent running on Windows
95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
The buffer overflow occurs when Eudora receives a message using a long
string as a boundary, which is used to divide a multi-part message into
separate parts. In our verification environment, we have found that
this could allow arbitrary commands to be executed.
Tested Version:
---------------
Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
Eudora 5.1.1 for Windows (Sponsored Mode) [English]
Tested OS:
----------
Microsoft Windows 2000 Professional SP2 [Japanese]
Microsoft Windows 98 SE [Japanese]
Solution:
---------
The problem will be fixed in the next release of Eudora.
The vendor has not reported when the next release will be available.
Communication background:
-------------------------
6 Jun 2002 : We discovered the vulnerability.
6 Jun 2002 : We reported the findings to Livin' on the EDGE Co., Ltd.
(user support of Japanese version) .
14 Jun 2002 : the findings were reported again to Livin' on the EDGE Co.,
Ltd. .
17 Jun 2002 : We contacted QUALCOMM Inc. .
18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
investigation of the problem.
3 Jul 2002 : We asked QUALCOMM Inc. about the progress of the
investigation
19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
investigation
24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
of this advisory
25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
the next release
5 Aug 2002 : We decided to disclose this vulnerability due to concern
over the potential consequences this issue may cause.
Livin' on the EDGE Co., Ltd. has not provided any comments
on this issue as of August 5, 2002.
Discovered by:
--------------
Nobuo Miwa (LAC / n-miwa@lac.co.jp)
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
- Previous message: Florian Weimer: "RUS-CERT Advisory 2002-08:02: Flaw in calloc and similar routines"
- Next in thread: Hack Hawk: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Reply: Hack Hawk: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Reply: Kanatoko: "Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
