[20287] in bugtraq

Eudora file leakage problem (still)

daemon@ATHENA.MIT.EDU (Magnus Bodin)
Wed Apr 18 03:59:25 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010418062355.A12415@bodin.org>
Date:         Wed, 18 Apr 2001 06:23:56 +0200
Reply-To: Magnus Bodin <magnus@BODIN.ORG>
From: Magnus Bodin <magnus@BODIN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

In short:
=========

An attacker may be able to get any file from a user's hard drive if he can
get the receiving party to forward a mail containing a false attachment
reference to this local file.

----

I remember having submitted this bug to Qualcomm a long time ago (> 4 years)
but this security problem still persists.

Eudora pre-parses MIME-messages when storing the mail in the mbox file. This
is done by extracting attachments and storing them in a separate attachment
directory. This is fine, and saves space - although it's not the best for
those who want to archive their mail unmodified.

The problem is that the attachment is replaced by e.g. the plain text

          Att*chment Converted: "<filepath>"

on a single line with no leading whitespace in the message body where the
MIME-part was found. (Read _Attachment_ above)

An attacker might therefore be able to "steal" known files from anywhere in
the user's filesystem by a combination of this problematic implementation and
some social skills.

1. The attacker sends a message to the user containing a line like this
(beware, those of you reading this with Eudora: you would be seeing an icon here)

Attachment Converted: "c:\pagefile.sys"

   with the path to a known file that the attacker would like to steal.

   To make it more real, he would also include more _real_ attachments to
   dim the effect.

2. In the letter, the receiving user is urged to forward this mail to
   someone, maybe to check if the mail system works, or for some other reason.

3. Done. The local file is attached to the outgoing mail.


Notes:
======
	* Works with the latest stable (5.0.2) Eudora Windows.

	* The full path to each file is required.

	* Eudora does NOT show the message as containing attachments in the
	  mail listing if it only contains these fake attachments. This can
	  of course be circumvented just by adding a real attachment as well.

	* The mail has to be forwarded by the mail recipient.


/magnus

--
http://x42.com/
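
A mail-gateway check for the marker line described above, as an added example
that is not part of the original post and is not Eudora or Qualcomm code. It
flags inbound text parts that carry the marker at column 0 and indents such
lines; that indenting stops Eudora from treating the line as an attachment
reference is an assumption drawn from the "no leading whitespace" description.
The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Marker text as quoted in the advisory. Anchored at column 0 because the
# advisory says the line has no leading whitespace. Case-insensitive matching
# is a conservative choice of this example, not documented Eudora behaviour.
MARKER = re.compile(r'^Attachment Converted:[ \t]*"([^"\r\n]*)"', re.IGNORECASE)

def find_fake_markers(raw_message):
    """Return [(line_number, path)] for marker lines found in text parts.

    Line numbers are relative to the decoded body of each text part.
    """
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        try:
            text = payload.decode(part.get_content_charset() or "us-ascii", "replace")
        except LookupError:  # unknown charset label
            text = payload.decode("latin-1")
        for number, line in enumerate(text.splitlines(), 1):
            match = MARKER.match(line)
            if match:
                hits.append((number, match.group(1)))
    return hits

def neutralize(body_text):
    """Indent marker lines by one space so they no longer start at column 0."""
    return "\n".join(" " + line if MARKER.match(line) else line
                     for line in body_text.split("\n"))

# Constructed sample message; the marker line is the one shown in the advisory.
SAMPLE = (
    "From: sender@example.org\nTo: user@example.org\n"
    "Subject: please forward\n"
    "Content-Type: text/plain; charset=us-ascii\n\n"
    "Please forward this to check the mail system.\n"
    'Attachment Converted: "c:\\pagefile.sys"\n'
    ' Attachment Converted: "c:\\indented.txt"\n'
)

if __name__ == "__main__":
    for number, path in find_fake_markers(SAMPLE):
        print(f"body line {number}: inbound text references local path {path!r}")
```

A legitimate inbound message has no reason to contain this line, since Eudora
writes it locally when it stores the mail, so any hit is worth quarantining.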