Packet Storm: PACKETSTORM:15148
Aug 17, 1999 - 12:00 a.m.

eudoraurl.txt

Packet Storm
packetstormsecurity.com
Date: Fri, 7 Aug 1998 13:40:54 -0400  
From: "Stout, Bill" <[email protected]>  
Subject: Eudora executes (Java) URL  
  
Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.  
  
"The Eudora flaw came to light just a little more than a week after security  
researchers announced a similar problem in versions of Microsoft's Outlook  
and Outlook Express e-mail programs and in Netscape's Mail program. The  
Eudora vulnerability was brought to light earlier this week by Richard M.  
Smith, president of Phar Lap Software, a Cambridge, Mass.-based maker of  
operating system software and products for Microsoft's MS-DOS, the operating  
system that predated Windows."  
http://www.mercurycenter.com/premium/business/docs/internet07.htm  
  
"You may have read recently that there is potential for unauthorized  
programs to be run on your system through the use of hostile Java scripts  
and/or applets. This problem affects users of Eudora Pro Email 4.0 and  
4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that Eudora  
Light users and users of previous versions of Eudora Pro are not susceptible  
to these Java attacks..." http://eudora.qualcomm.com/security.html  
  
Bill Stout  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 Aug 1998 15:12:02 -0700  
From: "John D. Hardin" <[email protected]>  
Subject: Re: Eudora executes (Java) URL  
  
On Fri, 7 Aug 1998, Stout, Bill wrote:  
  
> Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.  
>  
> "The Eudora flaw came to light just a little more than a week after  
> security researchers announced a similar problem in versions of  
> Microsoft's Outlook and Outlook Express e-mail programs and in  
> Netscape's Mail program. The Eudora vulnerability was brought to light  
> earlier this week by Richard M. Smith, president of Phar Lap Software, a  
> Cambridge, Mass.-based maker of operating system software and products  
> for Microsoft's MS-DOS, the operating system that predated Windows."  
> http://www.mercurycenter.com/premium/business/docs/internet07.htm  
>  
> "You may have read recently that there is potential for unauthorized  
> programs to be run on your system through the use of hostile Java  
> scripts and/or applets. This problem affects users of Eudora Pro Email  
> 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that  
> Eudora Light users and users of previous versions of Eudora Pro are not  
> susceptible to these Java attacks..."  
> http://eudora.qualcomm.com/security.html  
>  
> Bill Stout  
  
Actually there were rumbles about this on bugtraq as far back as February.  
I remember because it prompted me to add active-HTML tag mangling to my  
procmail filter set.  
  
BTW, just in case you haven't heard yet,  
  
<PLUG TYPE="shameless">  
Drop by http://www.wolfenet.com/~jhardin/procmail-security.html  
</PLUG>  
  
Comments solicited.  
  
--  
John Hardin KA7OHZ [email protected]  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
Your mouse has moved. Windows NT must be restarted for the change  
to take effect. Reboot now? [ OK ]  
-----------------------------------------------------------------------  
79 days until Daylight Savings Time ends  
  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 Aug 1998 16:03:24 -0500  
From: Aleph One <[email protected]>  
Subject: Re: Eudora security bug - executes URL  
  
On Fri, 7 Aug 1998, Stout, Bill wrote:  
  
> > Problem is the way Eudora 4x interacts with MSIE 4x and javascript.  
>  
> Please detail that on the list, since many of us can't enter NYT. Maybe  
> Aleph One can also expand on that. I would expect that any program with  
> integrated Internet capability would have similar security problems.  
  
Note: I had no access to the exploit for this vulnerability so I have no  
clue if this is really how it works. It's also been over a month since I  
looked at the IE HTML control and my memory is not the best. I do not  
consider myself a Windows programmer. Finally, I don't have the time to  
test these conjectures. Adam Shostack was the person that made me aware of  
the potential problems of using the MS HTML component.  
  
As far as I can tell the problem is that Eudora fails to turn off  
JavaScript/Java when displaying HTML messages with the IE HTML components.  
  
As you may or may not know, IE is little more than a wrapper around the MS  
HTML rendering component. Many other vendors, including Qualcomm, find it  
easy to reuse this component to display HTML instead of having to write  
their own HTML rendering engine or to license one from a third party.  
The HTML component has many options, including whether to turn on or off  
things like Java/JavaScript.  
  
In essence the exploit sends an HTML email message to the user with an  
executable attached to it. The message has a link in it that executes  
some JavaScript (I am assuming onClick, I don't know why they would not use  
onLoad instead and do away with having to click on anything) which in  
turn executes the attached file.  
  
There are no security checks performed as this is a local file and is  
trusted.  
  
It should be noted that any products using the HTML component may also  
fail to turn off things like Java and JavaScript and may be vulnerable  
to similar attacks.  
  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 Aug 1998 20:29:40 -0400  
From: Steve Bellovin <[email protected]>  
Subject: Re: Eudora security bug - executes URL  
  
In message <[email protected]>, Aleph  
...  
  
> As you may or may not know, IE is little more than a wrapper around the MS  
> HTML rendering component. Many other vendors, including Qualcomm, find it  
> easy to reuse this component to display HTML instead of having to write  
> their own HTML rendering engine or to license one from a third party.  
> The HTML component has many options, including whether to turn on or off  
> things like Java/JavaScript.  
>  
....  
>  
> There are no security checks performed as this is a local file and is  
> trusted.  
>  
> It should be noted that any products using the HTML component may also  
> fail to turn off things like Java and JavaScript and may be vulnerable  
> to similar attacks.  
  
This is a crucial point. The exploit is a direct result of Microsoft's  
decision to merge, as much as possible, the desktop and the Net.  
That's a laudable idea, in many ways, and the navigation concepts are  
similar. But there is a crucial difference in trustworthiness, and  
the Microsoft notion depends on (a) perfect bookkeeping, and (b) perfect  
entry points. The .LNK failure in IE4 was an example of how (a) failed;  
the Eudora problem illustrates a failure of (b). Both notions are  
fatally flawed, in that they require far too much trust in far too many  
pieces of code.  
  
I should note that (a)-type failures have been seen in many other cases,  
notably sendmail. Sendmail treats program execution as an address;  
for security, it tries to restrict it to alias expansion. But that  
means that every place an address can appear must check to ensure that  
it isn't program delivery. Of course, there are so many different  
places that addresses can appear that it was inevitable that not all  
of them would be checked -- and we've seen the results many different  
times. By contrast, the upas mailer developed at Bell Labs circa 1984  
does execution as part of local delivery. Addresses per se cannot refer  
to programs, even by alias expansion. And no, that wasn't an accident;  
it was a deliberate design decision by Dave Presotto.  
  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 Aug 1998 11:32:56 -0700  
From: Anthony Roybal <[email protected]>  
Subject: Re: New Eudora bug ?  
  
Here is Qualcomm's alert from:  
  
<http://eudora.qualcomm.com/security.html>  
  
Anthony  
  
  
Eudora Pro Security Alert  
  
You may have read recently that there is potential for unauthorized  
programs to be run on your system through the use of hostile Java scripts  
and/or applets. This problem affects users of the Windows versions of  
Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and  
4.0.1. Note that Eudora Light users, users of previous versions of Eudora  
Pro, and Macintosh users are not susceptible to these Java attacks.  
  
QUALCOMM became aware of this problem yesterday (8/6/98) and will be  
offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0  
within the next few hours that addresses these issues and will prevent  
these types of attacks. QUALCOMM will also make available a new Eudora Pro  
4.1 beta that contains these fixes by Friday afternoon Pacific Standard  
Time.  
  
Until the new software is posted, you can protect yourself by turning off  
the Microsoft viewer from within Eudora. To do this, follow these steps:  
  
1. In Eudora, go to the Tools menu and choose "Options".  
2. On the left hand side of the options window, select "Viewing Mail".  
3. On the right hand side of the options window, make sure the box next to "Use Microsoft's viewer" is UNCHECKED.  
4. Click on "OK" on the bottom of the window.  
  
Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not  
susceptible to the buffer overflow security problem  
  
QUALCOMM rigorously tested its line of Eudora email software after becoming  
aware of the buffer overflow security problems recently found in Microsoft  
and Netscape email programs. QUALCOMM is pleased to announce that its  
Eudora email products are not susceptible to the types of attacks that can  
harm the computers of users of these other products.  
  
QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well as  
Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh  
platforms. In all cases, Eudora does not allow any unauthorized programs to  
be automatically executed on a user's system.  
  
  
  
At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":  
  
> http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html  
>  
> SAN FRANCISCO -- Just days after a serious security flaw was revealed in two  
> popular electronic mail programs, an equally troubling vulnerability has been  
> discovered in Eudora, the most widely used of all e-mail software.  
>  
> The Eudora flaw makes it possible for a malicious computer user with  
> little or  
> no programming expertise to booby-trap an e-mail message by inserting a  
> seemingly harmless link to an Internet location that in fact executes  
> malignant code. This could permit an attacker to destroy or steal data or to  
> otherwise tamper with a personal computer.  
  
--  
Anthony Roybal  
Information Systems & Technology  
University of California at Berkeley  
  
<mailto:[email protected]>  
<http://socrates.Berkeley.EDU/~ar>  
  
  
-------------------------------------------------------------------------  
  
Date: Sat, 8 Aug 1998 01:35:42 -0700  
From: "John D. Hardin" <[email protected]>  
Subject: Re: Eudora executes (Java) URL  
  
On Fri, 7 Aug 1998, John D. Hardin wrote:  
  
> Actually there were rumbles about this on bugtraq as far back as February.  
> I remember because it prompted me to add active-HTML tag mangling to my  
> procmail filter set.  
>  
> BTW, just in case you haven't heard yet,  
>  
> <PLUG TYPE="shameless">  
> Drop by http://www.wolfenet.com/~jhardin/procmail-security.html  
> </PLUG>  
>  
> Comments solicited.  
  
In the filter that attempts to sanitize <BODY ONLOAD="exploit"> tags, the  
following Perl regular expression occurs:  
  
s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;  
  
Dick St. Peters <[email protected]> reports that on SunOS 4.1.3 +  
Perl 5.004 this RE never exits, leading to massive system loads when mail  
containing HTML is being processed.  
  
I have confirmed it works properly under Linux 2.0.33 + Perl 5.004_01,  
SunOS 4.1.4 + Perl 5.004_04 and Alpha OSF/1 V3.0 + Perl 5.004_04.  
  
Can anyone confirm these results?  
  
I have modified the released kit to use a simpler RE by default and offer  
this as an alternative after testing.  
  
If anybody else experiences a problem with this RE, either update to the  
current kit or delete the offending line from the HTML filter perl script.  
  
--  
John Hardin KA7OHZ [email protected]  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
Your mouse has moved. Windows NT must be restarted for the change  
to take effect. Reboot now? [ OK ]  
-----------------------------------------------------------------------  
78 days until Daylight Savings Time ends  
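An added example, not from Hardin's kit or from anyone in this thread: the pattern's nested quantifier `([^">]+ ...)*` is the classic exponential-backtracking shape, and a single forward scan over the tag does the same defanging in linear time. It is written in Python (whose `re` engine backtracks the way Perl's does) rather than Perl so it can be run here; the names `ORIGINAL_RE`, `defang_with_original_regex` and `defang_body_onload` are mine, and the scanner goes slightly beyond the original substitution by renaming every ONLOAD in a tag rather than only the first.

```python
import re

# The procmail kit's regex from the message above, in Python syntax.  The
# nested quantifier ([^">]+ ...)* lets the engine try about 2^n ways of
# splitting n characters of attribute text before it gives up, so a BODY
# tag with a long attribute list and no ONLOAD can spin for hours (the
# hang reported on SunOS).  Kept only to compare results on short input.
ORIGINAL_RE = re.compile(r'<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD', re.I)
BODY_OPEN = re.compile(r"<BODY\s", re.I)

def defang_with_original_regex(html: str) -> str:
    """The original substitution: the first ONLOAD in each BODY tag is renamed."""
    return ORIGINAL_RE.sub(r"<BODY \1 DEFANGED-ONLOAD", html)

def defang_body_onload(html: str) -> str:
    """Linear-time equivalent: one left-to-right pass over each BODY tag.
    Inside a double-quoted value '>' and ONLOAD are data and backslash
    escapes are skipped, as the original's quoted-string branch intended.
    Every unquoted ONLOAD in the tag is renamed, not just the first;
    single-quoted values are not handled, matching the original."""
    out, pos = [], 0
    while True:
        m = BODY_OPEN.search(html, pos)
        if m is None:
            out.append(html[pos:])
            return "".join(out)
        out.append(html[pos:m.end()])
        i, in_quote = m.end(), False
        while i < len(html):
            c = html[i]
            if in_quote:
                if c == "\\" and i + 1 < len(html):  # escaped char: copy both
                    out.append(html[i:i + 2])
                    i += 2
                    continue
                in_quote = c != '"'
            elif c == '"':
                in_quote = True
            elif c == ">":
                break  # end of the tag; the '>' is copied by the outer loop
            elif html[i:i + 6].upper() == "ONLOAD":
                out.append("DEFANGED-ONLOAD")
                i += 6
                continue
            out.append(c)
            i += 1
        pos = i
```

The scanner's cost is one step per character whatever the tag contains, so a long attribute list without ONLOAD (the case that made the regex hang) is as cheap as any other.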
  
  