COMMAND
Eudora
SYSTEMS AFFECTED
Eudora till present one
PROBLEM
Magnus Bodin found following. An attacker may be able to get any
file from a users hard drive if he can make the recieving party
to forward a mail containing a false attachment reference to this
local file.
Magnus submitted this bug to Qualcomm a long time ago (> 4 years)
but this security problem still persists.
Eudora pre-parses MIME-messages when storing the mail in the mbox
file. This is done by extracting attachments and storing them in
a separate attachment directory. This is fine, and saves space -
although it's not the best for those who want to archive their
mail unmodified.
The problem is that the attachment is replaced by e.g. the plain
text
Att*chment Converted: "<filepath>"
on a single line with no leading whitespace in the message body
where the MIME-part was found. (Read _Attachment_ above)
An attacker might therefore be able to "steal" known files from
anywhere in the users filesystem by a combination of this
problematic implementation and some social skills.
1. The attacker sends a message to the user containing a line like
this (beware you who reads this with eudora, you would be
seeing an icon here)
Attachment Converted: "c:\pagefile.sys"
with the path to a known file that the attacker would like to
steal.
To make it more real, he would also include more _real_
attachments to dim the effect.
2. In the letter, the receiving user is urged to forward this mail
to someone maybe to check if the mailsystem works, or for some
other reason.
3. Done. The local file is attached to the outgoing mail.
This works with the latest stable (5.0.2) Eudora Windows. The
full file path to the files are required. Eudora does NOT show
the message as containing attachments in the mail listning if it
only contains these fake attachments. This can of course be
circumvented just by adding a real attachment as well. The mail
has to be forwarded by the mail recipient.
SOLUTION
Nothing yet.