List: bugtraq
Subject: Eudora Pro & Outlook Overflow - too long filenames again
From: Ultor <Ultor () HERT ! ORG>
Date: 2000-05-15 12:56:00
==== APPLICATIONS AFFECTED
Qualcomm Eudora Pro (all versions)
Outlook Express 4.*
Microsoft Outlook 98
Eudora Light and Outlook Express 5.0 are NOT affected
==== DESCRIPTION
These e-mail/news programs improperly handle the filenames of files attached
to e-mails. An overly long filename can result in a buffer overflow condition
when the program processes the attachment and tries to save the temporary file.
As the reader generally processes the attachments when the user reads the
message, the buffer overflow condition can be initiated.
In Outlook, if the filename has a graphic file extension, then the buffer
overflow condition can be initiated when trying to view the message (my last
post on BUGTRAQ); if not, then the overflow will occur if the user tries to
save/open the attached file.
In Eudora Pro, e-mail is processed while downloading mail from the server, so
the buffer overflow occurs when the message is processed from the spool
directory. This can even lock the e-mail account for Eudora Pro users. As far
as I know, the same problem is in the Microsoft Outlook 98 version.
==== EXAMPLE
Example Outlook e-mails are attached with this message (sorry to all Eudora
Pro users for the latest problems).
==== EXPLOITATION
possible ... have fun =)
==== PATCHES
If you use Outlook 98 or 4.*, then change to a 5.* version. If you like the
Eudora style, then use Eudora Light or wait for Eudora Pro patches.
PS. In my opinion, saving temporary files with the same filenames as the files
attached to the e-mail is very lame. They should use random filenames.
==== CREDITS
Greetz for noticing that Eudora Pro is vulnerable to the same bug as Outlook go to:
Felicia Catherine Kaye <feline@feline.pp.se>
Michael Smith <mike@icon.co.za>
Greeetz to HERT,Lam3rZ,TESO
----------------------
Mark Bialoglowy [Ultor@hert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
["lfilename_bug.zip" (application/x-zip-compressed)]
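An added example, not part of the original post or of either vendor's code: one way to follow the PS recommendation on a POSIX system, creating the temporary file under a random name with mkstemp() and keeping the e-mail's filename only as a length-bounded display label. The function names, LABEL_MAX and the /tmp directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LABEL_MAX 64   /* assumed cap for the name shown to the user */

/* Copy an attacker-controlled attachment name into a fixed buffer for
 * display only. Never writes more than cap bytes; path separators and
 * control bytes become '_'. Returns 1 if truncated, 0 if not, -1 on bad args. */
int attachment_label(const char *untrusted, char *out, size_t cap)
{
    if (!untrusted || !out || cap == 0) return -1;
    size_t i = 0;
    for (; untrusted[i] != '\0' && i + 1 < cap; i++) {
        unsigned char c = (unsigned char)untrusted[i];
        out[i] = (c < 0x20 || c == 0x7f || c == '/' || c == '\\' || c == ':')
                     ? '_' : (char)c;
    }
    out[i] = '\0';
    return untrusted[i] != '\0';
}

/* Create the temporary file under a random name chosen by mkstemp(), so
 * the length and content of the e-mail's filename never reach a path
 * buffer. dir is a hypothetical spool directory. Returns an fd, or -1. */
int open_attachment_temp(const char *dir, char *path, size_t cap)
{
    int n = snprintf(path, cap, "%s/att-XXXXXX", dir);
    if (n < 0 || (size_t)n >= cap) return -1;   /* template did not fit */
    return mkstemp(path);                        /* O_EXCL, mode 0600 */
}

int main(void)
{
    char huge[4096];                 /* constructed over-long filename */
    memset(huge, 'A', sizeof huge - 1);
    memcpy(huge + sizeof huge - 5, ".jpg", 4);
    huge[sizeof huge - 1] = '\0';

    char label[LABEL_MAX], path[128];
    int truncated = attachment_label(huge, label, sizeof label);
    int fd = open_attachment_temp("/tmp", path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("label=%zu bytes (truncated=%d), temp=%s\n", strlen(label), truncated, path);
    close(fd);
    unlink(path);
    return 0;
}
```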