Eudora 5.x for Windows Buffer Overflow Vulnerability

Summary

Eudora, developed and distributed by QUALCOMM Inc., is a Mail User Agent running on Windows 95/98/2000/ME/NT 4.0 and MacOS 8.1 or later. Eudora 5.x for Windows contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code.

Credit:

The information has been provided by Nobuo Miwa LAC.


Details

Vulnerable systems:
 * Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
 * Eudora 5.1.1 for Windows (Sponsored Mode) [English]

The buffer overflow occurs when Eudora receives a message whose boundary string is 139 bytes or longer. The boundary is the string used to divide a multi-part message into separate parts. In our verification environment, we found that this could allow arbitrary commands to be executed.

Solution:
You can limit your exposure to this problem by using content filtering software that screens out email messages whose boundary string is 139 bytes or longer.
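One way to implement the boundary-length screen described above, as an added example that is not part of the original advisory. It uses Python's standard `email` package; the function names, the constructed sample messages, and the choice to also inspect nested parts and repeated Content-Type headers are assumptions.

```python
import email
from email import policy
from email.message import Message

ADVISORY_LIMIT = 139  # bytes; the advisory's threshold for the overflow
RFC2046_MAX = 70      # RFC 2046 allows at most 70 characters in a boundary


def boundary_lengths(raw: bytes):
    """Yield the byte length of every boundary parameter in the message,
    covering nested parts and repeated Content-Type headers."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for part in msg.walk():
        for value in part.get_all("Content-Type", []):
            probe = Message()  # parse each header value on its own
            probe["Content-Type"] = str(value)
            boundary = probe.get_boundary()  # unquotes, joins RFC 2231 pieces
            if boundary is not None:
                yield len(boundary.encode("utf-8", "replace"))


def should_quarantine(raw: bytes, limit: int = ADVISORY_LIMIT) -> bool:
    """True when any declared boundary is `limit` bytes or longer."""
    return any(n >= limit for n in boundary_lengths(raw))


def sample(boundary: str) -> bytes:
    """Constructed multipart message for testing the filter."""
    return (
        "From: sender@example.com\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed;\r\n boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f"--{boundary}--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for name, raw in [("short", sample("frontier")),
                      ("138 bytes", sample("x" * 138)),
                      ("139 bytes", sample("x" * 139))]:
        print(name, "->", "quarantine" if should_quarantine(raw) else "deliver")
```

Passing `limit=RFC2046_MAX + 1` instead rejects every boundary longer than the standard permits, which is stricter than the advisory's threshold.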

QUALCOMM Inc. reported that this problem would be fixed in the next release [English].

Livin’ on the EDGE Co., Ltd. reported that this problem would be fixed in the next release, Eudora 5.1-J for Windows [Japanese].

Vendor communication:
6 Jun 2002: We discovered the vulnerability.
6 Jun 2002: We reported the findings to win-eudora-bugs@kuni.co.jp.
14 Jun 2002: The findings were reported again to win-eudora-bugs@kuni.co.jp.
17 Jun 2002: We contacted QUALCOMM Inc.
18 Jun 2002: QUALCOMM Inc. sent a reply stating that they had started an investigation of the problem.
3 Jul 2002: We asked QUALCOMM Inc. about the progress of the investigation.
19 Jul 2002: We asked QUALCOMM Inc. again about the progress of the investigation.
24 Jul 2002: We informed QUALCOMM Inc. about the announcement schedule of this advisory.
25 Jul 2002: QUALCOMM Inc. reported that this problem would be fixed in the next release.
5 Aug 2002: We decided to disclose this vulnerability due to concern over the potential consequences this issue may cause. win-eudora-bugs@kuni.co.jp has not provided any comments on this issue as of August 5, 2002.
6 Aug 2002: It turned out that our communication had not reached Livin’ on the EDGE Co., Ltd. (user support of Japanese version). Livin’ on the EDGE Co., Ltd. reported that this problem would be fixed in the next release immediately.
