Vulnerability Development mailing list archives
Eudora Pro Buffer Overflow testing in progress - help needed.
From: zoa_chien () INAME COM (Zoa_Chien)
Date: Fri, 28 Apr 2000 14:31:47 +0200
I had a quick look at this nice bug in Eudora that caused many vuln-dev subscribers to crash.

Tested version: 4.2.0.5

If you mail someone a file that has an extension with over 213 chars in it, Eudora will crash. You could test it with this filename:

_.aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrr

_.aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUWWWWXXXXYYYYZZZZ111122223333444455556666777788889999aaAAbbBB

The "3334" are the first bytes that overwrite the EIP, leaving us very little space to execute some arbitrary code (unless it's possible to send files from non-Microsoft OSes that contain even more chars in the extension; that could give us some more room).

Just a thought: I guess Eudora first downloads into RAM, and then saves it. This means what is in the attached file should be in RAM... maybe you can just link to that in memory and put the executable code in the file itself instead of in the extension (it might be difficult to find the correct address).

If it's not possible to exploit... at least it's a nice DoS.

For those who want to check this out, some guidelines for your convenience:

- Unclick "leave mail on server".
- Send yourself such a mail.
- "Restore" Eudora by deleting the /spool directory in your Eudora directory.

Enjoy.

PS: does anyone have some tutorial on "buffer overflow testing with SoftICE"? Anyone willing to post a detailed analysis on this, like that Solar Eclipse text on WordPad some time ago? thnx! (I don't have the time nor the knowledge to do so.)
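A defender-side check for the condition the post describes, added here as an example; it is not code from the original post, from the list, or from Eudora. It parses a raw MIME message the way a mail gateway would and flags attachments whose file-name extension is longer than a configured limit, measuring the length on the decoded filename so that an RFC 2231 split (filename*0=/filename*1=) cannot hide it. The 213-character figure is the post's; the sample message, the two long filenames and the 64-character limit are constructed for this example.

```python
"""Gateway check for over-long attachment extensions (added example).

Not code from the original post or from Eudora. Parses a raw RFC 822/MIME
message and reports attachments whose file-name extension is longer than a
configured limit. The post reports Eudora 4.2.0.5 crashing on extensions of
more than 213 characters; the limit, sample message and names below are
constructed for this example.
"""
import email
import string
from email import policy

# Assumption: a gateway has no reason to accept anything near the crashing
# length, so the default limit sits well below the post's 213 characters.
MAX_EXTENSION_LEN = 64


def extension_of(filename: str) -> str:
    """Return the text after the last '.', or '' if the name has no dot."""
    _head, sep, tail = filename.rpartition(".")
    return tail if sep else ""


def find_long_extensions(raw: bytes, limit: int = MAX_EXTENSION_LEN):
    """Return [(filename, extension_length), ...] for every attachment in
    the raw message whose extension is longer than `limit`.

    The length is measured on the decoded filename: get_filename() reverses
    RFC 2047 encoded words and RFC 2231 continuations, so a name split
    across filename*0=/filename*1= sections is checked at its full length.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        ext_len = len(extension_of(name))
        if ext_len > limit:
            findings.append((name, ext_len))
    return findings


# Constructed names. CRASH_NAME follows the shape of the post's test name
# (four-character runs after "_.") and has a 252-character extension;
# SPLIT_NAME has a 100-character extension and is sent as two RFC 2231
# sections so that no single header parameter shows the full length.
CRASH_NAME = "_." + "".join(
    c * 4 for c in string.ascii_lowercase + string.ascii_uppercase + string.digits[1:]
) + "aaAAbbBB"
SPLIT_NAME = "x." + "b" * 100

# Constructed sample message: one benign attachment plus the two above.
SAMPLE_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    "--b1\r\n"
    "Content-Type: application/pdf\r\n"
    'Content-Disposition: attachment; filename="report.pdf"\r\n'
    "\r\n"
    "not really a pdf\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    f'Content-Disposition: attachment; filename="{CRASH_NAME}"\r\n'
    "\r\n"
    "opaque attachment body\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    f'Content-Disposition: attachment; filename*0="{SPLIT_NAME[:40]}";'
    f' filename*1="{SPLIT_NAME[40:]}"\r\n'
    "\r\n"
    "second opaque body\r\n"
    "--b1--\r\n"
).encode("ascii")


if __name__ == "__main__":
    for name, ext_len in find_long_extensions(SAMPLE_MESSAGE):
        print(f"REJECT: extension of {ext_len} chars in {name[:20]}...")
```

The check deliberately runs after the email library has decoded the Content-Disposition parameters: a gateway that only scans raw header bytes for a long token would miss a name delivered in RFC 2231 sections or as an RFC 2047 encoded word, while the receiving client still reassembles the full extension before using it.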