iDEFENSE Security Advisory 11.19.02b:
http://www.idefense.com/advisory/11.19.02b.txt
Eudora Script Execution Vulnerability
November 19, 2002

I. BACKGROUND

Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and 
Macintosh. More information about it is available at http://www.eudora.com .

II. DESCRIPTION

Remote exploitation of a weakness in Eudora could allow for the potential 
retrieval of sensitive information from a targeted Eudora user's computer.

Eudora saves e-mail attachments in a predictable location. Exploitation 
works as follows: an attacker sends an e-mail to a Eudora user that 
directs him or her to a specific URL; the e-mail also contains an 
HTML-enabled attachment that contains scripting code. If the user is 
socially engineered into clicking on the link, a frames page can load the 
attachment in one of its frames. The attack script in the attachment can 
then retrieve (within the security settings of the local zone) the content 
of any local file and transmit it back to the attacker. Since the issue is 
simple to exploit and has still not been addressed, a sample attack script 
is not included in this advisory.

III. ANALYSIS

Exploitation could lead to further compromise if the attacker is able to 
retrieve sensitive files such as the Windows SAM table. It is also possible for 
the attacker to obtain other confidential information. A secure 
implementation would involve using a random string within the directory 
structure to prevent this class of attacks (as the Mozilla e-mail client 
does, for example).
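
The random-directory approach described above, sketched in Python as an 
added example (not code from iDEFENSE, Qualcomm or Mozilla). The marker 
file name, the ".attach" suffix and both function names are assumptions 
made for illustration.

```python
import os
import re
import secrets

MARKER = "attach_dir.txt"  # hypothetical file recording the random directory name

def attachment_root(profile_dir):
    """Return the per-profile attachment directory, creating it on first use.

    The directory name carries 128 bits from the OS CSPRNG, so a remote page
    cannot predict the local path at which an attachment was saved.
    """
    marker = os.path.join(profile_dir, MARKER)
    try:
        with open(marker, "r", encoding="ascii") as fh:
            name = fh.read().strip()
    except FileNotFoundError:
        name = secrets.token_hex(16) + ".attach"
        os.makedirs(profile_dir, exist_ok=True)
        with open(marker, "x", encoding="ascii") as fh:
            fh.write(name)
    # Refuse a tampered marker rather than follow it to an arbitrary path.
    if not re.fullmatch(r"[0-9a-f]{32}\.attach", name):
        raise ValueError("corrupt attachment directory marker")
    root = os.path.join(profile_dir, name)
    os.makedirs(root, mode=0o700, exist_ok=True)
    return root

def save_attachment(profile_dir, sender_filename, data):
    """Store data under the random root and return the full path written."""
    # Keep only the last path component and a conservative character set,
    # so the sender-chosen name cannot climb out of the root.
    base = re.split(r"[\\/]", sender_filename)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "attachment"
    root = attachment_root(profile_dir)
    stem, ext = os.path.splitext(base)
    for n in range(1000):
        candidate = base if n == 0 else f"{stem}-{n}{ext}"
        path = os.path.join(root, candidate)
        try:
            # "xb" fails if the file exists, so earlier mail is never overwritten.
            with open(path, "xb") as fh:
                fh.write(data)
            return path
        except FileExistsError:
            continue
    raise RuntimeError("too many name collisions")
```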

IV. DETECTION

Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions may be 
affected as well.

To determine susceptibility, send an e-mail with an attachment to a test 
Eudora user. Check if Eudora stores it in the C:\Program 
Files\Qualcomm\Eudora\attach\ directory (assuming a default installation). 

V. WORKAROUND

Change the default location where Eudora stores e-mail attachments.

VI. VENDOR RESPONSE

A Eudora Tech Support Specialist provided the following response (from 
the head Eudora developer):

"In rare circumstances, certain ill-formatted MIME boundaries can cause 
Eudora to crash. It is exceedingly unlikely that this problem could be 
exploited to undermine security. The problem will be fixed in the next 
release of Eudora."

[iDEFENSE note: The response does not address the security implications of 
this advisory. Two attempts were made to change or clarify Qualcomm's 
response, both to no avail.]

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
assigned the identification number CAN-2002-1210 to this issue.

VIII. DISCLOSURE TIMELINE

09/12/2002	Issue disclosed to iDEFENSE
10/14/2002	Qualcomm notified (eudora-custserv@eudora.com)
10/14/2002	iDEFENSE clients notified
10/15/2002	Autoresponse received
10/31/2002	Second attempt at contact 
11/07/2002	Third attempt at contact
11/08/2002	Vendor response from J. Michael L. (mlreply@qualcomm.com)
11/10/2002	Clarification request of Vendor Response from iDEFENSE
11/11/2002	Same response from J. Michael L. (mlreply@qualcomm.com)
11/12/2002	Second clarification request of Vendor Response from iDEFENSE
11/19/2002 	Still no reply for vendor clarification of response
11/19/2002	Public disclosure

IX. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.