[BMSA-2009-06] Remote code execution in BKAV eOffice

--Signature=_Tue__1_Sep_2009_23_51_52_+0700_0+n=tNessflbDZot
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

BLUE MOON SECURITY ADVISORY 2009-06
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

:Title: Remote code execution in BKAV eOffice
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: eOffice v5.1.5
:Fixed in: --

Description
-----------

We could not find out the definitive description for eOffice in English. Th=
is is our own understanding of the application: eOffice is an IMAP email cl=
ient.

We have discovered a remote code execution vulnerability in eOffice. The at=
tacker could force an unknowning user to execute arbitrary code.

To exploit this bug, an attacker only needs to send a specially-crafted ema=
il to his targets address. When the victim clicks on the email, malicious =
code will run immediately. From there, the attacker might take full control=
 of the machine, or simply cause a Denial of Service.

This vulnerability exists in versions up to 5.1.5. Newer version might also=
 be affected.

Workaround
----------

Current eOffice users are strongly advised to switch to other email clients=
 such as the free Thunderbird, Sylpheed, Outlook Express, or commercial Out=
look in the MS Office suite until the bug has been resolved.

Fix
---

Customers are advised to contact and request a fix directly from the vendor.

Disclosure
----------

Due to negative response in previous report (`<bmsa200806.html>`_), Blue Mo=
on Consulting decided not to report this bug to the vendor but contacted th=
e Vietnam Computer Emergency Response Team -- VNCERT.

:Initial contact:

  August 01, 2009: Initial security alert sent to office@vncert.vn, vncert@=
mpt.gov.vn, vncert@mic.gov.vn

:Co-ordinator response:

  August 01, 2009: Operation team replied that it would be the point of con=
tact for VNCERT.

:Further communication:

  August 02, 2009: VNCERT requested proof of vulnerability.

  August 02, 2009: Blue Moon Consulting showed and recorded the proof of co=
ncept exploit.

  August 02, 2009: Blue Moon Consulting sent a draft advisory to VNCERT.

  August 07, 2009: Blue Moon Consulting showed the proof of concept exploit=
 under close observation of VNCERT and Ministry of Information and Communic=
ations.

  August 09, 2009: Nguyen Minh Duc from BKAV requested us to provide techni=
cal details prior to the emergency meeting called for by VNCERT.

  August 10, 2009: Blue Moon Consulting requested to discuss with BKAV at t=
he meeting.

  August 10, 2009: Ministry of Information and Communications held an emerg=
ency meeting comprising of representatives from the Ministry, VNCERT, VNISA=
, Blue Moon Consulting, and BKAV to verify the vulnerability in an independ=
ent environment. BKAV refused to attend the meeting.

  August 17, 2009: Nguyen Minh Duc asked Blue Moon Consulting to provide mo=
re technical information about the vulnerability based on VNCERTs request.

  August 19, 2009: Blue Moon Consulting replied with clear reasons why BKAV=
 had voluntarily denied itself from such information. Blue Moon Consulting =
also requested that written request should be made if further assistance wa=
s required.

  August 24, 2009: Nguyen Minh Duc did not use official communication chann=
el, and therefore was ignored.

:Public disclosure:

  September 01, 2009

:Exploit code:

  No exploit code provided.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warra=
nty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, ei=
ther express or implied, including the warranties of merchantability and fi=
tness for a particular purpose. Your use of the information on the advisory=
 or materials linked from the advisory is at your own risk. Blue Moon Consu=
lting Co., Ltd reserves the right to change or update this notice at any ti=
me.


--=20
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

--Signature=_Tue__1_Sep_2009_23_51_52_+0700_0+n=tNessflbDZot
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkqdUSgACgkQbKzcTD214ZeSIwCdETl9ZvEI8v847hvFuiikdR4y
ugIAnj3GVDP3w+6l5c95yOARZYESkELE
=gkE8
-----END PGP SIGNATURE-----

--Signature=_Tue__1_Sep_2009_23_51_52_+0700_0+n=tNessflbDZot--