[BMSA-2009-06] Remote code execution in BKAV eOffice
Content-Type: text/plain; charset=US-ASCII
BLUE MOON SECURITY ADVISORY 2009-06
:Title: Remote code execution in BKAV eOffice
:Reporter: Blue Moon Consulting
:Products: eOffice v5.1.5
:Fixed in: --
We could not find out the definitive description for eOffice in English. Th=
is is our own understanding of the application: eOffice is an IMAP email cl=
We have discovered a remote code execution vulnerability in eOffice. The at=
tacker could force an unknowning user to execute arbitrary code.
To exploit this bug, an attacker only needs to send a specially-crafted ema=
il to his targets address. When the victim clicks on the email, malicious =
code will run immediately. From there, the attacker might take full control=
of the machine, or simply cause a Denial of Service.
This vulnerability exists in versions up to 5.1.5. Newer version might also=
Current eOffice users are strongly advised to switch to other email clients=
such as the free Thunderbird, Sylpheed, Outlook Express, or commercial Out=
look in the MS Office suite until the bug has been resolved.
Customers are advised to contact and request a fix directly from the vendor.
Due to negative response in previous report (`<bmsa200806.html>`_), Blue Mo=
on Consulting decided not to report this bug to the vendor but contacted th=
e Vietnam Computer Emergency Response Team -- VNCERT.
August 01, 2009: Initial security alert sent to email@example.com, vncert@=
August 01, 2009: Operation team replied that it would be the point of con=
tact for VNCERT.
August 02, 2009: VNCERT requested proof of vulnerability.
August 02, 2009: Blue Moon Consulting showed and recorded the proof of co=
August 02, 2009: Blue Moon Consulting sent a draft advisory to VNCERT.
August 07, 2009: Blue Moon Consulting showed the proof of concept exploit=
under close observation of VNCERT and Ministry of Information and Communic=
August 09, 2009: Nguyen Minh Duc from BKAV requested us to provide techni=
cal details prior to the emergency meeting called for by VNCERT.
August 10, 2009: Blue Moon Consulting requested to discuss with BKAV at t=
August 10, 2009: Ministry of Information and Communications held an emerg=
ency meeting comprising of representatives from the Ministry, VNCERT, VNISA=
, Blue Moon Consulting, and BKAV to verify the vulnerability in an independ=
ent environment. BKAV refused to attend the meeting.
August 17, 2009: Nguyen Minh Duc asked Blue Moon Consulting to provide mo=
re technical information about the vulnerability based on VNCERTs request.
August 19, 2009: Blue Moon Consulting replied with clear reasons why BKAV=
had voluntarily denied itself from such information. Blue Moon Consulting =
also requested that written request should be made if further assistance wa=
August 24, 2009: Nguyen Minh Duc did not use official communication chann=
el, and therefore was ignored.
September 01, 2009
No exploit code provided.
The information provided in this advisory is provided "as is" without warra=
nty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, ei=
ther express or implied, including the warranties of merchantability and fi=
tness for a particular purpose. Your use of the information on the advisory=
or materials linked from the advisory is at your own risk. Blue Moon Consu=
lting Co., Ltd reserves the right to change or update this notice at any ti=
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
-----END PGP SIGNATURE-----