TITLE: Pegasus Mail Buffer Overflow and Off-by-One Vulnerabilities SECUNIA ADVISORY ID: SA17992 VERIFY ADVISORY: http://secunia.com/advisories/17992/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Pegasus Mail for 32-bit Windows Systems 4.x http://secunia.com/product/5565/ DESCRIPTION: Secunia Research has discovered two vulnerabilities in Pegasus Mail, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists when using the reply from a POP3 server to construct trace messages that are displayed to the user if an error occurs when downloading emails. This can be exploited to cause a stack-based buffer overflow via an overly long POP3 reply. Successful exploitation allows arbitrary code execution but requires that the user is e.g. tricked into connecting to a malicious POP3 server. 2) An off-by-one error exists when displaying the RFC2822 message headers of an email to the user. This can be exploited to overwrite the least significant byte of the saved EBP via a email message header that is 1022 bytes or longer. This allows code execution on a Windows XP system. Successful exploitation requires that the user is e.g. tricked into viewing the headers of a malicious email via the "Message headers..." menu item in the context menu of the email message. The vulnerabilities have been confirmed in version 4.21c and 4.30PB1 (Public Beta 1), and also affects version 4.21a and 4.21b. SOLUTION: Update to version 4.31. http://www.pmail.com/downloads_de_t.htm PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong, Secunia Research. ORIGINAL ADVISORY: Pegasus Mail: http://www.pmail.com/newsflash.htm#secunia Secunia Research: http://secunia.com/secunia_research/2005-61/advisory/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------