Buffer overflows in the Eureka and Pegasus email clients
The processing of overlong POP3 responses from a mail server by the Eureka and Pegasus (PMail) email clients can trigger a buffer overflow that allows attackers to inject and execute malicious code. For an attack to be successful, however, the victim has to connect to a specially crafted mail server. Pegasus Mail 4.5x and Eureka Mail 2.2q (under Windows XP SP2) are affected. Their respective predecessors are probably affected as well.
Francis Provencher, who discovered the holes, has published exploits for each client in his reports. While the Pegasus exploit reportedly only triggers a program crash, the exploit for Eureka is said to allow shellcode execution.
No updates to close the holes have been made available. Nevertheless, users of older PMail versions are advised to update to version 4.51 because, as security specialist Secunia reports, this version was compiled with the /GS compiler option. While this isn't enough to prevent the buffer overflow under Windows XP SP2, the system will at least detect the attempted attack and kill the relevant process.
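/GS only terminates the process once the overwrite has happened; preventing it takes a length check where the client parses the server's response. The following bounded POP3 status-line parser is an added example, not code from either client or from the advisories: the function name, status enum and sample line are hypothetical, and the 512-character limit is the maximum response length given in RFC 1939.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1939: a POP3 response is at most 512 characters, CRLF included. */
#define POP3_MAX_LINE 512

typedef enum { POP3_OK, POP3_ERR, POP3_MALFORMED,
               POP3_TOO_LONG, POP3_INCOMPLETE } pop3_status;

/* Parse one status line from `in` (`len` bytes as read from the socket).
 * The text after "+OK"/"-ERR" is copied into `msg`, truncated to fit and
 * always NUL-terminated. Hypothetical helper, not taken from either client. */
pop3_status pop3_parse_status(const char *in, size_t len,
                              char *msg, size_t msg_cap)
{
    size_t limit = len < POP3_MAX_LINE ? len : POP3_MAX_LINE;
    size_t eol = 0, skip, n;
    pop3_status st;
    int found = 0;

    if (msg_cap == 0) return POP3_MALFORMED;
    msg[0] = '\0';

    /* Look for CRLF only inside the protocol limit, never past `len`. */
    for (size_t i = 0; i + 1 < limit; i++)
        if (in[i] == '\r' && in[i + 1] == '\n') { eol = i; found = 1; break; }
    if (!found)   /* reject oversized lines instead of buffering them */
        return len >= POP3_MAX_LINE ? POP3_TOO_LONG : POP3_INCOMPLETE;

    if (eol >= 3 && memcmp(in, "+OK", 3) == 0)       { st = POP3_OK;  skip = 3; }
    else if (eol >= 4 && memcmp(in, "-ERR", 4) == 0) { st = POP3_ERR; skip = 4; }
    else return POP3_MALFORMED;
    /* Any text after the indicator must be separated from it by one space. */
    if (skip < eol && in[skip++] != ' ') return POP3_MALFORMED;

    n = eol - skip;
    if (n >= msg_cap) n = msg_cap - 1;   /* clamp to destination, not to input */
    memcpy(msg, in + skip, n);
    msg[n] = '\0';
    return st;
}

int main(void)
{
    char msg[16];
    const char line[] = "+OK POP3 server ready\r\n";   /* constructed sample */
    pop3_status st = pop3_parse_status(line, sizeof line - 1, msg, sizeof msg);
    printf("status=%d msg=\"%s\"\n", (int)st, msg);
    return 0;
}
```

A caller that gets `POP3_TOO_LONG` should drop the connection rather than keep reading, since the server is already outside the protocol.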
- Pegasus Mail client BoF, security advisory from Francis Provencher.
- Eureka Mail client BoF, security advisory from Francis Provencher.