[UNIX] PGP Public Key Server DoS and Remote Code Execution

From: support@securiteam.com
Date: 05/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 26 May 2002 09:11:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PGP Public Key Server DoS and Remote Code Execution
------------------------------------------------------------------------

SUMMARY

 <http://www.mit.edu/people/marc/pks/pks.html> MIT's PKS (Public Key
Server) has been found to contain a buffer overflow that allows an
attacker to execute arbitrary code or, where execution fails, to crash
the server so that it no longer answers legitimate key requests.

DETAILS

Vulnerable systems:
 * PGP Public Key Server version 0.9.4

A search request longer than 256 bytes will crash the service. It is as
simple as this (with gpg's keyserver pointed at the target host):
  #gpg --search-keys `perl -e "print 'A'x512"`

Or, without gpg:

  #echo -e "GET /pks/lookup?op=index&search=`perl -e "print 'A'x512"`" | nc keyserver-host 11371

Fortunately, in order to turn the overflow into code execution, the
supplied buffer must pass isalnum() (every byte alphanumeric) and must
survive tolower() conversion (uppercase letters are folded to lowercase
before the copy). In practice this restricts an injected payload to lowercase
letters and digits, which makes exploitation harder, but a crash requires no
such care: any sufficiently long search term takes the server down.
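To make the bug class concrete, the following is an added example and not code from pks or from the advisory's author: a hypothetical reconstruction of a "fold to lowercase while copying into a fixed 256-byte buffer" routine of the kind the advisory describes, next to a bounded version that enforces the same alphanumeric constraint explicitly. The names SEARCH_BUF, copy_search_unsafe, copy_search_safe and the demo_* helpers, and the 512-byte input built in the demo, are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the server-side search buffer (the advisory says a
 * term longer than 256 bytes crashes the service). */
#define SEARCH_BUF 256

/* Vulnerable pattern: tolower() applied while copying, with no bound on
 * the destination. A term of 256 bytes or more runs off the end of `dst`
 * and corrupts whatever follows it (a stack frame in the real server).
 * For that reason this demo only ever calls it with short input. */
void copy_search_unsafe(char *dst, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Hardened version: length is checked before the copy, and the
 * alphanumeric constraint becomes an explicit input filter instead of an
 * accidental property of the crash path.
 * Returns 0 on success, -1 if the term does not fit, -2 on a non-alnum byte. */
int copy_search_safe(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    size_t i;

    if (dstlen == 0 || n >= dstlen)   /* leave room for the terminator */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c))
            return -2;
        dst[i] = (char)tolower(c);
    }
    dst[n] = '\0';
    return 0;
}

/* Constructed input mirroring the advisory's probe: 512 'A' bytes. */
int demo_oversize_rejected(void)
{
    char term[513];
    char out[SEARCH_BUF];
    memset(term, 'A', 512);
    term[512] = '\0';
    return copy_search_safe(out, sizeof out, term);   /* -1 */
}

/* A short alphanumeric term passes and is folded to lowercase. */
int demo_lowercased(void)
{
    char out[SEARCH_BUF];
    if (copy_search_safe(out, sizeof out, "0xDEADBEEF") != 0)
        return 0;
    return strcmp(out, "0xdeadbeef") == 0;            /* 1 */
}

/* A term with a space (not alnum) is refused by the filter. */
int demo_nonalnum_rejected(void)
{
    char out[SEARCH_BUF];
    return copy_search_safe(out, sizeof out, "john doe");   /* -2 */
}

/* The unsafe copy behaves identically on input that fits; the only
 * difference is what happens past the 256th byte. */
int demo_unsafe_short_input(void)
{
    char out[SEARCH_BUF];
    copy_search_unsafe(out, "AbC1");
    return strcmp(out, "abc1") == 0;                  /* 1 */
}

int main(void)
{
    printf("oversize term: %d (expect -1)\n", demo_oversize_rejected());
    printf("lowercased ok: %d (expect 1)\n", demo_lowercased());
    printf("non-alnum term: %d (expect -2)\n", demo_nonalnum_rejected());
    printf("unsafe short copy: %d (expect 1)\n", demo_unsafe_short_input());
    return 0;
}
```

The point of the side-by-side is the tolower((unsigned char)c) copy: in the unsafe version it is the last thing that happens before the stack is overwritten, so an attacker's bytes reach the return address only after being lowercased and only if they were alphanumeric to begin with, which is exactly the constraint the advisory notes. The bounded version rejects the 512-byte probe before a single byte is written.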

ADDITIONAL INFORMATION

The information has been provided by <mailto:rusmir@tula.net> Max.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


