[NT] Remotely Exploitable Buffer Overflow in PGP

From: support@securiteam.com
Date: 09/08/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  8 Sep 2002 22:59:25 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remotely Exploitable Buffer Overflow in PGP
------------------------------------------------------------------------

SUMMARY

In many locations where PGP handles files, the length of the filename is
not properly checked. As a result, PGP Corporate Desktop will crash if a
user attempts to encrypt or decrypt a file with a long filename. A remote
attacker may create an encrypted document that, when decrypted by a user
running PGP, would allow remote commands to be executed on the client's
computer.

DETAILS

Vulnerable systems:
 * PGP Corporate Desktop version 7.1.1

A malicious attacker could create a filename containing:
<196 bytes><eip><9 bytes><readable address><29 bytes>

The attacker would then encrypt the file using the public key of the
target user. Public keys often contain banners identifying the PGP client
software in use and its version.

The encrypted archive could then be sent to the target user, potentially
as a Microsoft Outlook attachment. The email attachment could have a
filename such as "foryoureyesonly.pgp" or "confidential.pgp". When the
unsuspecting user decrypts the archive (either via autodecrypt or
manually), the overflow will occur if the file within the archive has a
long filename.

In some cases, the attacker may also obtain the pass phrase of the target
user. PGP crashes immediately after the decryption of the malicious file
and before the memory containing the pass phrase is overwritten.
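As an added illustration (not PGP's code and not part of the advisory), the check the advisory says is missing: a bounds-checked parser for the filename carried in an OpenPGP literal data packet (RFC 2440, tag 11), the field that names a file inside an encrypted message. The 242-byte test name assumes the advisory's layout with 4-byte eip and address fields; buffer sizes are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define LIT_HDR_MIN 6   /* format octet + name-length octet + 4-octet date */

/* Parse the header of an OpenPGP literal data packet body (RFC 2440,
 * tag 11): format octet, filename-length octet, filename, 4-octet date.
 * The length field is one octet, so a name may be up to 255 bytes; the
 * defect class in the advisory is copying it into a smaller fixed buffer
 * without the name_cap comparison below. Returns 0 on success, -1 if the
 * input is truncated, -2 if the name (plus NUL) would not fit name_cap. */
int parse_literal_hdr(const uint8_t *body, size_t body_len,
                      char *name, size_t name_cap,
                      uint32_t *date, size_t *data_off)
{
    if (body == NULL || name == NULL || body_len < LIT_HDR_MIN) return -1;
    size_t name_len = body[1];
    if (body_len < LIT_HDR_MIN + name_len) return -1;  /* truncated */
    if (name_len >= name_cap) return -2;               /* would overflow */
    memcpy(name, body + 2, name_len);
    name[name_len] = '\0';
    const uint8_t *d = body + 2 + name_len;
    if (date) *date = ((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) |
                      ((uint32_t)d[2] << 8) | (uint32_t)d[3];
    if (data_off) *data_off = LIT_HDR_MIN + name_len;
    return 0;
}

/* Constructed input: binary-format body, name of n bytes of 'A' (n <= 255),
 * zero date. Returns the body length, or 0 if buf is too small. */
size_t build_literal_body(uint8_t *buf, size_t buflen, size_t n)
{
    if (n > 255 || buflen < LIT_HDR_MIN + n) return 0;
    buf[0] = 'b';
    buf[1] = (uint8_t)n;
    memset(buf + 2, 'A', n);
    memset(buf + 2 + n, 0, 4);
    return LIT_HDR_MIN + n;
}

/* Parses a 242-byte name (the advisory's layout, assuming 4-byte eip and
 * address fields) into a buffer of name_cap bytes and returns the status:
 * 0 when the buffer is large enough, -2 when the check rejects it. */
int demo_status(size_t name_cap)
{
    uint8_t body[LIT_HDR_MIN + 255];
    char name[256];
    size_t len = build_literal_body(body, sizeof body, 242);
    if (len == 0 || name_cap > sizeof name) return -3;
    return parse_literal_hdr(body, len, name, name_cap, NULL, NULL);
}
```

A 128-byte name buffer, the kind of undersized fixed buffer the advisory describes, is rejected with -2; a buffer of 243 bytes or more accepts the same name.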

Vendor Response:
PGP has issued a fix for this vulnerability; it is available at:

http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Foundstone would like to thank PGP for their cooperation with the
remediation of this vulnerability.

Solution:
We recommend applying the vendor patch.

ADDITIONAL INFORMATION

The information has been provided by Tony Bettini of Foundstone
(tony.bettini@foundstone.com).
