pgp4pine stack overflow vulnerability

From: Eric AUGE (eric.auge@cw.com)
Date: 03/12/03

    Date: Wed, 12 Mar 2003 16:52:36 +0100 (CET)
    From: Eric AUGE <eric.auge@cw.com>
    To: bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Following information:

    I Background:
      pgp4pine is a mail encryption/decryption/signature/verification wrapper
      to gpg for pine; it is called from pine to parse the mail body and get PGP
      information from the file.

      more information: http://pgp4pine.flatline.de/

    II Problem description:
      When installed/configured within pine, pgp4pine parses any incoming mail
      before reading it (in the default standard configuration), looking for
      PGP tokens and information to do its sender signature verification.
      To verify incoming mail it calls:
      menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
      and reads each line according to this loop:

     [...]
     char readline[CONSOLE_IO_LINE_LENGTH];
     (where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
     [...]
     do {
       fertig=0;
       while (!fertig)
       {
         if ((c=getc(fin))==EOF)
         {
           outFile=inFile; /* this usually is not
                              executed, EOF breaks directly */
           return;
         }
         else if ((readline[i++]=c) == '\n')
         {
           readline[i]='\0';
           fertig=1;
         }
       }
       fertig=0;

       if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
       {
         /* got signed message */
         fclose(fin);
         while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
         fertig=1;
       }
       else if (strncmp("-----BEGIN PGP",readline,14)==0)
       {
         /* got another type of PGP message (encrypted, keys ...) */
         fclose(fin);
         fileDecrypt(inFile,outFile);
         waitForReturn();
         fertig=1;
       }
       else
         i=0; /* Got waste line, reset i */
     } while (!fertig);
     [...]

    If a single line goes over 256 chars directly to EOF,
    it will overwrite the saved environment on the stack and return,
    since there is no check on the index 'i' within the readline[] array,

         [...]
         }
         else if ((readline[i++]=c) == '\n')
         {
         [...]

    you can go over CONSOLE_IO_LINE_LENGTH and replace the necessary
    saved registers before hitting one condition to return.

         [...]
         if ((c=getc(fin))==EOF)
         {
           outFile=inFile; /* this usually is not
                              executed, EOF breaks directly */
           return;
         }
         [...]

    then try:

    rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
    rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
    [...]
    Segmentation fault (core dumped)
    rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
    [...]
    Core was generated by `./pgp4pine-vuln -d -i testmail'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libc.so.6...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0 0x41414141 in ?? ()
    (gdb)

    Here it is ;)

    III Impact
      Since pgp4pine processes any incoming email, sending a specially crafted
      email can let the sender execute arbitrary code on the recipient's box
      when the mail is opened.

    IV Workaround/Solutions

      Deactivate pgp4pine and use another pgp wrapper for pine:
      http://pgpenvelope.sourceforge.net/
      http://www.megaloman.com/~hany/software/pinepgp/stable.html
      or any other...

      The author, holger@flatline.de, has been contacted since 01/2003;
      no reply since :/

    V Proof of concept
      Attached is proof of concept code; for any information, read the source.

    Best Regards,

    - ---
    Eric AUGE.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (FreeBSD)

    iD8DBQE+b1fGL/U5psk9l1gRAr1RAJ4pnFriwS073R3fEcGp+1nMF4Q58gCfdLAK
    3aY03iuZQPfonSiyaqa5/Co=
    =zirR
    -----END PGP SIGNATURE-----
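A bounds-checked version of the line-reading loop quoted in the advisory, added here as an example; it is not pgp4pine's code and not a patch from its author, and the function and type names (read_line_bounded, scan_for_pgp, scan_string, overlong_line_is_safe, pgp_kind) are assumptions. An overlong line is truncated and drained instead of being written past readline[], and the same two token checks then run on the bounded result; the last function builds an input shaped like the advisory's 500-byte testmail to show the scanner surviving it.

```c
#define _POSIX_C_SOURCE 200809L      /* for fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONSOLE_IO_LINE_LENGTH 256   /* same size as pgp4pine's defines.h */
enum pgp_kind { PGP_EOF = -1, PGP_SIGNED = 1, PGP_OTHER = 2 };

/* Read one line into buf, storing at most cap-1 bytes plus the NUL. Excess
   bytes of an overlong line are read and dropped, so nothing is written past
   the buffer and the next call resumes at the next line. Returns the number
   of bytes stored; 0 means EOF was hit before any character. */
static size_t read_line_bounded(FILE *fin, char *buf, size_t cap) {
    size_t i = 0;
    int c;
    while ((c = getc(fin)) != EOF) {
        if (i + 1 < cap)           /* the bound check the original loop lacked */
            buf[i++] = (char)c;
        if (c == '\n') break;
    }
    buf[i] = '\0';
    return i;
}
/* Same two token tests as the advisory's loop, applied to bounded lines. */
enum pgp_kind scan_for_pgp(FILE *fin) {
    char readline[CONSOLE_IO_LINE_LENGTH];
    while (read_line_bounded(fin, readline, sizeof readline) > 0) {
        if (strncmp("-----BEGIN PGP SIGNED", readline, 20) == 0) return PGP_SIGNED;
        if (strncmp("-----BEGIN PGP", readline, 14) == 0) return PGP_OTHER;
    }
    return PGP_EOF;                /* no armor header in this body */
}
/* Scan a NUL-terminated in-memory body (fmemopen is POSIX). */
enum pgp_kind scan_string(const char *body) {
    FILE *f = fmemopen((void *)body, strlen(body), "r");
    if (!f) return PGP_EOF;
    enum pgp_kind k = scan_for_pgp(f);
    fclose(f);
    return k;
}
/* Constructed input shaped like the advisory's testmail (n 'A's, no newline)
   followed by a genuine signed header: returns 1 if the overlong line is
   skipped safely and the header on the next line is still found. */
int overlong_line_is_safe(size_t n) {
    char *body = malloc(n + 40);
    if (!body) return 0;
    memset(body, 'A', n);
    strcpy(body + n, "\n-----BEGIN PGP SIGNED MESSAGE-----\n");
    enum pgp_kind k = scan_string(body);
    free(body);
    return k == PGP_SIGNED;
}
```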
