PGP Outlook Encryption Plug-in Vulnerability (CIAC M-098)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  PGP Outlook Encryption Plug-in Vulnerability
                  [eEye Digital Security Advisory AD20020710]

July 11, 2002 20:00 GMT                                           Number M-098
______________________________________________________________________________
PROBLEM:       A vulnerability in the NAI PGP Outlook plug-in can be exploited 
               to remotely execute code on any system that uses the plug-in. 
               By sending a carefully crafted email, the message decoding 
               functionality can be manipulated to overwrite various heap 
               structures pertinent to the PGP plug-in. 
SOFTWARE:      NAI PGP Desktop Security 7.0.4
               NAI PGP Personal Security 7.0.3
               NAI PGP Freeware 7.0.3 
DAMAGE:        When the attack is performed against a target system, malicious 
               code will be executed within the context of the user receiving 
               the email. This can lead to the compromise of a target machine 
               and its PGP encrypted communications. 
SOLUTION:      Apply NAI's patch as prescribed by eEye's bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Exploitation of this vulnerability may lead 
ASSESSMENT:    to remote execution of code on any system that uses the NAI PGP 
               Outlook plug-ins. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-098.shtml
 ORIGINAL BULLETIN:  http://www.eeye.com/html/Research/Advisories/AD20020710.html
 PATCHES:            http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
______________________________________________________________________________

[***** Start eEye Digital Security Advisory AD20020710 *****]

Remote PGP Outlook Encryption Plug-in Vulnerability

Release Date:
July 10, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
NAI PGP Desktop Security 7.0.4
NAI PGP Personal Security 7.0.3
NAI PGP Freeware 7.0.3

Description:

The beer is still cold, the days are still long, the exploits still start as
jokes (this time over a beer with a three letter agency) and as for the
advisories... we'll just say: "All of your SCADA are belong to us". (If you do
not get this quote, do not worry. And yes, the bad grammar is intentional.)

A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely
execute code on any system that uses the NAI PGP Outlook plug-ins. By sending a
carefully crafted email, the message decoding functionality can be manipulated
to overwrite various heap structures pertinent to the PGP plug-in.

This vulnerability can be exploited by the Outlook user simply selecting a
"malicious" email; the opening of an attachment is not required. When the attack
is performed against a target system, malicious code will be executed within the
context of the user receiving the email. This can lead to the compromise of the
target's machine, as well as their PGP encrypted communications. Also, it should
be noted that because of the nature of the SMTP protocol this vulnerability can
be exploited anonymously.

Technical Description/Exploitation:

By creating a malformed email we can overwrite a section of heap memory that
contains various data. By overwriting this section of heap with valid addresses of
an unused section in the PEB, which is the same across all NT systems, we can walk
the email parsing and eventually get to something easily exploitable:

CALL DWORD PTR [ecx]

This pointer address references a function pointer list. At the time of exploitation,
an attacker controlled buffer address is the first item on the stack. By overwriting
the function pointer list pointer address with the address of an Import table, we can
call any imported function. Our current stack will be passed into the function for
parameter use. The first item on our stack is an address that points to
attacker-controlled data.

By overwriting the address with the address of the SetUnhandledExceptionFilter()
IAT entry, execution will redirect into this address when the default exception handler
is called.

After returning from SetUnhandledExceptionFilter(), PGP Outlook will fail as it crawls
back down the call stack. After cycling through the exception list it will call the
DefaultExceptionFilter, which now contains the address of our code. This can also be
exploited silently using frame reconstruction.

Due to the large size of a vulnerable email, we are not including an example in our
advisory. We will be updating the research section of this website with a link to an
example email.

Where do you want your secret key to go today?

Vendor Status:

NAI has worked quickly to safeguard customers against this vulnerability. They have
released a patch for the latest versions of the PGP Outlook plug-in to protect
systems from this flaw. Users can download the patch from:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Note: This issue does not affect PGP Corporate Desktop users.

Credit:
Discovery: Marc Maiffret
Exploitation: Riley Hassell

Greetings:
Kasia, and the hot photographer from Inc Magazine. Phil Zimmermann, the godfather of
personal privacy - much respect.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically.
It is not to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium excluding electronic
medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties with
regard to this information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

[***** End eEye Digital Security Advisory AD20020710 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of eEye Digital Security for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
