
Remote PGP Outlook Encryption Plug-in Vulnerability



Release Date: 
July 10, 2002 


Severity: 
High (Remote Code Execution) 


Systems Affected: 
NAI PGP Desktop Security 7.0.4 
NAI PGP Personal Security 7.0.3 
NAI PGP Freeware 7.0.3 


Description: 


The beer is still cold, the days are still long, the exploits still start as 
jokes (this time over a beer with a three letter agency) and the 
advisories... we'll just say, "All of your SCADA are belong to us." 


A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely 
execute code on any system that uses the NAI PGP Outlook plug-in. By 
sending a carefully crafted email, the message decoding functionality can be 
manipulated to overwrite various heap structures pertinent to the PGP 
plug-in. 


This vulnerability can be exploited by a user simply selecting a "malicious" 
email; opening an attachment is not required. When the attack is 
performed against a target system, malicious code will be executed within 
the context of the user receiving the email. This can lead to the compromise 
of the target's machine, as well as their PGP encrypted communications. It 
should also be noted that because of the nature of the SMTP protocol this 
vulnerability can be exploited anonymously. 


Technical Description: 


Exploitation: 


By creating a malformed email we can overwrite a section of heap memory that 
contains various data. By overwriting this section of heap with valid 
addresses of an unused section in the PEB, which is the same across all NT 
systems, we can walk the email parsing and eventually get to something 
easily exploitable: 


CALL DWORD PTR [ecx] 


This pointer references a function pointer list. At the time of 
exploitation, an attacker controlled buffer address is the first item on the 
stack. By overwriting the function pointer list pointer with the 
address of an Import table entry, we can call any imported function. Our current 
stack will be passed into the function as is, for parameter use. The first 
item on our stack is an address that points to attacker-controlled data. 
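The bug class the advisory describes, a decoded message field that overruns its heap record and lands on the record's pointer to a function-pointer table, as an added C model beside the bounds-checked fix. This is illustration code, not eEye's or NAI's, and the struct layout, names and message bytes are constructed; the vulnerable copy is clamped to the record's own size only so the demonstration stays inside its allocation.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef void (*handler_fn)(void);

/* Constructed heap record: a fixed-size decoded field followed by the
 * pointer to a handler table (the list an indirect CALL [ecx] walks). */
struct decode_ctx {
    char field[16];
    handler_fn *handlers;
};

static void noop_handler(void) {}
static handler_fn real_table[1] = { noop_handler };

/* Vulnerable: trusts the length carried in the message, so an oversized
 * field runs past 'field' and overwrites 'handlers'. The clamp to the
 * struct size is a demo guard only; it is not part of the bug. */
static int decode_field_vuln(struct decode_ctx *ctx, const unsigned char *in, size_t len) {
    unsigned char *raw = (unsigned char *)ctx;
    if (len > sizeof *ctx) len = sizeof *ctx;
    memcpy(raw, in, len);
    return 0;
}

/* Hardened: refuse any field that does not fit the destination buffer. */
static int decode_field_safe(struct decode_ctx *ctx, const unsigned char *in, size_t len) {
    if (len >= sizeof ctx->field) return -1;
    memcpy(ctx->field, in, len);
    ctx->field[len] = '\0';
    return 0;
}

/* Runs a decoder on a constructed field of 'field_len' bytes of 'A' and
 * returns 1 if the handler-table pointer no longer matches the original. */
static int table_clobbered(int (*decoder)(struct decode_ctx *, const unsigned char *, size_t),
                           size_t field_len) {
    struct decode_ctx *ctx = calloc(1, sizeof *ctx);
    unsigned char msg[64];
    handler_fn *expected = real_table;
    if (!ctx || field_len > sizeof msg) { free(ctx); return -1; }
    memset(msg, 'A', sizeof msg);
    ctx->handlers = real_table;
    decoder(ctx, msg, field_len);
    int clobbered = memcmp(&ctx->handlers, &expected, sizeof expected) != 0;
    free(ctx);
    return clobbered;
}
```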


By overwriting the address with the address of the 
SetUnhandledExceptionFilter() IAT entry, execution will redirect into this 
address when the default exception handler is called. 


After returning from SetUnhandledExceptionFilter(), PGP Outlook will fail as 
it crawls back down the call stack; after cycling through the exception list 
it will call the DefaultExceptionFilter, which now contains the address of 
our code. This of course can also be exploited silently using frame 
reconstruction. 


Due to the large size of an example vulnerable email we are not including it 
in our advisory. We will be updating the research section of our website 
with a link to an example email. http://www.eEye.com 


Where do you want your secret key to go today? 


Vendor Status: NAI has worked quickly to safeguard customers against this 
vulnerability. They have released a patch, for the latest versions of the 
PGP Outlook plug-in, to protect systems from this flaw. You may download the 
patch from: 
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp 
Note: This issue does not affect PGP Corporate Desktop users. 


Discovery: Marc Maiffret 
Exploitation: Riley Hassell 


Greetings: Kasia, and the hot photographer from Inc Magazine. Phil 
Zimmerman, the godfather of personal privacy, much respect. 


Copyright (c) 1998-2002 eEye Digital Security 
Permission is hereby granted for the redistribution of this alert 
electronically. It is not to be edited in any way without express consent of 
eEye. If you wish to reprint the whole or any part of this alert in any 
other medium excluding electronic medium, please e-mail alert@eEye.com for 
permission. 


Disclaimer 
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at the 
user's own risk. 


Feedback 
Please send suggestions, updates, and comments to: 


eEye Digital Security 
http://www.eEye.com 
info@eEye.com
