9th Sep 2002 [SBWID-5670]
COMMAND
PGP Remote code execution and plaintext passphrase disclosure
SYSTEMS AFFECTED
PGP Corporate Desktop 7.1.1
PROBLEM
From Tony Bettini's [tony.bettini@foundstone.com] advisory
[http://www.foundstone.com/advisories]:
Foundstone Labs Advisory - 090502-PCRO
Advisory Name: Remotely Exploitable Buffer Overflow in PGP
Release Date: September 5, 2002
Application: PGP Corporate Desktop 7.1.1
Platforms: Windows 2000/XP
Severity: Remote code execution and plaintext passphrase disclosure
Vendors: PGP Corporation (http://www.pgp.com)
Authors: Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate: CAN-2002-0850
Reference: http://www.foundstone.com/advisories
Overview:
In many locations where PGP handles files, the length of the filename
is not properly checked. As a result, PGP Corporate Desktop will crash
if a user attempts to encrypt or decrypt a file with a long filename. A
remote attacker may create an encrypted document that, when decrypted
by a user running PGP, would allow remote commands to be executed
on the client's computer.
Detailed Description:
A malicious attacker could create a filename containing:
<196 bytes><eip><9 bytes><readable address><29 bytes>
The attacker would then encrypt the file using the public key of the
target user. In many cases, public keys often contain banners of the
utilized PGP client software and its associated version.
The encrypted archive could then be sent to the target user,
potentially via a Microsoft Outlook attachment. The email attachment
could have a filename such as "foryoureyesonly.pgp" or
"confidential.pgp". When the unsuspecting user decrypts the archive
(either via autodecrypt or manual), the overflow will occur if the file
within the archive has a long filename.
In some cases the attacker may also obtain the passphrase of the target
user. PGP crashes immediately after the decryption of the malicious
file and before the memory containing the passphrase is overwritten.
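As an added illustration (not code from the advisory, from Foundstone or from PGP), the following C shows the kind of length check whose absence the advisory describes, applied to the OpenPGP Literal Data packet (tag 11) that carries a filename; the buffer size MAX_FILENAME and the packet builder are assumptions for the demonstration, since the page does not state PGP's internal buffer size or where the unchecked copy occurs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical fixed-size filename buffer of the kind the advisory describes
 * being overrun; the real size inside PGP 7.1.1 is not stated on the page. */
#define MAX_FILENAME 64
struct literal_hdr { char format; uint8_t name_len; char name[MAX_FILENAME + 1]; };

/* Parse a new-format OpenPGP Literal Data packet (tag 11): body length
 * (one- or two-octet form), then format octet, name-length octet, name, date.
 * Returns 0 = ok, -1 = malformed/truncated, -2 = name exceeds our buffer. */
int parse_literal(const uint8_t *p, size_t len, struct literal_hdr *out)
{
    size_t body, hdr;
    if (len < 2 || p[0] != 0xCB) return -1;            /* 0xC0 | tag 11 */
    if (p[1] < 192) { body = p[1]; hdr = 2; }
    else if (p[1] < 224 && len >= 3) { body = ((size_t)(p[1] - 192) << 8) + p[2] + 192; hdr = 3; }
    else return -1;                                    /* longer length forms not handled */
    if (len < hdr + body || body < 6) return -1;       /* format + len + 4-octet date */
    const uint8_t *b = p + hdr;
    uint8_t name_len = b[1];
    if (body < (size_t)6 + name_len) return -1;        /* name would run past the body */
    if (name_len > MAX_FILENAME) return -2;            /* the bound check the advisory says was missing */
    out->format = (char)b[0];
    out->name_len = name_len;
    memcpy(out->name, b + 2, name_len);                /* copy is now within bounds */
    out->name[name_len] = '\0';
    return 0;
}
/* Constructed test packet: n-byte filename of 'A's, zeroed date, no data. */
size_t build_literal(uint8_t *buf, size_t cap, size_t n)
{
    size_t body = 6 + n, hdr = body < 192 ? 2 : 3;
    if (n > 255 || cap < hdr + body) return 0;
    buf[0] = 0xCB;
    if (hdr == 2) buf[1] = (uint8_t)body;
    else { buf[1] = (uint8_t)(((body - 192) >> 8) + 192); buf[2] = (uint8_t)((body - 192) & 0xFF); }
    memset(buf + hdr, 0, body);
    buf[hdr] = 'b'; buf[hdr + 1] = (uint8_t)n;
    memset(buf + hdr + 2, 'A', n);
    return hdr + body;
}
/* Build then parse a packet whose filename is n bytes; returns the parse status. */
int check_filename_len(size_t n)
{
    uint8_t pkt[300]; struct literal_hdr h;
    size_t len = build_literal(pkt, sizeof pkt, n);
    return len ? parse_literal(pkt, len, &h) : -1;
}
```

A 242-byte name (the total length of the layout quoted in the advisory) is rejected with -2 before any copy takes place, while a truncated packet is rejected as malformed.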
SOLUTION
Vendor Response:
PGP has issued a fix for this vulnerability; it is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Foundstone would like to thank PGP for their cooperation with the
remediation of this vulnerability.
Solution:
We recommend applying the vendor patch.
Disclaimer:
The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given,
express, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential
damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.