
Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP


Date: Fri, 6 Sep 2002 10:54:17 -0700
From: Foundstone Labs <labs@foundstone.com>
To: bugtraq@securityfocus.com
Subject: Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP

Foundstone Labs Advisory - 090502-PCRO

Advisory Name:	Remotely Exploitable Buffer Overflow in PGP
 Release Date:	September 5, 2002
  Application:	PGP Corporate Desktop 7.1.1
    Platforms:	Windows 2000/XP
     Severity:	Remote code execution and plaintext passphrase disclosure
      Vendors:	PGP Corporation (http://www.pgp.com)
      Authors:	Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate:	CAN-2002-0850
    Reference:	http://www.foundstone.com/advisories

Overview:

In many locations where PGP handles files, the length of the filename is
not properly checked. As a result, PGP Corporate Desktop will crash if a
user attempts to encrypt or decrypt a file with a long filename. A remote
attacker may create an encrypted document that, when decrypted by a user
running PGP, would allow remote commands to be executed on the client's
computer.

Detailed Description:

A malicious attacker could create a filename containing:
<196 bytes><eip><9 bytes><readable address><29 bytes>

The attacker would then encrypt the file using the public key of the
target user. Public keys often carry a banner identifying the PGP client
software and version in use.

The encrypted archive could then be sent to the target user, potentially
as a Microsoft Outlook attachment. The email attachment could have a
filename such as "foryoureyesonly.pgp" or "confidential.pgp". When the
unsuspecting user decrypts the archive (either via autodecrypt or
manually), the overflow will occur if the file within the archive has a
long filename.

In some cases the attacker may also obtain the passphrase of the target
user. PGP crashes immediately after the decryption of the malicious file
and before the memory containing the passphrase is overwritten.
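Added example, not Foundstone's or PGP's code: a minimal C illustration of the two defensive points raised above. It parses an archive header's filename with and without a bounds check, and it wipes the passphrase as soon as the key is unlocked, so that a record rejected (or crashing) later in the pipeline cannot expose it. The record layout (a 2-byte little-endian name length followed by the name bytes), the 64-byte name buffer, the `unlock_key` stand-in and the sample passphrase are all constructed for this example and say nothing about PGP's real file formats or internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REC_HDR  2   /* constructed layout: 2-byte little-endian name length */
#define NAME_CAP 64  /* assumed fixed-size name buffer in the caller */

/* Vulnerable pattern: trusts the header's declared length and copies into a
 * fixed buffer, so a name longer than NAME_CAP overruns `out`. */
int parse_name_unchecked(const uint8_t *rec, size_t rec_len, char out[NAME_CAP])
{
    if (rec_len < REC_HDR) return -1;
    size_t n = rec[0] | ((size_t)rec[1] << 8);
    memcpy(out, rec + REC_HDR, n);      /* no comparison against NAME_CAP */
    out[n] = '\0';
    return 0;
}

/* Hardened: the name must fit both the record and the output buffer. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap)
{
    if (rec_len < REC_HDR || out_cap == 0) return -1;
    size_t n = rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - REC_HDR) return -1;   /* header claims more than is present */
    if (n >= out_cap) return -1;            /* no room for name plus NUL */
    memcpy(out, rec + REC_HDR, n);
    out[n] = '\0';
    return 0;
}

/* Zeroise through a volatile pointer so the compiler cannot drop the stores. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

int is_zeroed(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

/* Constructed stand-in for "unlock the private key with the passphrase". */
static uint32_t unlock_key(const char *pw)
{
    uint32_t h = 2166136261u;            /* FNV-1a hash, illustration only */
    for (; *pw; pw++) h = (h ^ (unsigned char)*pw) * 16777619u;
    return h;
}

/* The passphrase is consumed and wiped before any untrusted header field is
 * parsed, so a rejected (or crashing) record cannot leave it in memory.
 * Returns 0 on success, -1 if the name is rejected. */
int decrypt_record(const uint8_t *rec, size_t rec_len, char *pw, size_t pw_cap,
                   char *name_out, size_t name_cap)
{
    uint32_t key = unlock_key(pw);
    wipe(pw, pw_cap);                   /* plaintext passphrase gone from here on */
    (void)key;                          /* would drive the real payload decryption */
    return parse_name_checked(rec, rec_len, name_out, name_cap);
}

/* Build a constructed record whose name is `n` copies of 'A'; 0 on failure. */
size_t make_record(uint8_t *buf, size_t buf_cap, size_t n)
{
    if (n > 0xffff || buf_cap < REC_HDR + n) return 0;
    buf[0] = (uint8_t)(n & 0xff);
    buf[1] = (uint8_t)(n >> 8);
    memset(buf + REC_HDR, 'A', n);
    return REC_HDR + n;
}

/* Self-checks, 1 = property holds. The unchecked parser is only ever fed
 * the short record here. */
int check_long_name_rejected_and_pw_wiped(void)
{
    uint8_t rec[512]; char name[NAME_CAP]; char pw[32] = "correct horse";
    size_t len = make_record(rec, sizeof rec, 300);   /* 300 > NAME_CAP */
    int rc = decrypt_record(rec, len, pw, sizeof pw, name, sizeof name);
    return rc == -1 && is_zeroed(pw, sizeof pw);
}

int check_short_name_accepted(void)
{
    uint8_t rec[512]; char a[NAME_CAP], b[NAME_CAP]; char pw[32] = "correct horse";
    size_t len = make_record(rec, sizeof rec, 12);
    int rc = decrypt_record(rec, len, pw, sizeof pw, a, sizeof a);
    return rc == 0 && parse_name_unchecked(rec, len, b) == 0
        && strcmp(a, b) == 0 && strlen(a) == 12 && is_zeroed(pw, sizeof pw);
}

int check_truncated_record_rejected(void)
{
    uint8_t rec[512]; char name[NAME_CAP];
    make_record(rec, sizeof rec, 12);
    return parse_name_checked(rec, REC_HDR + 5, name, sizeof name) == -1;
}
```

The order inside `decrypt_record` is the point: the secret is scrubbed the moment it has served its purpose, before any attacker-controlled field is interpreted, so the failure window the advisory describes (a crash after decryption, passphrase still in memory) does not exist. The `wipe` helper uses volatile stores because an ordinary `memset` on a buffer that is never read again is routinely removed by the optimiser.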

Vendor Response:

PGP has issued a fix for this vulnerability; it is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Foundstone would like to thank PGP for their cooperation with the
remediation of this vulnerability.

Solution:

We recommend applying the vendor patch.

Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given,
express, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential
damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.
