exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

eeye.pgp.txt

eeye.pgp.txt
Posted Jul 11, 2002
Authored by Marc Maiffret | Site eEye.com

Eeye Advisory - The NAI PGP Outlook plug-in in NAI PGP Freeware 7.0.3, PGP Personal Security 7.0.3, and PGP Desktop Security 7.0.4 contains a remotely exploitable heap overflow which can lead to code execution. NAI patch available here.

tags | overflow, code execution
SHA-256 | e7216236aa140bde90e0b6a185d4054a32eb6585e3527ebacfa7d3f1141d1b94

eeye.pgp.txt

Change Mirror Download
Remote PGP Outlook Encryption Plug-in Vulnerability

Release Date:
July 10, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
NAI PGP Desktop Security 7.0.4
NAI PGP Personal Security 7.0.3
NAI PGP Freeware 7.0.3

Description:

The beer is still cold, the days are still long, the exploits still start as
jokes (this time over a beer with a three letter agency) and the
advisories... we'll just say, "All of your SCADA are belong to us."

A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely
execute code on any system that uses the NAI PGP Outlook plug-in’s. By
sending a carefully crafted email the message decoding functionality can be
manipulated to overwrite various heap structures pertinent to the PGP
plug-in.

This vulnerability can be exploited by a user simply selecting a “malicious”
email, the opening of attachments is not required. When the attack is
performed against a target system, malicious code will be executed within
the context of the user receiving the email. This can lead to the compromise
of the targets machine, as well as their PGP encrypted communications. It
should also be noted that because of the nature of the SMTP protocol this
vulnerability can be exploited anonymously.

Technical Description:

Exploitation:

By creating a malformed email we can overwrite a section of heap memory that
contains various data. By overwriting this section of heap with valid
addresses of an unused section in the PEB, which is the same across all NT
systems, we can walk the email parsing and eventually get to something
easily exploitable:

CALL DWORD PTR [ecx]

This pointer addresses references a function pointer list. At the time of
exploitation, an attacker controlled buffer address is the first item on the
stack. By overwriting the function pointer list pointer address with the
address of an Import table, we can call any imported function. Our current
stack will be passed into the function for parameter use. as is. The first
item on our stack is an address that points to attacker-controlled data.

By overwriting the address, with the address of the
SetUnhandledExceptionFilter() IAT entry, execution will redirect into this
address when the default exception handler is called,

After returning from SetUnhandledExceptionFilter() PGP Outlook will fail as
it crawls back down the call stack, after cycling through the exception list
it will call the DefaultExceptionFilter, which now contains the address of
our code. This of course can also be exploited silently using frame
reconstruction.

Due to the large size of an example vulnerable email we are not including it
in our advisory. We will be updating the research section of our website
with a link to an example email. http://www.eEye.com

Where do you want your secret key to go today?

Vendor Status: NAI has worked quickly to safeguard customers against this
vulnerability. They have released a patch, for the latest versions of the
PGP Outlook plug-in, to protect systems from this flaw. You may download the
patch from:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Note: This issue does not affect PGP Corporate Desktop users.

Discover: Marc Maiffret
Exploitation: Riley Hassell

Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
Zimmerman, the godfather of personal privacy, much respect.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close