Peter Winter-Smith of NGSSoftware has discovered a medium risk vulnerability in PGP Desktop which can allow a remote authenticated attacker to execute arbitrary code on a system on which PGP Desktop is installed. The vulnerability resides within the Windows Service which PGP Desktop installs (which operates under the Local System account), and as such it may be used by any local or remote user (who must be a member of at least the Everyone/ANONYMOUS LOGON groups) to run code with escalated privileges. NGS have not been able to exploit this issue in the context of a NULL session. The details of this issue are as follows: PGP Desktop installs a service (PGPServ.exe/PGPsdkServ.exe) which exposes a named pipe '\pipe\pgpserv' (or '\pipe\pgpsdkserv' for the PGPsdkServ.exe instance). This pipe is the endpoint for an RPC interface (uuid:15cd3850-28ca-11ce-a4e8-00aa006116cb) which takes the following format: [ uuid(15cd3850-28ca-11ce-a4e8-00aa006116cb), version(1.0), implicit_handle(handle_t rpc_binding) ] interface pgpsdkserv { error_status_t Function_00( [in] /* [ignore] void * */ long element_1 ); typedef struct { long element_2; [size_is(element_2)] [unique] byte *element_3; } TYPE_1; error_status_t Function_01( [in] /* [ignore] void * */ long element_4, [in] [size_is(element_6)] byte element_5[*], [in] long element_6, [in] long element_7, [out] [ref] TYPE_1 *element_8 ); } This interface is used to marshall various objects and information between PGP clients (PGP.dll/PGPsdk.dll) and the PGP service. The vulnerability occurs as a result of the fact that the code responsible for processing the objects which are passed over the interface to the service does not perform any kind of validation on these objects, and instead trusts that object data is completely safe in the form that it is received (i.e., absolute pointers are trusted without validation). NGS have discovered that if the following object is passed over the interface as the second parameter to function ordinal 1, an absolute pointer is trusted and executed - easily facilitating arbitrary code execution inside of the PGP service process: /* structure passed over rpc: struct { DWORD **pprgMM; // set as absolute pointer to dwUnknown_1 DWORD dwUnknown_1; // set as absolute pointer to 'rgMM' DWORD dwCount; // set to value 0 DWORD dwFGUB_signature; // set to value 'FGUB' DWORD dwUnknown_2; // set to value 'rgMM' DWORD dwUnknown_3; DWORD dwUnknown_4; DWORD dwUnknown_5; DWORD dwUnknown_6; PBYTE pbFunction; // set to absolute address of shellcode // etc... }; */ This issue has been resolved as of PGP Desktop 9.5.1 and NGS recommend that all users download the updated version from the PGP website: http://www.pgp.com/ NGSSoftware Insight Security Research http://www.ngssoftware.com http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402