             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  Remotely Exploitable Buffer Overflow in PGP
                   [Foundstone Labs Advisory - 090502-PCRO]

September 9, 2002 19:00 GMT                                       Number M-122
______________________________________________________________________________
PROBLEM:       In many locations where PGP handles files, the length of the
               filename is not properly checked. As a result, PGP Corporate
               Desktop will crash if a user attempts to encrypt or decrypt a
               file with a long filename.
PLATFORM:      Windows 2000/XP
APPLICATION:   PGP Corporate Desktop 7.1.1
DAMAGE:        By decrypting the encrypted archive, a buffer overflow could
               occur leading to the execution of remote commands.
SOLUTION:      Apply available patch.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker could create an encrypted
ASSESSMENT:    document, that when decrypted by a user running PGP, would
               allow for remote commands to be executed on the client's
               computer.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-122.shtml
 ORIGINAL BULLETIN:  http://www.foundstone.com/knowledge/randd-advisories-display.html?id=334
 PATCHES:            http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
______________________________________________________________________________

[***** Start Foundstone Labs Advisory - 090502-PCRO *****]

----------------------------------------------------------------------
Foundstone Labs Advisory - 090502-PCRO

Advisory Name:  Remotely Exploitable Buffer Overflow in PGP
Release Date:   September 5, 2002
Application:    PGP Corporate Desktop 7.1.1
Platforms:      Windows 2000/XP
Severity:       Remote code execution and plaintext passphrase disclosure
Vendors:        PGP Corporation (http://www.pgp.com)
Authors:        Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate:  CAN-2002-0850
Reference:      http://www.foundstone.com/advisories
----------------------------------------------------------------------

Overview:

In many locations where PGP handles files, the length of the filename is
not properly checked. As a result, PGP Corporate Desktop will crash if a
user attempts to encrypt or decrypt a file with a long filename. A remote
attacker may create an encrypted document, that when decrypted by a user
running PGP, would allow for remote commands to be executed on the
client's computer.

Detailed Description:

A malicious attacker could create a filename containing:

<196 bytes><9 bytes><29 bytes>

The attacker would then encrypt the file using the public key of the
target user. Public keys often contain banners identifying the PGP client
software used and its version. The encrypted archive could then be sent
to the target user, potentially via a Microsoft Outlook attachment. The
email attachment could have a filename such as "foryoureyesonly.pgp" or
"confidential.pgp".
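The root cause described above is a filename copied from the archive into a fixed-size buffer with no length check. The following C program is an added illustration, not code from the advisory or from PGP: it places the unchecked copy pattern beside a bounded version that rejects names that do not fit, and, because the advisory also reports the passphrase surviving in memory after the crash, wipes the passphrase buffer on every return path of a simulated decrypt step. The buffer size, function names and sample inputs are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Fixed-size buffer standing in for the field an archive's embedded
 * filename is copied into. The size is an assumption for illustration,
 * not PGP's actual value. */
#define NAME_BUF_SIZE 64

/* Vulnerable pattern: the name taken from the archive is copied with no
 * bound, so any name longer than NAME_BUF_SIZE - 1 overruns the stack
 * frame. Kept only for contrast; nothing in this file calls it. */
void copy_name_unchecked(const char *archive_name)
{
    char name[NAME_BUF_SIZE];
    strcpy(name, archive_name);      /* no length check: overflow on long names */
    (void)name;
}

/* Hardened pattern: measure the name against the destination first,
 * refuse anything that will not fit with its terminator, and never
 * truncate silently (a silently shortened name is its own bug class).
 * Returns true and fills dst on success; false and an empty dst otherwise. */
bool copy_name_checked(char *dst, size_t dst_size, const char *archive_name)
{
    if (dst == NULL || dst_size == 0)
        return false;
    dst[0] = '\0';
    if (archive_name == NULL)
        return false;

    /* Bounded scan: stop at dst_size so an overlong name costs O(dst_size)
     * and we never read past a name that lacks a terminator. */
    size_t len = 0;
    while (len < dst_size && archive_name[len] != '\0')
        len++;
    if (len >= dst_size)
        return false;                /* does not fit: reject, do not truncate */

    memcpy(dst, archive_name, len + 1);
    return true;
}

/* Passphrase scrub: a plain memset before return may be optimised away
 * because the buffer is dead afterwards; writing through a volatile
 * pointer keeps the stores. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Simulated decrypt step (assumed structure, not PGP's): returns 0 when
 * the embedded filename is accepted, -1 when it is rejected. The
 * passphrase is wiped on both paths, so it does not linger in memory. */
int decrypt_archive(const char *embedded_name, char *passphrase, size_t pass_len)
{
    char name[NAME_BUF_SIZE];
    int rc = copy_name_checked(name, sizeof name, embedded_name) ? 0 : -1;
    /* ... real decryption would consume the passphrase here ... */
    secure_zero(passphrase, pass_len);
    return rc;
}

/* True if every byte of the buffer is zero (used to confirm the scrub). */
bool all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a normal name and one far longer than the buffer. */
    char long_name[300];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    char pass[] = "constructed sample passphrase";

    printf("short name accepted: %d\n", decrypt_archive("report.txt", pass, sizeof pass));
    printf("long name rejected:  %d\n", decrypt_archive(long_name, pass, sizeof pass));
    printf("passphrase wiped:    %d\n", all_zero((unsigned char *)pass, sizeof pass));
    return 0;
}
```

The check is deliberately a reject rather than a `strncpy`-style truncation: a name that is silently cut short can still collide with another file or lose its extension, and the caller gets no signal that anything was wrong. Rejecting the archive with an error keeps the failure visible and leaves the remaining stack frame untouched.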
When the unsuspecting user decrypts the archive (either via autodecrypt or
manually), the overflow will occur if the file within the archive has a
long filename.

In some cases the attacker may also obtain the passphrase of the target
user. PGP crashes immediately after the decryption of the malicious file
and before the memory containing the passphrase is overwritten.

Vendor Response:

PGP has issued a fix for this vulnerability; it is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Foundstone would like to thank PGP for their cooperation with the
remediation of this vulnerability.

Solution:

We recommend applying the vendor patch.

Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of publishing,
but no representation of any warranty is given, express, or implied as to
its accuracy or completeness. In no event shall the author or Foundstone
be liable for any direct, indirect, incidental, special, exemplary or
consequential damages resulting from the use or misuse of this
information. This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.

[***** End Foundstone Labs Advisory - 090502-PCRO *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Foundstone Labs for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to
foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or
product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-112: Microsoft Cumulative Patch for SQL Server
M-113: Microsoft Network Connection Manager (NCM) Flaw
M-114: Apache 2.0 Path Disclosure Vulnerability
M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability
M-116: Microsoft Cumulative Patch for Internet Explorer
M-117: Microsoft Office Web Components Vulnerabilities
M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities
M-120: Microsoft Visual FoxPro 6.0 Vulnerability
M-121: Microsoft Certificate Validation Vulnerability