GnuPG exploit [Fwd: Possible problem with GnuPG 1.0.6]

Bjoern Fischer bfischer@Techfak.Uni-Bielefeld.DE
Mon Dec 31 21:44:01 2001

Hello Phillip,

> > This is unrelated to gpg being setuid or not.  It is also somewhat
> > unrelated to gpg - *any* setgid program that can write to a file can
> > write to a group-writable file with the same group.
> Sure *any* setgid program can write to that. But should gpg do it?

GnuPG was never meant to be installed with the sgid bit set.
It may be installed suid root on some platforms due to the
"unsecure memory" issue.

> Aren't the checks for effective rights there to handle that?

When installed suid root, gpg does what it needs with root privileges
i.e. allocating a locked memory buffer, and then drops these privileges
immediately and completely. So it drops any user privileges (set[e]uid(2))
but does not touch any group privileges, since there should not be any
group privileges to drop.

> Gpg should handle everything it really needs the rights for (allocating t=
> secure memory, ...) with the rights it has. And everything else (like=20
> reading/writing most of the files) with the rights of the user who called=
> If GnuPG wants to be setuid root, than it has to be developped to be safe=
> that way.

It does exactly this.

> It seems to me that the user requests to write to that file, so the right=
s of=20
> the user should be checked, in my opinion.

There is no need to do this. When doing file I/O gpg already has dropped
root privileges.

Install gpg properly, remove the sgid bit, and your "exploit" won't work
any more.

-Bj=F6rn Fischer

GCS d--(+) s++: a- C+++(-) UB++++OSI++++$ P+++(-) L---(++) !E W- N+ o>+
K- !w !O !M !V  PS++  PE-  PGP++  t+++  !5 X++ tv- b+++ D++ G e+ h-- y+=20