PGP Corporate Desktop Vulnerability
Shan Harter
shan@systrends.com
Mon Sep 9 11:32:02 2002
This is a multi-part message in MIME format.
------=_NextPart_000_0016_01C2559C.62737C70
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
>From site:
Foundstone Labs Advisory - 090502-PCRO
Advisory Name: Remotely Exploitable Buffer Overflow in PGP
Release Date: September 5, 2002
Application: PGP Corporate Desktop 7.1.1
Platforms: Windows 2000/XP
Severity: Remote code execution and plaintext passphrase disclosure
Vendors: PGP Corporation (http://www.pgp.com)
Authors: Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate: CAN-2002-0850
Reference: http://www.foundstone.com/advisories
----------------------------------------------------------------------
Overview:
In many locations where PGP handles files, the length of the filename is
not properly checked. As a result, PGP Corporate Desktop will crash if a
user attempts to encrypt or decrypt a file with a long filename. A =
remote
attacker may create an encrypted document, that when decrypted by a user
running PGP, would allow for remote commands to be executed on the
client\'s computer.
Detailed Description:
A malicious attacker could create a filename containing:=20
<196 bytes><9 bytes><29 bytes>
The attacker would then encrypt the file using the public key of the
target user. In many cases, public keys often contain banners of the
utilized PGP client software and it\'s associated version. This means an
attacker could poll a PGP key server to find, with a reasonable level of
accuracy, a large list of vulnerable clients.
The encrypted archive could then be sent to the target user; potentially
via a Microsoft Outlook attachment. The email attachment could have a
filename such as \"foryoureyesonly.pgp\" or \"confidential.pgp\". When =
the
unsuspecting user decrypts the archive (either via autodecrypt or =
manual),
the overflow will occur if the file within the archive has a long
filename.
In some cases the attacker may also obtain the passphrase of the target
user. PGP crashes immediately after the decryption of the malicious file
and before the memory containing the passphrase is overwritten.
Vendor Response:
PGP has issued a fix for this vulnerability, it is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp=
Foundstone would like to thank PGP for their cooperation with the
remediation of this vulnerability.
Solution:
We recommend applying the vendor patch.
Disclaimer:
The information contained in this advisory is copyright (c) 2002=20
Foundstone, Inc. and is believed to be accurate at the time of=20
publishing, but no representation of any warranty is given,=20
express, or implied as to its accuracy or completeness. In no=20
event shall the author or Foundstone be liable for any direct,=20
indirect, incidental, special, exemplary or consequential=20
damages resulting from the use or misuse of this information. =20
This advisory may be redistributed, provided that no fee is=20
assigned and that the advisory is not modified in any way.
=09
=09
-----Original Message-----
From: Adam Pavelec [mailto:apavelec@benefit-services.com]
Sent: Friday, September 06, 2002 11:18 AM
To: gnupg-users@gnupg.org
Subject: PGP Corporate Desktop Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----=20
Hash: SHA1=20
Hello everyone,=20
Foundstone Labs has discovered a flaw in PGP Corporate Desktop,=20
version 7.1.1. You can read the details of this vulnerability=20
at:=20
http://www.foundstone.com/knowledge/randd-advisories-display.htm
<http://www.foundstone.com/knowledge/randd-advisories-display.htm> =20
l?id=3D334=20
- --Adam=20
-----BEGIN PGP SIGNATURE-----=20
iEYEARECAAYFAj148PEACgkQDwRQnkBSh2s7yQCeI/rqqYbsJ8qi+94eXmyFLQPv=20
PM0AoOCVUbmj3VPdBw/lsh1BBYAcE3UL=20
=3DTBvX=20
-----END PGP SIGNATURE-----=20
_______________________________________________=20
Gnupg-users mailing list=20
Gnupg-users@gnupg.org=20
http://listsgnupg.org/mailman/listinfo/gnupg-users
<http://lists.gnupg.org/mailman/listinfo/gnupg-users> =20
------=_NextPart_000_0016_01C2559C.62737C70
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
eJ8+IgcSAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAGAAAAElQTS5NaWNy
b3NvZnQgTWFpbC5Ob3RlADEIAQ2ABAACAAAAAgACAAEGgAMADgAAANIHCQAGAAsAOAAAAAUAMAEB
A5AGAPAWAAArAAAACwACAAEAAAALACMAAAAAAAMAJgAAAAAACwApAAAAAAADAC4AAAAAAAMANgAA
AAAAHgBwAAEAAAAkAAAAUEdQIENvcnBvcmF0ZSBEZXNrdG9wIFZ1bG5lcmFiaWxpdHkAAgFxAAEA
AAAWAAAAAcJV1w2l1zWfRlEdTzC5P2DybRj5ZAAAAgEdDAEAAAAYAAAAU01UUDpTSEFOQFNZU1RS
RU5EUy5DT00ACwABDgAAAABAAAYOACBdCtdVwgECAQoOAQAAABgAAAAAAAAAVol8DYk/rU+bPxoA
InzzwMKIAAADABQOAQAAAAsAHw4BAAAAAgEJEAEAAABJEgAARRIAACk2AABMWkZ1BTkQXAMACgBy
Y3BnMTI1gjIDQ2h0bWwxAzA/AQMB9wqAAqQD4wIAY2jBCsBzZXQwIAcTAoD/EAMAUARWCFUHshHV
DlEDAd0Q1zIGAAbDEdUzBEYQ2VkS72Y0A8YRijUDxlR8YWgDcQKAEeMI7wn3O/sbfw4wNRyfHacd
sQm0H4J3HXYR4QxgYwBQCwkBZDMmNhFgC6U0IBACKlwLDrIBkGcjADMgPCEARE9DVFlQRSAASFRN
TCBQVUIATElDICItLy+IVzNDJcBEVEQk1CQ0LhFgVHIAcnRphwIgB0AlwEVOIj4R488jdyQgCqMo
LDE5JDAk4kcoHiMQKoBFQUQoHTEENzckMFRJVExFRygdIwAO8FBHUBcRcoJwBbBhdGUgRAeQAGt0
b3AgVnVsXm4EkAGgAxAnUHkpfTj6NSQwLy2PKiIpHzOPKeYCNg7wPE1FVEEgxwWgAjAJ8HQ9IgXg
JOMANS41MC40OTEAMy4xMTAwIiATJ5AHgD1HJ+BFUkH4VE9SKB0u0TJQLA8j4Q81HyPROBAkMEJP
RFlHKB0igTx/Zzk2JDBE3ElWKBAjgwAhIAAAQPVzEWAjWTY0QN9B4iM7OOEr0VNQQU424AtgBBBo
PTA3K8AzHcAyEC3KMCJwOQHQMDJAz0P/CQ4QNDgkMEZPTlR8IGYA0DkgBxM24RsRPa4jOLA4sAEg
IACQejkg90ccGDADMGMT8AOyAdADMH1Bl0YDYSMsTME/MydBZeo6KYw1QGEvSaJHKUc3/0QtRtAy
QUVSUZ9B3gHARzfvCqJSSAqAKYwwK9EmIECr/1JPPp8/r0C/Wn9bj1yYNsBHJVAkwEoQbGxTCrBj
DQuAZ0XwYXNQYWRkY2IEA/BkdGg3YDihJR840AbgCyAEkGIxc3Vt+QDAcnk3YADAC4AoAV2J/wsI
IpheL18/I2oRYGqAYA//LXA932jvaf9CSS1hOcFdj39EHk9WRE5zoil9SWImQXZiQTDwZ249MCJj
RTf9Y9NnCFBKwwEgd1JwDHWA/mh1cQ6wKQFw33Hvcv5qkR9Zn0HxcCZXX2BvIGhl/3jSY5Zhig4w
Yl9jb2IxCqPnfBRkq2QBZHllf2aPeT//bL9tznwlfx9r34nPit9ur/9vv4iPek97X5AfdK91spG/
H5LPRQ4CYADQMBBleHS/mA99i30fnW99/1gNMklx/FBSLcGGnwtkEkFNXJvfx6SfTdUIYG5kczAg
MJDMIEwBoBixZHYEAAWwUHkgLSBGwDA4EDLALVBDUk9cMPAwkNcKgam0qEdOOQE6DIIH8JZlBGAv
sGyosEV4C1CWbydQAaBsL8BCdQEg6RMxT3YEkGYbEAfgh8H/LwGppauhrNBFwC/BL6GrVBcGYAUw
q8BiEzE1LCD3RuKuZhFwcAtQDeAvoCdx96tULw8wEzc4gDiAsReV0E5QC2AAMAWwbXOrVFcdC4Bk
rdAEIEbhMC9Y/65XlbIGYK2BMQGrWjbhAQBWIJuABZB1J2IgAHBkniALU5tyuiBFwXBoJxD/rzGC
wATwGxBkoBuAtvowUF8J8LYwESCyX7mjKA6wdFRwOiXAd79ALg4AcNIuBaBtKbwrQbmQGkDtvUZU
AiCosEIRQCdgAwCzvrCnoXkusGDCE0ACENOnZr+6Q1YkwEO58YNA9a93Q0VwLUbiRpAyIAFA/7R4
q7CtMQnwShCrVL7Zw1y+L4KgqGMIkBDAqbQtyw/3zB/NL84/LamsrXKoYAfQ+6tQqbtJA6ADgaiw
GxCx9P0EIHeAgBuAsqMRAKdwrND9BCBmAxAHkLCwg2AvwKzQ82IQg2Agb0FQ1GLT8jjyu63wyoZu
q+C6IANgcASQ16wREPAFkGsJgC4RcAQg/GEgG4BkoCPAsLCyvzAT/wPwYaA24Lsx1PAGkLngqaX+
dREwBcAvoLAxBTAEIDAg/7lAx8Bk8AUxBbEFgdzT2DD/0/KDIdTh2DAbEGIQ1XfX4f/YQavSqaXb
4ZtBEzEAwNdR/xuAL6IDkdylCYC7cNJAZLB/NzHUQi+g0sIDoN1V4nFi76iw2DDbkqmlcqdgAwDe
0evY0bCwdwhgbLoQB0Ctwv+1Ud+1NuFkwadx3GKwYLlFf+JxucHUYamlRaAIkAIwXCxcJwQgv8Fw
6PFyLv+prC/gAZDUAboQL+EFA7Ij/6m80dGx0Sdw25Db0uDEBaC/5nLhZtV4NvILcWIBOgMwu6m0
mW4mI8ACgKYHPFUY7ypQXQDkgC+wc/Jv1NDzmY4+mM8jpivRRUlQKB3/8z/0SSpg9T/2T/df+Gui
AO87MGEzgqHYUXP5b/p/VSfeMvwf/S/+PKmsVNRx4Jf/5lTUYeHn1TfkweXC1GLq8PsbULHgINew
qLDVFPH1rKD8cmcRQOTD1+DRtrHwETD/1DELCNgQ1RA3IfEmZAAnIP8wkQ7i6Wm5kTDwS6C6ENjS
9+oUS3APAXeUIOGyuhCskP/qc0XB0kBKYOJirYEKcMGw/9fgB9AYkNHQrxDSoScg4C7/77QvcNpR
2DDY0gty26Gtgf/cYtPwp3DmMd5U4XGogCeQv6zCrNCtgEqA1RDgJmO5gPknEGN5sLDekQyS0iCo
cLvdAUFQdjB1rNHqFHPrTe8H0uIIlCDXcGmtgO+lCQO/6IGvMBJB3HHUYgyJOxcRfzciSmGsEPH1
qGAXcBdwTT+x4NbwEnKtYLmQu8Bva/3vFGji4hTSuTGF0RdRJVf/76XjUCAB2xbVh2Sg13AToWlN
IFwi5xF57uDnUHn/08DBsKwQv3Ipkd0SKZE28d/T8IQwIuMqtdfgV+OiEJn30qDu8NcQY8Ih3uDb
k91V99xRB+IfxSiAkNRhrVAjwy+5kLkR3Mfn8XXukCks+wwW1HFvrYbaM9JAG0Ha0v8J195CrgEv
iuNQ2BLesigd/+tN0bGogPECDeIvdOCq7pD7qIAz8GIPkwrDuujVFQyE39sp1+ARw9qS08FpZMDX
wPsUAqwRYQ8RGGHUcd1VubL/1RXuiNPy4Ca6AeiA5xEhsX9BIqvBqKHxODt+FREzInf/t/EiwetN
vPSrobsA0pGrQW+pu9M0PrGa8HUfggoBeP/nAzVB2BAcxhFRuBCwsKyQ/0WSJ8DsYayz2XDQxr7Z
8ODeacmjTnHnwsGwL7YxKoByb4KgL3W/gLswhDAv1ZQQdNdxc1CULb+BwQD7VvBKcC6a4Crgqbun
SeZU/xFg17AhVA2QJSDY0kqkgJD/75LXAr5k3kPpeOdRPwNAp7tLDutNU3bwuZPQzVfZkN/nUOfC
vQHdwLGxeQqGrYC/R5NQo+tOu5KjYPEActDN/wfSrgC1Ur5k8TXicTVjTFLnqFYVEe+wcHntAHjh
vrB8Yymww/Hmp0iwsNGwY//X4BMD2BDogOohrYAI4ehj/xsk4aIJtNJw8QHVEfH1CwPX2rCC0bCw
YrmQINag2EH/1uDTwOpBWBcNkhKxuzASQPVjk2cf8W6wsPH1m4BrMv/UMd0hPtCxwR+C3FOskNgR
/xs13RLqwqzQIsEBAQ0zauH/baZdwRJR41DaUS+DwOPdEv+nSeiBEWCss+cSDZLFIFxR/9ih8fW2
EXXlrgCB0Cvi7pD/sLAuEiwhsLC5UW7hhYFwdP1IMXFKACLj8ebFQIXQDLDX2BDYVOXCZtbwbdRT
25H/MbOocHyDWIVhSdfg8eYU899jJ+Ei6IHnULuBdO0AaqH/18AOIdbwqGCEMAji42Fq4f+tMEWD
4Caa8JeRH4K6AeND/y+DYznWoriwPxArwGJ0bDTnWbeMHGTwPC+acpu5nu//UdCUAqAfkNr5UQKn
lAKp8e+Jr6VPn+/4OTeIUozCjZP/i9ubz45Dq3KU2JErApeKv/2g6zP1EJIBoguJif8docFniIWa
74hwVEQBPZHTVDJSAT0xMAABnZBCT/xEWZ8voDMAcpmPmp+dP3/4dY5hlzGJcP8do6DAkn2/kr+T
z5gsm8Kk8NohZFTAwD0iMTUlIqJpqV+5BMluYrsAAokTcGHGoPus35ikNZkSpPKiiZTjr7f/lc+W
35fvnr+fz7b/oe+i//G3TURJVrovuz+l/4f0A5kRAIBPQ0tRVU92VACgddE9+KBHwHRQeYNM8Kug
TUFSR0nGACBSSUdIVPHQMHAeeKv6klbBkbSxXHFsv8SCKTG9r76/pr6/jzy8sWsR8YNhPSTFTQEB
ewFI/xmQ3VDdMcFl7pGDoMGAQvD+dKwLxJ/FALKfqE+PGhFgh5kAqe+b0UZPTlQKAPMm0MIQVGFR
sO6AxxR+oJMKcBGAPTKsC2Y1jnCsZnNkwM7pLdciT2Qh34ZQejHK5dcjmCwxwHK20X+M+Otlxa8E
5sCQrAuyikY1fAE6h38v3NqJiSBB/3rRF4AnwUzwC1D/GwAAxy/bBROnsVsmUmeQOlzw4cTOQOiA
HPArwHQtGBLusPs+oE6iXdjP2d/a79v/3Q/96bRTd7Hev9/P4NfecIGwb4bQZiDswB9hbXSwR8Aw
fjZmIOI/40/kVGTD5+A68jGb0EFN5x/oL+k/6k/761/3BFTlEO0f7i/g5oOgpVAhLS6ic0D84y5u
oP5n9G/1f/aP95/4r+xlCxD+ai4x+j/7T+DXEcLxH/IvXeRUQ26gIqBoM0Q+oGvxZ5BwIFZLSv4/
/08AX/8L7wz/Dg+wq9NCBZ+y/7QPn7UfvA8TX6OvGYA8IdcgeiAJwG4zMR9ye/R4sHT/UJBfsYZg
YWTXEaUfCD/IP/+MP41Pjl/RX9Jv03DUz9XRs9ZP1yBCRcJxBvNTwsAETkWrME1FU1NB/EdF2H8S
fwX/Dr8PzxDf3ySf02HUXyZ/L4VIPnHDAPBTSEExKh8rL+CqFW//FnUhLy9/kZodXx5vH38gj/8j
LyQ/JU8yXzNoZxBP0Hig/RsxeWXyNJ81rza/N8843/857zr/PA89Hz4vPz9AT0Ff70JvQ3/eFXQY
THUAb9By0H9v0ICh5tAbMYPCdUBfsHf/hkIHAgnIB09OL+RUCmVFz/9G3ywvLT8uT0svUw9UHyb+
xxsxY+Br0TcuMWaRrW/zrn+viiBZdBBwoHWQe0H/hMB8M4HATbALYG/QWZ9ar/vkVH1mdgr/XO9d
/18PYB//YS9iP2NPZF90eH5ABFxwD/9Hv0jPSd9K70v/TQ9sb08vf1A/UU9SX3Xvdv9+LwGoQTUx
VmhX0GaroGhgdHDQOi8vd4uQLhygVkZB5sIva25vd8IAZM3YUC8KEFZQZC1qcOZwanNZMGnmoC1X
YRxBed4uaGGr/OYA4eBko+JYMAXLwG7B0HtIWVBF5FJMwoBLIIsfjC+NPz2OTX2n0ZCR/XCbcFxj
+GYxXG5wzumRz5Lfk+/fjlt6byKKGP8EykG4jnm//3Eva49sn4Jvcu9z/4WPhp8Th6+nZWw/79A9
MzP+NJ9/oI96/3wPfR+nP38//4BPgV+kn4N/hI+n36jvqf//1sUn4eFiq++s/64Prx+wL/+xP7JP
pQoFQaX8wb+zT7Rf/7Vvtn+3j7ifua+6vyePKJfwQVRVUim/vW++f7+P/8Cfxe/Cv7L/x8/I38nv
yv8fzA8wrzG/zs8ZgGlFWQRFQdFQQ0FBWUYMQWrfUZEwQUNnawBRRHdSUW5rQgBTaDJzN3lRQ0Rl
SZnQcXFZVvBKADhxaSs5NGVYgG15RkxRUHbRz//S36Gfoq+jv6TPpd+m796vB82f4T/uolBNMEFv
AE9DVlVibWozQFZQZEJ3L2swaAAxQkJZQWNFM/xVTOaP55/or+w/7U/uXw/fD+Af8R/6Az1UQnb+
WPR/9Y/2n/ev+L/5z+9v5/xfzw/QAUVOKTDQr9G///+vAL/pr+q/E8jVL9Y/BB//2F/EXxC/Ec8U
LxU/Fk8XX/8Yb9kf2i/bP9xP3V8EbwV/+waPG9ZfJW8mfydKCc8K3/8L7wz/Dg/r3wKPA58h/yMP
AyQfMHJHbnVwZy1kdXNmESBtaxEvwGf7q1BuMHQoXylvKn8uDy8fnzAv+t/77zLvM/5AZzRS+i5Z
MGc1zzbfN+84/zoP/zsfMT89r4g/iU+KX5fhNYK0cy5AZy81AjUAbkzD+0XgmFAvQGM0lI8vkD+R
Tf9M303vTvmV35bvUoVTD1Qf/zSyQo+cv0oPnt9Bb0J/Q49/K/8Ofw+PEJ9cXxK/RxgwER/BL0JM
8sBLUVWYT1RFX69mX2c1R8GRaRBPRFnY7TI3XzFQSFRNTNjtM2H1fQFvgAAAAB4AQhABAAAAKgAA
ADwwMGI3MDFjMjU1ZDEkYjBkYTA4NDAkMjAyN2E4YzBAYXBhdmVsZWM+AAAAAwACWQAAFgADAAlZ
AgAAAAMAAHwFAAAACwAAgAggBgAAAAAAwAAAAAAAAEYAAAAAA4UAAAAAAAADAAKACCAGAAAAAADA
AAAAAAAARgAAAAAQhQAAAAAAAAMABYAIIAYAAAAAAMAAAAAAAABGAAAAAAGFAAAAAAAAAwAMgAgg
BgAAAAAAwAAAAAAAAEYAAAAAUoUAACdqAQAeAA2ACCAGAAAAAADAAAAAAAAARgAAAABUhQAAAQAA
AAQAAAA5LjAACwAOgAggBgAAAAAAwAAAAAAAAEYAAAAABoUAAAAAAAALABGACCAGAAAAAADAAAAA
AAAARgAAAAAOhQAAAAAAAAMAEoAIIAYAAAAAAMAAAAAAAABGAAAAABGFAAAAAAAAAwATgAggBgAA
AAAAwAAAAAAAAEYAAAAAGIUAAAAAAAAeAHSACCAGAAAAAADAAAAAAAAARgAAAAA2hQAAAQAAAAEA
AAAAAAAAHgB1gAggBgAAAAAAwAAAAAAAAEYAAAAAN4UAAAEAAAABAAAAAAAAAB4AdoAIIAYAAAAA
AMAAAAAAAABGAAAAADiFAAABAAAAAQAAAAAAAAAeAH6ACCAGAAAAAADAAAAAAAAARgAAAACDhQAA
AQAAABMAAAAwNzM0MzU1MTgtMDYwOTIwMDIAAAIB+A8BAAAAEAAAAFaJfA2JP61Pmz8aACJ888AC
AfoPAQAAABAAAABWiXwNiT+tT5s/GgAifPPAAgH7DwEAAABTAAAAAAAAADihuxAF5RAaobsIACsq
VsIAAG1zcHN0LmRsbAAAAAAATklUQfm/uAEAqgA32W4AAABDOlxVc2VyXE91dGxvb2tcU2hhbklu
Ym94LnBzdAAAAwD+DwUAAAADAA00/TcAAAIBfwABAAAAMQAAADAwMDAwMDAwNTY4OTdDMEQ4OTNG
QUQ0RjlCM0YxQTAwMjI3Q0YzQzAwNDNGODYwMAAAAAADAAYQC1baKQMABxAzDAAAAwAQEAAAAAAD
ABEQAQAAAB4ACBABAAAAZQAAAEZST01TSVRFOkZPVU5EU1RPTkVMQUJTQURWSVNPUlktMDkwNTAy
LVBDUk9BRFZJU09SWU5BTUU6UkVNT1RFTFlFWFBMT0lUQUJMRUJVRkZFUk9WRVJGTE9XSU5QR1BS
RUxFQVMAAAAAoCo=
------=_NextPart_000_0016_01C2559C.62737C70--