Possible bug in gpg?

Ben McGinnes ben at adversary.org
Sun Jul 29 03:54:21 CEST 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 29/07/12 4:18 AM, Brad Tilley wrote:
> Hi,
> 
> I have a symmetrically encrypted pgp file here:
> 
> http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp
> 
> gpg will accept the three characters !=X as the password and exit
> with a return status of 0 (although it does not actually decrypt
> the file):
> 
> $ gpg -d pgp-easy.tgz.pgp gpg: CAST5 encrypted data gpg: encrypted
> with 1 passphrase gpg: WARNING: message was not integrity
> protected

Yep, I got essentially the same thing:

bash-3.2$ gpg -vvv pgp-easy.tgz.pgp
gpg: using character set `utf-8'
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
	salt 8dd17929c3935452, count 65536 (96)
gpg: CAST5 encrypted data
:encrypted data packet:
	length: unknown
gpg: encrypted with 1 passphrase
gpg: decryption okay
gpg: WARNING: message was not integrity protected
bash-3.2$ pgpdump pgp-easy.tgz.pgp
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
	New version(4)
	Sym alg - CAST5(sym 3)
	Iterated and salted string-to-key(s2k 3):
		Hash alg - SHA1(hash 2)
		Salt - 8d d1 79 29 c3 93 54 52
		Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(512 bytes) partial start
	Encrypted data [sym alg is specified in sym-key encrypted session key]
New: 	(13 bytes) partial end
bash-3.2$

> !=X is not the plaintext password that was used to encrypt the 
> file. I was hoping someone on the list might be able to help me 
> understand why this might happen. Could it be a bug in gpg, or 
> OpenPGP itself? Here is my gpg version:

I symmetrically encrypted another file with CAST5 (same version of GPG
as you) and tried the same trick.  The !=X string did not produce the
the same message.  Instead I received the expected "decryption failed:
bad key" message.

> I don't yet know the actual plaintext password or the exact 
> commands/program used to encrypt the file, but I should know in a 
> few days. This is a file that's apart of the defcon password 
> cracking contest and I came across this and wanted to mention it 
> here.

Ah.  I suspect that it will either be something weird to do with
whatever software was used to encrypt the file or someone has found a
way to be sneaky with it.  Either way, when all is revealed please
post a follow-up.

> I'm not subscribed to this list, so please cc me if you want to 
> reach me.

Sure.  There has only been one other response which it does not appear
was CC'd to you, but it didn't shed any light either.

Maybe someone else here will have some insight.


Regards,
Ben

-----BEGIN PGP SIGNATURE-----

iQGcBAEBCgAGBQJQFJfMAAoJEH/y03E1x1U8LjMMALwYzbh4l+8iXMeb34twWMpL
jOp/XOYwn47ybTaa/vx7F+f0fX/JJAP3pUXoRF5RwSKDv3tMie1qGL4Dfi8QCx8G
eY8q2ahz+hDnzoa95tLx3cMnFaz/D4uGpFXvolyS1Ml0V1my+OXLcf9kta9w4qjD
h+GXrF4atgeEykDQIDJAcqAYcAg/Pmae7AHSM7O8a1HWgwr1tChj1huaOJfRVszI
1tDp30S1M+ub+YPCXiU1o0LVCbioIPkvmSGFgqBI36+VTglfHvZv+sI7uSO+gszz
tjm27p8d5ZICujD8h57x2veLnrMbHsgv109cw6q3y6bQYU/bjaXp45Ba2INKLwKW
9+2DTpZuX4Q+eQ15o3YbWFjgcLTv378nO/JfQGLLNYx7JoJ3wz7vIGofUHEt5ek7
aWMXnkGrOXJUYJMTlS4PpsFx3fI7tqNQ9d4Df8MEIjiHp0ha2WaBOy/0AKtxBVFH
14QSgvgG9jWKprfFcHz8nIv/kk48M3XVscyz6TFAtA==
=XfJ8
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list