From labs@foundstone.com Mon Sep 9 00:35:55 2002 From: Foundstone Labs To: vulnwatch@vulnwatch.org, da@securityfocus.com Date: Thu, 5 Sep 2002 12:05:36 -0700 Subject: [VulnWatch] Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP Foundstone Labs Advisory - 090502-PCRO Advisory Name: Remotely Exploitable Buffer Overflow in PGP Release Date: September 5, 2002 Application: PGP Corporate Desktop 7.1.1 Platforms: Windows 2000/XP Severity: Remote code execution and plaintext passphrase disclosure Vendors: PGP Corporation (http://www.pgp.com) Authors: Tony Bettini (tony.bettini@foundstone.com) CVE Candidate: CAN-2002-0850 Reference: http://www.foundstone.com/advisories Overview: In many locations where PGP handles files, the length of the filename is not properly checked. As a result, PGP Corporate Desktop will crash if a user attempts to encrypt or decrypt a file with a long filename. A remote attacker may create an encrypted document, that when decrypted by a user running PGP, would allow for remote commands to be executed on the client's computer. Detailed Description: A malicious attacker could create a filename containing: <196 bytes><9 bytes><29 bytes> The attacker would then encrypt the file using the public key of the target user. In many cases, public keys often contain banners of the utilized PGP client software and it's associated version. This means an attacker could poll a PGP key server to find, with a reasonable level of accuracy, a large list of vulnerable clients. The encrypted archive could then be sent to the target user; potentially via a Microsoft Outlook attachment. The email attachment could have a filename such as "foryoureyesonly.pgp" or "confidential.pgp". When the unsuspecting user decrypts the archive (either via autodecrypt or manual), the overflow will occur if the file within the archive has a long filename. In some cases the attacker may also obtain the passphrase of the target user. PGP crashes immediately after the decryption of the malicious file and before the memory containing the passphrase is overwritten. Vendor Response: PGP has issued a fix for this vulnerability, it is available at: http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.as p Foundstone would like to thank PGP for their cooperation with the remediation of this vulnerability. Solution: We recommend applying the vendor patch. Disclaimer: The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing, but no representation of any warranty is given, express, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.