[ISN] EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability

From: InfoSec News (isnat_private)
Date: Thu Jul 11 2002 - 04:09:34 PDT


    Forwarded from: "Marc Maiffret" <marcat_private>
    
    Remote PGP Outlook Encryption Plug-in Vulnerability
    
    Release Date:
    July 10, 2002
    
    Severity:
    High (Remote Code Execution)
    
    Systems Affected:
    NAI PGP Desktop Security 7.0.4
    NAI PGP Personal Security 7.0.3
    NAI PGP Freeware 7.0.3
    
    Description:
    
    The beer is still cold, the days are still long, the exploits still
    start as jokes (this time over a beer with a three letter agency) and
    the advisories... we'll just say, "All of your SCADA are belong to us."
    
    A vulnerability in the NAI PGP Outlook plug-in can be exploited to
    remotely execute code on any system that uses the NAI PGP Outlook
    plug-ins. By sending a carefully crafted email the message decoding
    functionality can be manipulated to overwrite various heap structures
    pertinent to the PGP plug-in.
    
    This vulnerability can be exploited by a user simply selecting a
    'malicious' email; opening attachments is not required. When the
    attack is performed against a target system, malicious code will be
    executed within the context of the user receiving the email. This
    can lead to the compromise of the target's machine, as well as their
    PGP encrypted communications. It should also be noted that because of
    the nature of the SMTP protocol this vulnerability can be exploited
    anonymously.
    
    Technical Description:
    
    Exploitation:
    
    By creating a malformed email we can overwrite a section of heap
    memory that contains various data. By overwriting this section of heap
    with valid addresses of an unused section in the PEB, which is the
    same across all NT systems, we can walk the email parsing and
    eventually get to something easily exploitable:
    
    CALL DWORD PTR [ecx]
    
    This pointer references a function pointer list. At the time of
    exploitation, an attacker controlled buffer address is the first
    item on the stack. By overwriting the function pointer list pointer
    address with the address of an Import table, we can call any imported
    function. Our current stack will be passed into the function, as is,
    for parameter use. The first item on our stack is an address that
    points to attacker-controlled data.
    
    By overwriting the address with the address of the
    SetUnhandledExceptionFilter() IAT entry, execution will redirect into
    this address when the default exception handler is called.
    
    After returning from SetUnhandledExceptionFilter() PGP Outlook will
    fail as it crawls back down the call stack; after cycling through the
    exception list it will call the DefaultExceptionFilter, which now
    contains the address of our code. This of course can also be exploited
    silently using frame reconstruction.
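The call chain described in the preceding paragraphs, modelled in portable C as an added example (this is not eEye's exploit and not PGP code; the struct layout, the names legit_list, fake_iat, fake_SetUnhandledExceptionFilter, attacker_buffer and run_chain are all assumptions, and nothing here executes data). A heap structure's list pointer is overwritten with the address of an "import table", so the indirect call at the dispatch site lands on the SetUnhandledExceptionFilter import with the attacker buffer's address as its first argument, and the next unhandled fault hands control to that buffer. The guarded variant shows the minimal check that breaks the chain.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*fnptr_t)(void *);

/* Process-wide top-level exception filter slot, standing in for the value
 * SetUnhandledExceptionFilter() installs. NULL means default handling. */
static void *g_unhandled_filter = NULL;

/* Stand-in for the imported SetUnhandledExceptionFilter(): whatever the
 * caller's first argument is becomes the new filter address. (Assumed name.) */
static void fake_SetUnhandledExceptionFilter(void *new_filter) {
    g_unhandled_filter = new_filter;
}

/* Harmless routine standing in for one of the plug-in's real decode steps. */
static void decode_step(void *arg) { (void)arg; }

/* The function-pointer list the plug-in is supposed to dispatch through. */
static fnptr_t legit_list[] = { decode_step };

/* Stand-in for the module's Import Address Table; entry 0 is the
 * SetUnhandledExceptionFilter import the corrupted pointer is aimed at. */
static fnptr_t fake_iat[] = { fake_SetUnhandledExceptionFilter };

/* Heap structure (assumed layout): scratch data the malformed message
 * overflows, followed by the pointer that ends up in ecx at
 * "CALL DWORD PTR [ecx]". */
struct plugin_ctx {
    char     scratch[32];
    fnptr_t *fnlist;
};

/* Constructed attacker data: its address is the first item on the stack at
 * the dispatch site. It stands in for shellcode; it is never executed here. */
static char attacker_buffer[64] = "ATTACKER-CONTROLLED-DATA";

/* The vulnerable dispatch site: CALL DWORD PTR [ecx] with one stack argument. */
static void dispatch(struct plugin_ctx *ctx, void *first_stack_item) {
    ctx->fnlist[0](first_stack_item);
}

/* When the plug-in later faults, the default exception filter is invoked,
 * so the returned address is where execution would resume. */
static void *unhandled_exception(void) {
    return g_unhandled_filter;
}

/* Run the chain. corrupted=1 models the malformed message overwriting
 * ctx->fnlist with the IAT address; guarded=1 models a dispatch site that
 * refuses any list pointer but the expected one. Returns the address the
 * exception filter would transfer control to, or NULL if nothing was hijacked. */
void *run_chain(int corrupted, int guarded) {
    struct plugin_ctx ctx;
    fnptr_t *list = corrupted ? fake_iat : legit_list;

    g_unhandled_filter = NULL;
    memset(&ctx, 'A', sizeof ctx);            /* message body fills scratch */
    /* The overflowing message reaches the list pointer field. */
    memcpy((unsigned char *)&ctx + offsetof(struct plugin_ctx, fnlist),
           &list, sizeof list);

    if (guarded && ctx.fnlist != legit_list)
        return NULL;                          /* corrupted pointer: refuse */

    dispatch(&ctx, attacker_buffer);          /* IAT[0](attacker_buffer) */
    return unhandled_exception();
}

int main(void) {
    void *hijacked = run_chain(1, 0);
    printf("unguarded, malformed message: filter -> %p (attacker buffer at %p)\n",
           hijacked, (void *)attacker_buffer);
    printf("guarded,   malformed message: filter -> %p\n", run_chain(1, 1));
    printf("unguarded, well-formed message: filter -> %p\n", run_chain(0, 0));
    return hijacked == (void *)attacker_buffer ? 0 : 1;
}
```

The point of the model is the argument passing: the dispatch site never intended to call SetUnhandledExceptionFilter, but because the stack is handed over untouched, the attacker's buffer address becomes the filter, and the crash the advisory describes is what triggers the jump.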
    
    Due to the large size of an example vulnerable email we are not
    including it in our advisory. We will be updating the research section
    of our website with a link to an example email. http://www.eEye.com
    
    Where do you want your secret key to go today?
    
    Vendor Status: NAI has worked quickly to safeguard customers against
    this vulnerability. They have released a patch, for the latest
    versions of the PGP Outlook plug-in, to protect systems from this
    flaw. You may download the patch from:
    http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
    Note: This issue does not affect PGP Corporate Desktop users.
    
    Discovery: Marc Maiffret
    Exploitation: Riley Hassell
    
    Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
    Zimmerman, the godfather of personal privacy, much respect.
    
    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please e-mail
    alertat_private for permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 06:43:42 PDT