PGP spoof decrypted output?

From: McAllister, Andrew (McAllisterAat_private)
Date: Thu Jun 06 2002 - 14:08:48 PDT

  • Next message: Matt Power: "Re: Hesiod security"

    OK maybe this is well known and I just didn't look hard enough...
    It looks like it is possible to replace the contents of a signed and encrypted PGP file simply by concatenating your malicious content to the end of a valid PGP encrypted file...
    
    Here's the situation:
    I have an encrypted and signed PGP file meant for me (FILE.pgp).
    I was messing around and accidentally did an ls -l >> FILE.pgp.
    I tried to decrypt the file with a command line... pgp FILE.pgp
    PGP prompted me to overwrite FILE. I said yes.
    The output file was my ls -l command.
    
    Big deal? Indeed you DO have to answer yes to the prompt, but depending on the file name it wouldn't be that unusual for a user to do so automatically. Plus I've got numerous scripts that automatically decrypt files using a pgp +force command. I use +force because sometimes, the decrypted file from yesterday is still there and if you don't the PGP command hangs.
    
    So to replace the contents of what I think is a good PGP file with malicious data, all an evil person has to do is concatenate on the end of the file? That doesn't seem right does it? Shouldn't PGP at least warn me that the sig/encryption doesn't cover the whole file? Or shouldn't it at least discard the extra text?
    
    I'm using the PGP 6.5.8 command line source from MIT compiled on Solaris x86, and duplicated the same results with the windows command line and gui tools (binary download from MIT).
    
    Output of my session is below...
    
    Andrew McAllister
    University of Missouri
    
    
    $ ls -l >> FILE.pgp
    $ cat FILE.pgp
    šPGPblahblah binary garbagetotal 2
    -rw-r--r--   1 user1     users         722 Jun  6 15:15 FILE.pgp
    $ pgp FILE.pgp
    Pretty Good Privacy(tm) Version 6.5.8
    (c) 1999 Network Associates Inc.
    
    Export of this software may be restricted by the U.S. government.
    
    File is encrypted.  Secret key is required to read it.
    
    Key for user ID: University of Missouri <pgpat_private>
    1024-bit DSS key, Key ID 0x735B439B, created 2000/05/15
    Key can sign. Users cannot encrypt to this key. 
    You need a pass phrase to unlock your secret key.
    
    Enter pass phrase: 
    
    Plaintext filename: FILE
    
    Output file 'FILE' already exists.  Overwrite (y/N)? y
    
    Plaintext filename: FILE
    $ cat FILE
    total 2
    -rw-r--r--   1 xfer     xfer         722 Jun  6 15:15 FILE.pgp
    $ 
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:30:34 PDT