PGP spoof decrypted output?

From: McAllister, Andrew (McAllisterAat_private)
Date: Thu Jun 06 2002 - 14:08:48 PDT

Next message: Matt Power: "Re: Hesiod security"

Previous message: KF: "Re: Hesiod security"
Next in thread: Olaf Kirch: "Re: PGP spoof decrypted output?"
Reply: Olaf Kirch: "Re: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Reply: Benjamin Elijah Griffin: "Re: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OK maybe this is well known and I just didn't look hard enough...
It looks like it is possible to replace the contents of a signed and encrypted PGP file simply by concatenating your malicious content to the end of a valid PGP encrypted file...

Here's the situation:
I have an encrypted and signed PGP file meant for me (FILE.pgp).
I was messing around and accidentally did an ls -l >> FILE.pgp.
I tried to decrypt the file with a command line... pgp FILE.pgp
PGP prompted me to overwrite FILE. I said yes.
The output file was my ls -l command.

Big deal? Indeed you DO have to answer yes to the prompt, but depending on the file name it wouldn't be that unusual for a user to do so automatically. Plus I've got numerous scripts that automatically decrypt files using a pgp +force command. I use +force because sometimes, the decrypted file from yesterday is still there and if you don't the PGP command hangs.

So to replace the contents of what I think is a good PGP file with malicious data, all an evil person has to do is concatenate on the end of the file? That doesn't seem right does it? Shouldn't PGP at least warn me that the sig/encryption doesn't cover the whole file? Or shouldn't it at least discard the extra text?

I'm using the PGP 6.5.8 command line source from MIT compiled on Solaris x86, and duplicated the same results with the windows command line and gui tools (binary download from MIT).

Output of my session is below...

Andrew McAllister
University of Missouri

$ ls -l >> FILE.pgp
$ cat FILE.pgp
≒GPblahblah binary garbagetotal 2
-rw-r--r-- 1 user1 users 722 Jun 6 15:15 FILE.pgp
$ pgp FILE.pgp
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.

Export of this software may be restricted by the U.S. government.

File is encrypted. Secret key is required to read it.

Key for user ID: University of Missouri <pgpat_private>
1024-bit DSS key, Key ID 0x735B439B, created 2000/05/15
Key can sign. Users cannot encrypt to this key.
You need a pass phrase to unlock your secret key.

Enter pass phrase:

Plaintext filename: FILE

Output file 'FILE' already exists. Overwrite (y/N)? y

Plaintext filename: FILE
$ cat FILE
total 2
-rw-r--r-- 1 xfer xfer 722 Jun 6 15:15 FILE.pgp
$

Next message: Matt Power: "Re: Hesiod security"
Previous message: KF: "Re: Hesiod security"
Next in thread: Olaf Kirch: "Re: PGP spoof decrypted output?"
Reply: Olaf Kirch: "Re: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Reply: Benjamin Elijah Griffin: "Re: PGP spoof decrypted output?"
Reply: McAllister, Andrew: "RE: PGP spoof decrypted output?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:30:34 PDT