Re: Advisory: PGP 7.0 signature verification vulnerability

[Adam Shostack <adam () HOMEPORT ORG>]

Does this work if I put up a fake key on my website?  If I put a fake
key into the keyservers?  How is that different from importing a
signed, exported key from disk?

Adam


On Mon, Jan 08, 2001 at 03:58:58PM +0100, Michael Kjorling wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Product: Pretty Good Privacy
| Severity: Medium to high
| Impact: Users with write access to signed exported key blocks may
| replace them with arbitrary keys without any warning being issued
| upon import of those keys
| Local: Yes
| Remote: No (though man-in-the-middle attacks is a possibility)
| Vendor status: Network Associates was contacted December 20; see
| below
|
| Confirmed vulnerable: PGP for Desktop Security, version 7.0.0.0 build
| 242, on Windows 2000
| Suspected vulnerable: All versions of PGP 7.0
| Confirmed not vulnerable: none
|
|
| Disclaimer:
|
| This information is provided "as is", with no warranties of any kind,
| either expressed or implied. It was discovered through trial and
| error; the source code has not been examined as it has been out of my
| reach. I take no responsibility for how the information contained
| within this advisory is utilized.
|
|
| Description:
|
| There seems to be a vulnerability in the key import code in PGP 7.0
| on the Win32/Intel platform, causing a signature on a full exported
| and ASCII armored key block not to be checked when "Decrypt/Verify"
| is selected to import the key(s). This means that any signatures on
| the full exported key block is not checked, opening the possibility
| for anyone who have write access to the file to replace the keys
| without having to generate a new signature. Key signature
| verification, however, is not affected by this vulnerability.
|
|
| Exploit:
|
| Given the possibility to write to the PGP signed file containing the
| exported key(s), replace the keys without altering the signature. PGP
| will not warn the user upon import of the keys that the signature has
| become invalid. Man-in-the-middle attacks are also a possibility,
| given an eavesdropper listening on the communications channel and
| replacing the key material as it flows through the wires.
|
|
| Workaround:
|
| There is no known workaround, besides always verifying fingerprints
| with the owner of the key as well as not trusting keys that have no
| or just a few signatures.
|
|
| Vendor status:
|
| Network Associates was contacted by email to <pgpsupport () nai com> as
| per instructions from their support department on December 20th,
| 2000, and they were advised that an advisory would be posted to
| Bugtraq on Jan 8. The email was encrypted with their "Software
| Release Key" which was the key I was pointed to when asking to whom I
| should encrypt the email, but I still have not heard back from them.
|
|
|
| Michael Kjörling
| michael () kjorling com
|
| -----BEGIN PGP SIGNATURE-----
| Version: PGP 7.0
| Comment: All computers wait at the same speed.
|
| iQA/AwUBOlnVfSqje/2KcOM+EQLUgACePUxBaAKla2jBZzdquOeba3nESYYAoNdt
| 0vzBXN6YIZ1V50EboF4maM3/
| =hJXy
| -----END PGP SIGNATURE-----

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume