Information Security News mailing list archives

EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Jul 2002 06:09:34 -0500 (CDT)

Forwarded from: "Marc Maiffret" <marc () eeye com>

Remote PGP Outlook Encryption Plug-in Vulnerability

Release Date:
July 10, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
NAI PGP Desktop Security 7.0.4
NAI PGP Personal Security 7.0.3
NAI PGP Freeware 7.0.3

Description:

The beer is still cold, the days are still long, the exploits still
start as jokes (this time over a beer with a three letter agency) and
the advisories... we'll just say, "All of your SCADA are belong to us."

A vulnerability in the NAI PGP Outlook plug-in can be exploited to
remotely execute code on any system that uses the NAI PGP Outlook
plug-in. By sending a carefully crafted email, the message decoding
functionality can be manipulated to overwrite various heap structures
pertinent to the PGP plug-in.

This vulnerability can be exploited by a user simply selecting a
'malicious' email; the opening of attachments is not required. When
the attack is performed against a target system, malicious code will
be executed within the context of the user receiving the email. This
can lead to the compromise of the target's machine, as well as their
PGP encrypted communications. It should also be noted that because of
the nature of the SMTP protocol this vulnerability can be exploited
anonymously.

Technical Description:

Exploitation:

By creating a malformed email we can overwrite a section of heap
memory that contains various data. By overwriting this section of heap
with valid addresses of an unused section in the PEB, which is the
same across all NT systems, we can walk the email parsing and
eventually get to something easily exploitable:

CALL DWORD PTR [ecx]

This pointer references a function pointer list. At the time of
exploitation, an attacker controlled buffer address is the first item
on the stack. By overwriting the function pointer list pointer address
with the address of an Import table, we can call any imported
function. Our current stack will be passed into the function for
parameter use, as is. The first item on our stack is an address that
points to attacker-controlled data.

By overwriting the address with the address of the
SetUnhandledExceptionFilter() IAT entry, execution will redirect into
this address when the default exception handler is called.

After returning from SetUnhandledExceptionFilter(), PGP Outlook will
fail as it crawls back down the call stack; after cycling through the
exception list it will call the DefaultExceptionFilter, which now
contains the address of our code. This of course can also be exploited
silently using frame reconstruction.

Due to the large size of an example vulnerable email we are not
including it in our advisory. We will be updating the research section
of our website with a link to an example email. http://www.eEye.com

Where do you want your secret key to go today?

Vendor Status: NAI has worked quickly to safeguard customers against
this vulnerability. They have released a patch for the latest
versions of the PGP Outlook plug-in to protect systems from this
flaw. You may download the patch from:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Note: This issue does not affect PGP Corporate Desktop users.

Discovery: Marc Maiffret
Exploitation: Riley Hassell

Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
Zimmermann, the godfather of personal privacy, much respect.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert () eEye com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info () eEye com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.