Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

File-name flaw threatens PGP users

From: InfoSec News <isn () c4i org>
Date: Fri, 6 Sep 2002 01:29:30 -0500 (CDT)
http://news.com.com/2100-1001-956815.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
September 5, 2002, 5:07 PM PT

For more than a decade, the United States government classified
encryption technology as a weapon. Now that label might actually
apply.

Security-consulting firm Foundstone said Thursday that e-mail messages
encrypted with the Pretty Good Privacy program can be used as digital
bullets to attack and take control of a victim's computer.

Because of a flaw in the way PGP handles long file names in an
encrypted archive, an attacker could "take control of the recipient's
computer, elevating his or her privileges on the organization's
network," Foundstone said in an advisory.

The company classified the vulnerability as a high risk "due to the
trusting nature of encrypted attachments in e-mail, its relative ease
of exploitation and the large amount of corporations and military and
government agencies that rely on PGP encryption for secure
communication."

The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker
Network Associates has posted a patch on its site. The company
recently sold all PGP assets to a start-up, PGP Corp., but appears to
still be providing support for the program. Neither company could be
reached for comment.

The flaw occurs in the way PGP handles long file names in encrypted
archives, Network Associates said on its site. PGP runs into problems
when it tries to encrypt or decrypt files that have names longer than
200 characters. When PGP attempts to decrypt the files, a buffer
overflow causes it to crash.

The long file names aren't readily apparent to a recipient of such an
e-mail, said Foundstone CEO George Kurtz.

"It is just like a ZIP file," Kurtz said. "You can name a file with
eight characters, but archived in the file are several other (files)  
with long file names."

The danger, Kurtz said, is that the flaw could be used to attack users
who have the most to protect. "Most users of PGP have some level of
security sophistication. It makes it that much more of a high-level
attack," Kurtz said. An attacker could "obtain that very valuable
information that was meant to be protected by encryption."

The flaw is unrelated to another theoretical vulnerability discussed
by security experts last month. Exploiting that flaw, someone could
fool the sender of a PGP-encrypted e-mail into decoding their own
message. Unlike the current flaw, that vulnerability wouldn't give the
attacker control of a computer.

The current vulnerability resembles another flaw in the PGP plug-in
for Outlook, found in early July.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: