Vulnerability Development mailing list archives

PGP spoof decrypted output?

From: "McAllister, Andrew" <McAllisterA () umsystem edu>
Date: Thu, 6 Jun 2002 16:08:48 -0500

OK maybe this is well known and I just didn't look hard enough...
It looks like it is possible to replace the contents of a signed and encrypted PGP file simply by concatenating your
malicious content to the end of a valid PGP encrypted file...

Here's the situation:
I have an encrypted and signed PGP file meant for me (FILE.pgp).
I was messing around and accidentally did an ls -l >> FILE.pgp.
I tried to decrypt the file with a command line... pgp FILE.pgp
PGP prompted me to overwrite FILE. I said yes.
The output file was my ls -l command.

Big deal? Indeed you DO have to answer yes to the prompt, but depending on the file name it wouldn't be that unusual
for a user to do so automatically. Plus I've got numerous scripts that automatically decrypt files using a pgp +force
command. I use +force because sometimes, the decrypted file from yesterday is still there and if you don't the PGP
command hangs.

So to replace the contents of what I think is a good PGP file with malicious data, all an evil person has to do is
concatenate on the end of the file? That doesn't seem right does it? Shouldn't PGP at least warn me that the
sig/encryption doesn't cover the whole file? Or shouldn't it at least discard the extra text?

I'm using the PGP 6.5.8 command line source from MIT compiled on Solaris x86, and duplicated the same results with the
windows command line and gui tools (binary download from MIT).

Output of my session is below...

Andrew McAllister
University of Missouri

$ ls -l >> FILE.pgp
$ cat FILE.pgp
¨PGPblahblah binary garbagetotal 2
-rw-r--r-- 1 user1 users 722 Jun 6 15:15 FILE.pgp
$ pgp FILE.pgp
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.

Export of this software may be restricted by the U.S. government.

File is encrypted. Secret key is required to read it.

Key for user ID: University of Missouri <pgp () umsystem edu>
1024-bit DSS key, Key ID 0x735B439B, created 2000/05/15
Key can sign. Users cannot encrypt to this key.
You need a pass phrase to unlock your secret key.

Enter pass phrase:

Plaintext filename: FILE

Output file 'FILE' already exists. Overwrite (y/N)? y

Plaintext filename: FILE
$ cat FILE
total 2
-rw-r--r-- 1 xfer xfer 722 Jun 6 15:15 FILE.pgp
$

Current thread:

PGP spoof decrypted output? McAllister, Andrew (Jun 06)
- Re: PGP spoof decrypted output? Olaf Kirch (Jun 07)
  - Re: PGP spoof decrypted output? Brian Hatch (Jun 07)
  - Re: PGP spoof decrypted output? Rich Henning (Jun 07)
    - Re: PGP spoof decrypted output? Olaf Kirch (Jun 10)
    - Re: PGP spoof decrypted output? Rich Henning (Jun 10)
  - Re: PGP spoof decrypted output? Roger Burton West (Jun 08)
- <Possible follow-ups>
- RE: PGP spoof decrypted output? McAllister, Andrew (Jun 07)
  - Re: PGP spoof decrypted output? Rich Henning (Jun 07)
  - RE: PGP spoof decrypted output? Tony (Jun 07)
- RE: PGP spoof decrypted output? McAllister, Andrew (Jun 07)

(Thread continues...)