[MLB-WIRELESS] (HAD PGP CRASH IN OUTLOOK?? Read 'dis) - Fwd: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
Will Lanigan
chooken at m00t.cjb.net
Thu Jul 11 14:28:32 EST 2002
well nerrrrrr
I use Outlook Express and the thing never lets me down, it works like a charm
----- Original Message -----
From: "Ben Ryan" <ben at bssc.edu.au>
To: <melbwireless at wireless.org.au>
Sent: Thursday, July 11, 2002 2:09 PM
Subject: [MLB-WIRELESS] (HAD PGP CRASH IN OUTLOOK?? Read 'dis) - Fwd: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
>
> Achtung
>
> Another reason not to use Outlook...
> (this is in response to the earlier posts regarding Outlook crashing on some PGP
> signed mail)
>
> This is a forwarded message
> From: Marc Maiffret <marc at eeye.com>
> To: "BUGTRAQ" <BUGTRAQ at SECURITYFOCUS.COM>
> Date: Thursday, July 11, 2002, 9:04:11 AM
> Subject: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
>
> ===8<==============Original message text===============
> Remote PGP Outlook Encryption Plug-in Vulnerability
>
> Release Date:
> July 10, 2002
>
> Severity:
> High (Remote Code Execution)
>
> Systems Affected:
> NAI PGP Desktop Security 7.0.4
> NAI PGP Personal Security 7.0.3
> NAI PGP Freeware 7.0.3
>
> Description:
>
> The beer is still cold, the days are still long, the exploits still start as
> jokes (this time over a beer with a three letter agency) and the
> advisories... we'll just say, "All of your SCADA are belong to us."
>
> A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely
> execute code on any system that uses the NAI PGP Outlook plug-in. By
> sending a carefully crafted email the message decoding functionality can be
> manipulated to overwrite various heap structures pertinent to the PGP
> plug-in.
>
> This vulnerability can be exploited by a user simply selecting a "malicious"
> email; the opening of attachments is not required. When the attack is
> performed against a target system, malicious code will be executed within
> the context of the user receiving the email. This can lead to the compromise
> of the target's machine, as well as their PGP encrypted communications. It
> should also be noted that because of the nature of the SMTP protocol this
> vulnerability can be exploited anonymously.
>
> Technical Description:
>
> Exploitation:
>
> By creating a malformed email we can overwrite a section of heap memory that
> contains various data. By overwriting this section of heap with valid
> addresses of an unused section in the PEB, which is the same across all NT
> systems, we can walk the email parsing and eventually get to something
> easily exploitable:
>
> CALL DWORD PTR [ecx]
>
> This pointer references a function pointer list. At the time of
> exploitation, an attacker controlled buffer address is the first item on the
> stack. By overwriting the function pointer list pointer address with the
> address of an Import table, we can call any imported function. Our current
> stack will be passed into the function for parameter use, as is. The first
> item on our stack is an address that points to attacker-controlled data.
>
> By overwriting the address with the address of the
> SetUnhandledExceptionFilter() IAT entry, execution will redirect into this
> address when the default exception handler is called.
>
> After returning from SetUnhandledExceptionFilter() PGP Outlook will fail as
> it crawls back down the call stack; after cycling through the exception list
> it will call the DefaultExceptionFilter, which now contains the address of
> our code. This of course can also be exploited silently using frame
> reconstruction.
>
> Due to the large size of an example vulnerable email we are not including it
> in our advisory. We will be updating the research section of our website
> with a link to an example email. http://www.eEye.com
>
> Where do you want your secret key to go today?
>
> Vendor Status: NAI has worked quickly to safeguard customers against this
> vulnerability. They have released a patch, for the latest versions of the
> PGP Outlook plug-in, to protect systems from this flaw. You may download the
> patch from:
> http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
> Note: This issue does not affect PGP Corporate Desktop users.
>
> Discovery: Marc Maiffret
> Exploitation: Riley Hassell
>
> Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
> Zimmerman, the godfather of personal privacy, much respect.
>
> Copyright (c) 1998-2002 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express consent of
> eEye. If you wish to reprint the whole or any part of this alert in any
> other medium excluding electronic medium, please e-mail alert at eEye.com for
> permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There are
> NO warranties with regard to this information. In no event shall the author
> be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at the
> user's own risk.
>
> Feedback
> Please send suggestions, updates, and comments to:
>
> eEye Digital Security
> http://www.eEye.com
> info at eEye.com
>
> ===8<===========End of original message text===========
>
>
> To unsubscribe: send mail to majordomo at wireless.org.au
> with "unsubscribe melbwireless" in the body of the message
>
>
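The primitive the forwarded eEye advisory describes is a heap overwrite that replaces the pointer to a function-pointer list, so that a later indirect call ("CALL DWORD PTR [ecx]") fetches its target from a table the attacker chose, with the attacker's data already sitting on the stack as the first argument. The portable C program below is an added example written for this archive page; it is not eEye's code, not the PGP plug-in, and not the advisory's exploit. It models that primitive in-process: a constructed "heap object" holds a fixed-size subject buffer immediately followed by the table pointer, a vulnerable decoder copies the subject without a length check, and a crafted subject (constructed here, standing in for the malformed email) overwrites the pointer so that dispatch lands in an attacker-selected function. The hardened decoder beside it refuses the oversized subject. The Windows-specific steps in the advisory (fixed PEB addresses, pointing the table pointer at an import table, and the SetUnhandledExceptionFilter() IAT trick) are not modelled; every name, offset and buffer size here is an assumption of the example.

```c
/* Added example (not from the advisory or the PGP plug-in): a pointer to a
 * function-pointer list sits on the "heap" right after an unchecked buffer.
 * Overwriting it redirects the indirect call to an attacker-chosen table.
 * Build: cc -std=c99 -Wall pgp_dispatch_demo.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(const char *arg);

/* The function-pointer list that "CALL DWORD PTR [ecx]" reads its target from. */
struct handler_table { handler_fn fn[1]; };

/* Constructed heap-object layout (an assumption of this example): a
 * fixed-size subject buffer immediately followed by the table pointer. */
#define SUBJECT_MAX   32
#define TABLE_PTR_OFF SUBJECT_MAX
#define OBJ_SIZE      (SUBJECT_MAX + sizeof(const struct handler_table *))

static int legit_handler(const char *arg)    { (void)arg; return 1; }
static int attacker_handler(const char *arg) { (void)arg; return 0xEEE; }

static const struct handler_table legit_table    = { { legit_handler } };
static const struct handler_table attacker_table = { { attacker_handler } };

/* Put a fresh object on the "heap" with its table pointer set to the real one. */
static void init_object(unsigned char *obj)
{
    const struct handler_table *t = &legit_table;
    memset(obj, 0, OBJ_SIZE);
    memcpy(obj + TABLE_PTR_OFF, &t, sizeof t);
}

/* Vulnerable decoder: copies the subject with no length check, so a subject
 * longer than SUBJECT_MAX runs into the adjacent table pointer. */
static void decode_vulnerable(unsigned char *obj, const unsigned char *subj, size_t len)
{
    memcpy(obj, subj, len);                 /* BUG: len is never checked */
}

/* Hardened decoder: rejects an oversized subject outright instead of copying it. */
static int decode_hardened(unsigned char *obj, const unsigned char *subj, size_t len)
{
    if (len > SUBJECT_MAX)
        return -1;
    memcpy(obj, subj, len);
    return 0;
}

/* The indirect call the exploit redirects: load the table pointer from the
 * object, then call its first slot with the object address as the argument. */
static int dispatch(const unsigned char *obj)
{
    const struct handler_table *t;
    memcpy(&t, obj + TABLE_PTR_OFF, sizeof t);
    return t->fn[0]((const char *)obj);
}

/* Craft the "malicious email" subject: filler up to the end of the subject
 * buffer, then the address of the attacker's table where the real pointer lived. */
static size_t craft_subject(unsigned char *out, const struct handler_table *target)
{
    memset(out, 'A', SUBJECT_MAX);
    memcpy(out + SUBJECT_MAX, &target, sizeof target);
    return SUBJECT_MAX + sizeof target;
}

/* Vulnerable decoder + crafted subject: dispatch lands in attacker_handler. */
int run_vulnerable(void)
{
    unsigned char obj[OBJ_SIZE], subj[OBJ_SIZE];
    size_t len = craft_subject(subj, &attacker_table);
    init_object(obj);
    decode_vulnerable(obj, subj, len);
    return dispatch(obj);                   /* returns 0xEEE */
}

/* Same crafted subject against the hardened decoder: rejected before the copy. */
int run_hardened(void)
{
    unsigned char obj[OBJ_SIZE], subj[OBJ_SIZE];
    size_t len = craft_subject(subj, &attacker_table);
    init_object(obj);
    if (decode_hardened(obj, subj, len) != 0)
        return -1;                          /* oversized subject refused */
    return dispatch(obj);
}

/* A benign short subject goes through the real handler on the hardened decoder. */
int run_benign(void)
{
    unsigned char obj[OBJ_SIZE];
    static const unsigned char subj[] = "hello";
    init_object(obj);
    if (decode_hardened(obj, subj, sizeof subj) != 0)
        return -1;
    return dispatch(obj);                   /* returns 1 */
}

int main(void)
{
    printf("vulnerable decoder: handler returned 0x%X\n", run_vulnerable());
    printf("hardened decoder:   %d (crafted subject rejected)\n", run_hardened());
    printf("benign subject:     %d\n", run_benign());
    return 0;
}
```

The point the example makes is the one the advisory relies on: the overwritten word is not a return address but a pointer to a list of function pointers, so the attacker never needs to know where their own code is, only the address of some table whose first slot is useful. Bounding the copy removes the primitive; the table pointer is never reached.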