Wilders Security Forums  

Old July 11th, 2002, 05:28 AM
Paul Wilders (Administrator)
PGP/Outlook flaw & Patch

Summary
A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely execute code on any system that uses the NAI PGP Outlook plug-in. By sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in.
This vulnerability can be exploited by a user simply selecting a "malicious" email; the opening of attachments is not required. When the attack is performed against a target system, malicious code will be executed within the context of the user receiving the email. This can lead to the compromise of the target's machine, as well as their PGP encrypted communications. It should also be noted that, because of the nature of the SMTP protocol, this vulnerability could be exploited anonymously.


Details
Vulnerable systems:
* NAI PGP Desktop Security 7.0.4
* NAI PGP Personal Security 7.0.3
* NAI PGP Freeware 7.0.3

Exploitation:
By creating a malformed email, we can overwrite a section of heap memory that contains various data. By overwriting this section of heap with valid addresses of an unused section in the PEB, which is the same across all NT systems, we can walk the email parsing and eventually get to something easily exploitable:
CALL DWORD PTR [ecx]

This pointer references a function pointer list. At the time of exploitation, an attacker-controlled buffer address is the first item on the stack. By overwriting the function pointer list pointer address with the address of an Import table, we can call any imported function. Our current stack will be passed into the function for parameter use, as is. The first item on our stack is an address that points to attacker-controlled data.

By overwriting the address with the address of the SetUnhandledExceptionFilter() IAT entry, execution will redirect into this address when the default exception handler is called.

After returning from SetUnhandledExceptionFilter(), PGP Outlook will fail as it crawls back down the call stack; after cycling through the exception list, it will call the DefaultExceptionFilter, which now contains the address of our code. This, of course, can also be exploited silently using frame reconstruction.

Due to the large size of an example vulnerable email, we are not including it in our advisory. We will be updating the research section of our website with a link to an example email.

Vendor Status:
NAI has worked quickly to safeguard customers against this vulnerability. They have released a patch, for the latest versions of the PGP Outlook plug-in, to protect systems from this flaw. You may download the patch from:
www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Note: This issue does not affect PGP Corporate Desktop users.

-----

source: securiteam.com
