July 10, 2002
High (Remote Code Execution)
NAI PGP Desktop Security 7.0.4
NAI PGP Personal Security 7.0.3
NAI PGP Freeware 7.0.3
The beer is still cold, the days are still long, the exploits still start as jokes (this time over a beer with a three letter agency) and as for the advisories... we'll just say: "All of your SCADA are belong to us". (If you do not get this quote, do not worry. And yes, the bad grammar is intentional.)
A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely execute code on any system that uses the NAI PGP Outlook plug-ins. By sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in.
This vulnerability can be exploited by the Outlook user simply selecting a "malicious" email, the opening of an attachment is not required. When the attack is performed against a target system, malicious code will be executed within the context of the user receiving the email. This can lead to the compromise of the target's machine, as well as their PGP encrypted communications. Also, it should be noted that because of the nature of the SMTP protocol this vulnerability can be exploited anonymously.
By creating a malformed email we can overwrite a section of heap memory that contains various data. By overwriting this section of heap with valid addresses of an unused section in the PEB, which is the same across all NT systems, we can walk the email parsing and eventually get to something easily exploitable:
CALL DWORD PTR [ecx]
This pointer address references a function pointer list. At the time of exploitation, an attacker controlled buffer address is the first item on the stack. By overwriting the function pointer list pointer address with the address of an Import table, we can call any imported function. Our current stack will be passed into the function for parameter use. The first item on our stack is an address that points to attacker-controlled data.
By overwriting the address with the address of the SetUnhandledExceptionFilter() IAT entry, execution will redirect into this address when the default exception handler is called.
After returning from SetUnhandledExceptionFilter() PGP, Outlook will fail as it crawls back down the call stack. After cycling through the exception list it will call the DefaultExceptionFilter, which now contains the address of our code. This can also be exploited silently using frame reconstruction.
Due to the large size of a vulnerable email, we are not including an example in our advisory. We will be updating the research section of this website with a link to an example email.
Where do you want your secret key to go today?
NAI has worked quickly to safeguard customers against this vulnerability. They have released a patch for the latest versions of the PGP Outlook plug-in to protect systems from this flaw. Users can download the patch from: http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp Note: This issue does not affect PGP Corporate Desktop users.
Discover: Marc Maiffret
Exploitation: Riley Hassell
Kasia, and the hot photographer from Inc Magazine. Phil Zimmerman, the godfather of personal privacy - much respect.
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security