From: Chris (brahma_at_MENDOLINK.COM)
Date: Fri Jul 12 2002 - 01:49:05 CDT
How about a patch for us with the version from pgpi.net. The patch off
NAI's site does not work. Seems to think PGP is not installed.
----- Original Message -----
From: "Marc Maiffret" <marc@EEYE.COM>
Sent: Wednesday, July 10, 2002 4:04 PM
Subject: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
> Remote PGP Outlook Encryption Plug-in Vulnerability
> Release Date:
> July 10, 2002
> High (Remote Code Execution)
> Systems Affected:
> NAI PGP Desktop Security 7.0.4
> NAI PGP Personal Security 7.0.3
> NAI PGP Freeware 7.0.3
> The beer is still cold, the days are still long, the exploits still start
> jokes (this time over a beer with a three letter agency) and the
> advisories... we'll just say, "All of your SCADA are belong to us."
> A vulnerability in the NAI PGP Outlook plug-in can be exploited to
> execute code on any system that uses the NAI PGP Outlook plug-in. By
> sending a carefully crafted email the message decoding functionality can
> manipulated to overwrite various heap structures pertinent to the PGP
> This vulnerability can be exploited by a user simply selecting a
> email, the opening of attachments is not required. When the attack is
> performed against a target system, malicious code will be executed within
> the context of the user receiving the email. This can lead to the
> of the target's machine, as well as their PGP encrypted communications. It
> should also be noted that because of the nature of the SMTP protocol this
> vulnerability can be exploited anonymously.
> Technical Description:
> By creating a malformed email we can overwrite a section of heap memory
> contains various data. By overwriting this section of heap with valid
> addresses of an unused section in the PEB, which is the same across all NT
> systems, we can walk the email parsing and eventually get to something
> easily exploitable:
> CALL DWORD PTR [ecx]
> This pointer address references a function pointer list. At the time of
> exploitation, an attacker controlled buffer address is the first item on
> stack. By overwriting the function pointer list pointer address with the
> address of an Import table, we can call any imported function. Our current
> stack will be passed into the function for parameter use, as is. The first
> item on our stack is an address that points to attacker-controlled data.
> By overwriting the address, with the address of the
> SetUnhandledExceptionFilter() IAT entry, execution will redirect into this
> address when the default exception handler is called,
> After returning from SetUnhandledExceptionFilter() PGP Outlook will fail
> it crawls back down the call stack, after cycling through the exception
> it will call the DefaultExceptionFilter, which now contains the address of
> our code. This of course can also be exploited silently using frame
> Due to the large size of an example vulnerable email we are not including
> in our advisory. We will be updating the research section of our website
> with a link to an example email. http://www.eEye.com
> Where do you want your secret key to go today?
> Vendor Status: NAI has worked quickly to safeguard customers against this
> vulnerability. They have released a patch, for the latest versions of the
> PGP Outlook plug-in, to protect systems from this flaw. You may download
> patch from:
> Note: This issue does not affect PGP Corporate Desktop users.
> Discover: Marc Maiffret
> Exploitation: Riley Hassell
> Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
> Zimmerman, the godfather of personal privacy, much respect.
> Copyright (c) 1998-2002 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express consent
> eEye. If you wish to reprint the whole or any part of this alert in any
> other medium excluding electronic medium, please e-mail alert@eEye.com for
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> NO warranties with regard to this information. In no event shall the
> be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at
> user's own risk.
> Please send suggestions, updates, and comments to:
> eEye Digital Security
> ** TO UNSUBSCRIBE DO NOT REPLY TO THIS MESSAGE!
> ** SEND ALL COMMANDS TO: LISTSERV@LISTSERV.NTSECURITY.NET
> ** TO UNSUBSCRIBE, send the command "unsubscribe win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "set win2ksecadvice DIGEST"