From: Chris (brahma_at_MENDOLINK.COM)
Date: Fri Jul 12 2002 - 01:49:05 CDT


    How about a patch for us with the version from pgpi.net. The patch off
    NAI's site does not work. Seems to think PGP is not installed.

    ----- Original Message -----
    From: "Marc Maiffret" <marc@EEYE.COM>
    To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
    Sent: Wednesday, July 10, 2002 4:04 PM
    Subject: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability

    > Remote PGP Outlook Encryption Plug-in Vulnerability
    >
    > Release Date:
    > July 10, 2002
    >
    > Severity:
    > High (Remote Code Execution)
    >
    > Systems Affected:
    > NAI PGP Desktop Security 7.0.4
    > NAI PGP Personal Security 7.0.3
    > NAI PGP Freeware 7.0.3
    >
    > Description:
    >
    > The beer is still cold, the days are still long, the exploits still start as
    > jokes (this time over a beer with a three letter agency) and the
    > advisories... we'll just say, "All of your SCADA are belong to us."
    >
    > A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely
    > execute code on any system that uses the NAI PGP Outlook plug-in. By
    > sending a carefully crafted email the message decoding functionality can be
    > manipulated to overwrite various heap structures pertinent to the PGP
    > plug-in.
    >
    > This vulnerability can be exploited by a user simply selecting a "malicious"
    > email; the opening of attachments is not required. When the attack is
    > performed against a target system, malicious code will be executed within
    > the context of the user receiving the email. This can lead to the compromise
    > of the target's machine, as well as their PGP encrypted communications. It
    > should also be noted that because of the nature of the SMTP protocol this
    > vulnerability can be exploited anonymously.
    >
    > Technical Description:
    >
    > Exploitation:
    >
    > By creating a malformed email we can overwrite a section of heap memory that
    > contains various data. By overwriting this section of heap with valid
    > addresses of an unused section in the PEB, which is the same across all NT
    > systems, we can walk the email parsing and eventually get to something
    > easily exploitable:
    >
    > CALL DWORD PTR [ecx]
    >
    > This pointer address references a function pointer list. At the time of
    > exploitation, an attacker controlled buffer address is the first item on the
    > stack. By overwriting the function pointer list pointer address with the
    > address of an Import table, we can call any imported function. Our current
    > stack will be passed into the function for parameter use, as is. The first
    > item on our stack is an address that points to attacker-controlled data.
    >
    > By overwriting the address with the address of the
    > SetUnhandledExceptionFilter() IAT entry, execution will redirect into this
    > address when the default exception handler is called.
    >
    > After returning from SetUnhandledExceptionFilter() PGP Outlook will fail as
    > it crawls back down the call stack; after cycling through the exception list
    > it will call the DefaultExceptionFilter, which now contains the address of
    > our code. This of course can also be exploited silently using frame
    > reconstruction.
    >
    > Due to the large size of an example vulnerable email we are not including it
    > in our advisory. We will be updating the research section of our website
    > with a link to an example email. http://www.eEye.com
    >
    > Where do you want your secret key to go today?
    >
    > Vendor Status: NAI has worked quickly to safeguard customers against this
    > vulnerability. They have released a patch, for the latest versions of the
    > PGP Outlook plug-in, to protect systems from this flaw. You may download the
    > patch from:
    > http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
    > Note: This issue does not affect PGP Corporate Desktop users.
    >
    > Discover: Marc Maiffret
    > Exploitation: Riley Hassell
    >
    > Greetings: Kasia, and the hot photographer from Inc Magazine. Phil
    > Zimmermann, the godfather of personal privacy, much respect.
    >
    > Copyright (c) 1998-2002 eEye Digital Security
    > Permission is hereby granted for the redistribution of this alert
    > electronically. It is not to be edited in any way without express consent of
    > eEye. If you wish to reprint the whole or any part of this alert in any
    > other medium excluding electronic medium, please e-mail alert@eEye.com for
    > permission.
    >
    > Disclaimer
    > The information within this paper may change without notice. Use of this
    > information constitutes acceptance for use in an AS IS condition. There are
    > NO warranties with regard to this information. In no event shall the author
    > be liable for any damages whatsoever arising out of or in connection with
    > the use or spread of this information. Any use of this information is at the
    > user's own risk.
    >
    > Feedback
    > Please send suggestions, updates, and comments to:
    >
    > eEye Digital Security
    > http://www.eEye.com
    > info@eEye.com
    >
    > _____________________________________________________________________
    > ** TO UNSUBSCRIBE DO NOT REPLY TO THIS MESSAGE!
    >
    > ** SEND ALL COMMANDS TO: LISTSERV@LISTSERV.NTSECURITY.NET
    > ** TO UNSUBSCRIBE, send the command "unsubscribe win2ksecadvice"
    > ** FOR A WEEKLY DIGEST, send the command "set win2ksecadvice DIGEST"
