11050620 2003-12-03 16:30 +0300 /122 lines/ S-Quadra Security Research <research@s-quadra.com>
Imported: 2003-12-03 19:40 by Brevbäraren
External recipient: full-disclosure <full-disclosure@lists.netsys.com>
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <30141>
Subject: GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
------------------------------------------------------------
From: S-Quadra Security Research <research@s-quadra.com>
To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com>
Message-ID: <3FCDE57E.3050601@s-quadra.com>

S-Quadra Advisory #2003-12-03

Topic: GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
Severity: Low
Vendor URL: http://www.gnupg.org
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031203.txt
Release date: 3 Dec 2003

1. DESCRIPTION

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC2440 (OpenPGP) compliant application.

GnuPG has an external HKP interface which is marked as experimental and is not enabled by default in the 1.2 stable branch; to use it you should compile GnuPG with the '--enable-external-hkp' configuration option. On the 1.3 devel branch, the external HKP interface is enabled by default, and to disable it you should compile GnuPG with the '--disable-hkp' configuration option.

When the external HKP interface is enabled, GnuPG will make use of the 'gpgkeys_hkp' utility for keyserver accesses. There exists a format string vulnerability in the 'gpgkeys_hkp' utility which would allow a malicious keyserver, in the worst case, to execute arbitrary code on the user's machine.

2. DETAILS

The offending code can be found in keyserver/gpgkeys_hkp.c:

<snip>
int get_key(char *getkey)
{
  int rc,gotit=0;
  char search[29];
  char *request;
  struct http_context hd;

  ...

  if(verbose>2)
    fprintf(console,"gpgkeys: HTTP URL is \"%s\"\n",request);

  rc=http_open_document(&hd,request,http_flags);
  if(rc!=0)
    {
      fprintf(console,"gpgkeys: HKP fetch error: %s\n",
              rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc));
      fprintf(output,"KEY 0x%s FAILED\n",getkey);
    }
  else
    {
      unsigned int maxlen=1024,buflen;
      byte *line=NULL;

      while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen))
        {
          maxlen=1024;

          if(gotit)
            {
              // S-Quadra: here is where format string bug lives
              fprintf(output,line);
              if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
                break;
            }
          else
            if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
              {
                // S-Quadra: here is where format string bug lives
                fprintf(output,line);
                gotit=1;
              }
        }

  ...

  return 0;
}
</snip>

3. FIX INFORMATION

S-Quadra alerted the GnuPG development team to this issue on 27th November 2003. For the 1.2 branch, a fix is available in CVS; the latest devel version, 1.3.4, also contains a fix for the reported bug.

4. CREDITS

Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and network assessment, web application security, source code review and third party product vulnerability assessment, forensic support and reverse engineering. Security is an art and our goal is to bring responsible and high quality security service to the IT market, customized to meet the unique needs of each individual client.

S-Quadra (pronounced es quadra) is not an acronym. It's unique, creative and innovative - just like the security services we bring to our clients.
S-Quadra Advisory #2003-12-03 (11050620) /S-Quadra Security Research <research@s-quadra.com>/(Re-wrapped)
Comment in text 11051047 by David Shaw <dshaw@jabberwocky.com>

11051047 2003-12-03 13:48 -0500 /28 lines/ David Shaw <dshaw@jabberwocky.com>
Imported: 2003-12-03 21:41 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <30154>
Comment on text 11050620 by S-Quadra Security Research <research@s-quadra.com>
Subject: Re: GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
------------------------------------------------------------
From: David Shaw <dshaw@jabberwocky.com>
To: bugtraq <bugtraq@securityfocus.com>
Message-ID: <20031203184816.GE11489@jabberwocky.com>

On Wed, Dec 03, 2003 at 04:30:38PM +0300, S-Quadra Security Research wrote:

>           if(gotit)
>             {
>               // S-Quadra: here is where format string bug lives
>               fprintf(output,line);
>               if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
>                 break;
>             }

This one is indeed a problem.

>             if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
>               {
>                 // S-Quadra: here is where format string bug lives
>                 fprintf(output,line);
>                 gotit=1;
>               }

But this one is not. You can't get to the dangerous fprintf without "line" being verified as safe.

David

(11051047) /David Shaw <dshaw@jabberwocky.com>/-----
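The following is an added example written for this archive page; it is not GnuPG's code, nor code from S-Quadra or David Shaw. It rebuilds the copy loop from the advisory (wait for the BEGIN marker, copy through the END marker) with the hardened write that the fix requires: keyserver lines go through fputs, so their bytes are data and are never parsed as a format string. The BEGIN-marker write is kept as the one place where the original fprintf was already safe, since strcmp has just proven the line equals a constant, which is the distinction David Shaw draws in his reply. The function names (copy_key_block, has_format_directive, copy_sample, sample_output) and the keyserver response in SAMPLE_RESPONSE are constructed for the example, and it assumes POSIX fmemopen(3) for the in-memory streams.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(3) */
#include <stdio.h>
#include <string.h>

#define BEGIN_BLOCK "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
#define END_BLOCK   "-----END PGP PUBLIC KEY BLOCK-----\n"

/* Constructed keyserver response (not captured from any real server): an HTML
 * wrapper around an armored block whose body line carries '%' directives, the
 * kind of content a hostile server could return to the gpgkeys_hkp loop. */
static const char SAMPLE_RESPONSE[] =
    "<html><body><pre>\n"
    BEGIN_BLOCK
    "Version: constructed-example\n"
    "\n"
    "mQGiBD%08x%s== constructed body line containing format directives\n"
    END_BLOCK
    "</pre></body></html>\n";

/* Returns 1 if text contains a '%' that the printf family would parse as a
 * conversion directive ("%%" is a literal percent sign and does not count).
 * Useful as a review or fuzzing check on data that reaches a *printf call. */
int has_format_directive(const char *text)
{
    for (const char *p = strchr(text, '%'); p != NULL; p = strchr(p + 2, '%')) {
        if (p[1] != '%')
            return 1;           /* "%x", "%s", "%n", or a dangling '%' */
    }
    return 0;
}

/* Hardened version of the copy loop from the advisory: the same state machine
 * (skip until BEGIN, copy through END), but the line is written with fputs so
 * its bytes are output verbatim and never interpreted. Returns the number of
 * lines copied, or -1 on a write error. */
int copy_key_block(FILE *in, FILE *out)
{
    char line[1024];
    int gotit = 0, copied = 0;

    while (fgets(line, sizeof line, in) != NULL) {
        if (gotit) {
            if (fputs(line, out) == EOF)      /* was: fprintf(output,line) */
                return -1;
            copied++;
            if (strcmp(line, END_BLOCK) == 0)
                break;
        } else if (strcmp(line, BEGIN_BLOCK) == 0) {
            /* This write was safe even in the original: strcmp has just
             * proven the line equals the constant marker, so no directive
             * can be present (David Shaw's point in the follow-up). */
            if (fputs(line, out) == EOF)
                return -1;
            copied++;
            gotit = 1;
        }
    }
    return copied;
}

static char g_out[1024];   /* captured output of copy_sample() */

/* Runs copy_key_block over SAMPLE_RESPONSE through in-memory streams and
 * returns the line count; sample_output() exposes what was written. */
int copy_sample(void)
{
    memset(g_out, 0, sizeof g_out);
    FILE *in = fmemopen((void *)SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE - 1, "r");
    FILE *out = fmemopen(g_out, sizeof g_out, "w");
    if (in == NULL || out == NULL) {
        if (in) fclose(in);
        if (out) fclose(out);
        return -1;
    }
    int n = copy_key_block(in, out);
    fclose(out);    /* flushes and NUL-terminates g_out */
    fclose(in);
    return n;
}

const char *sample_output(void)
{
    return g_out;
}

int main(void)
{
    int n = copy_sample();
    printf("copied %d lines:\n%s", n, sample_output());
    printf("output still contains raw format directives: %s\n",
           has_format_directive(sample_output()) ? "yes, as literal text" : "no");
    return 0;
}
```

Running it copies the five lines between and including the armor markers, drops the HTML wrapper, and leaves the "%08x%s" sequence in the output as literal characters, which is exactly the behaviour the original fprintf(output,line) did not guarantee. The has_format_directive check is the kind of assertion a reviewer can drop into tests for any path where untrusted data is handed to a printf-family function.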