SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!

SecurityTracker
Archives



Category:  Application (Security)  >  PGPfire
Vendors:  Network Associates
PGPfire Personal Firewall for Microsoft Windows Discloses Identifying Information to Remote Users
Date:  Jan 26 2002
Impact:  Disclosure of system information
Exploit Included:  Yes
Vendor Confirmed:  Yes
Advisory:  @Stake - L0pht
Version(s):  PGP Corporate Desktop 7.1
Description:  @Stake reported an information disclosure vulnerability in the PGPfire personal firewall software, part of the PGP Corporate Desktop application. A remote user can determine whether the firewall has been installed.

It is reported that the product alters the TCP/IP stack of the Microsoft operating system, allowing a remote user to identify the presence of the software even if the firewall is not enabled.

The modified stack reportedly returns an altered ICMP Port Unreachable error message: in the copy of the original IP header that the error message echoes back, the flags/fragment-offset word is zeroed (a probe sent with DF set, 0x4000, is echoed as 0x0000), while the echoed UDP header is returned correctly. The tcpdump trace in the Source Message shows the modification.

Impact:  A remote user can determine whether the firewall has been installed on the operating system, even if it is not enabled.
Solution:  The vendor has reported that there will be no patch for version 7.1 but that this flaw has already been corrected for the pending version 7.5 release.

The author of the report recommends as a workaround enabling one of the PGPfire security policies and verifying that it does not allow any ICMP error messages out from the protected machine to the outside world.

Vendor URL:  www.pgp.com/products/pgpfire/default.asp (Links to External Site)
Cause:  State error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Microsoft Windows 2000 (No-SP, SP1, SP2, Pre-SP3 Patches) and Windows Me
Reported By:  Ofir Arkin <ofir@stake.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 25 Jan 2002 19:47:36 +0000
From:  Ofir Arkin <ofir@stake.com>
Subject:  Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft

 

Subject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal 
Desktop Firewall Installed (no need to be enabled) on Microsoft Windows 
Based OSs

Author: Ofir Arkin (ofir@stake.com)


Network Associates PGP Corporate Desktop version 7.1 alters the TCP/IP 
stack of the MS operating system on which it installs its PGPfire Personal 
Desktop Firewall product.

This alteration occurs even if PGPfire is not enabled.

The alteration we have observed is in the ICMP Port Unreachable Error 
Messages received from a Microsoft Windows machine running the program.

The following tcpdump trace was produced with Xprobe against a Microsoft 
Windows 2000 SP2 based machine with the pre-SP3 patches installed:


[root@mavrick root]# tcpdump -xnvv
tcpdump: listening on eth0
17:34:11.113066 192.168.1.100.64257 > 192.168.1.5.32132:  udp 70 (DF)
(ttl 250, id 28832, len 98)
                          4500 0062 70a0 4000 fa11 8c30 c0a8 0164
                          c0a8 0105 fb01 7d84 004e 0312 0000 0000
                          0000 0000 0000 0000 0000 0000 0000 0000
                          0000 0000 0000 0000 0000 0000 0000 0000
                          0000 0000 0000 0000 0000 0000 0000 0000
                          0000
17:34:11.113066 192.168.1.5 > 192.168.1.100: icmp:
192.168.1.5 udp port 32132 unreachable for 192.168.1.100.64257 > 
192.168.1.5.32132:  udp 70 (ttl 250, id 28832, len 98) (ttl 128, id
11150, len 56)
                          4500 0038 2b8e 0000 8001 8b7d c0a8 0105
                          c0a8 0164 0303 8116 0000 0000 4500 0062
                          70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105
                          fb01 7d84 004e 0312


If you look at the ICMP Error message, look at the part where it starts 
to echo the original message:

4500, 0062, 70a0 AND THEN 0000!

This behavior is also common with ULTRIX based machines. But it is very 
easy to differentiate the ULTRIX based machines from the traces produced 
against machines using Network Associates PGP Corporate Desktop 7.1 with 
PGPfire Personal Desktop Firewall installed (no need to be enabled). If 
we examine the echoed UDP Header, for example, with the ULTRIX 
based machines this echoed field value will be zero, while with the 
machines running Microsoft Windows operating systems with Network 
Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop 
Firewall installed this field will be echoed correctly.


Tested against machines with PGPfire installed on:

-Microsoft Windows 2000 Platforms (No-SP, SP1, SP2, Pre-SP3 Patches)
-Microsoft Windows Millennium


Dangers:
Ability to pinpoint Microsoft Windows Operating Systems using Network 
Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop 
Firewall installed (no need to be enabled), since this type of echoing 
error integrity is almost unique.

If the firewall is not being used, or if it is running in an insecure 
mode, an attacker might use this information to maliciously attack a 
victim's machine.


Vendor Response: Since this is an "Information Leakage" problem, no patch 
will be released for version 7.1. This is already fixed in the upcoming 
PGP Corporate Desktop software version 7.5.


Remedies: Just enable one of the PGPfire security policies of your 
choice, and check it does not allow ANY ICMP Error messages from your 
protected machine to the outside world.


-- 
Ofir Arkin
Managing Security Architect
@stake, Limited.
http://www.atstake.com
email: ofir@stake.com
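The check described in the source message above, written out as a small parser. This is an added example; it is not part of the advisory, of @stake's report, or of Xprobe. It takes the probe and the reply from the tcpdump trace, re-entered from its hex dump (the probe's 70-byte zero payload is reconstructed from the "udp 70" summary, since tcpdump truncated the dump), verifies the inner IP and the ICMP checksums, and classifies the echo the way the message describes: flags/fragment word zeroed with the UDP header echoed intact is the PGPfire signature, zeroed with a zeroed UDP header is the ULTRIX-like case. The verdict labels, and the treatment of the ULTRIX case as a fully zeroed 8-byte UDP header, are assumptions of this example.

```python
"""Classify the altered ICMP Port Unreachable echo described in the advisory.

Added example (not part of the advisory or of Xprobe). The two packets are
the ones from the tcpdump trace, re-entered from its hex dump; the probe's
70-byte zero payload is reconstructed from "udp 70" because tcpdump
truncated the dump at its snaplen.
"""
import struct

# Constructed input: hex copied from the trace (UDP probe, then ICMP reply).
PROBE_HEX = ("4500 0062 70a0 4000 fa11 8c30 c0a8 0164 "
             "c0a8 0105 fb01 7d84 004e 0312" + " 0000" * 35)
REPLY_HEX = ("4500 0038 2b8e 0000 8001 8b7d c0a8 0105 "
             "c0a8 0164 0303 8116 0000 0000 4500 0062 "
             "70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105 "
             "fb01 7d84 004e 0312")


def unhex(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", ""))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and validate its checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl, "total_len": total_len, "id": ident,
        "flags_frag": flags_frag, "df": bool(flags_frag & 0x4000),
        "ttl": ttl, "proto": proto,
        "checksum_valid": inet_checksum(buf[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }


def classify_unreachable(probe: bytes, reply: bytes) -> dict:
    """Compare the header echoed in an ICMP type 3 / code 3 with the probe."""
    outer = parse_ipv4(reply)
    icmp = reply[outer["ihl"]:]
    itype, icode = struct.unpack("!BB", icmp[:2])
    if outer["proto"] != 1 or (itype, icode) != (3, 3):
        raise ValueError("not an ICMP port unreachable")
    echoed = icmp[8:]                      # original IP header + first 8 bytes
    orig_ip, echo_ip = parse_ipv4(probe), parse_ipv4(echoed)
    orig_udp = probe[orig_ip["ihl"]:orig_ip["ihl"] + 8]
    echo_udp = echoed[echo_ip["ihl"]:echo_ip["ihl"] + 8]

    if echo_ip["flags_frag"] == orig_ip["flags_frag"]:
        verdict = "intact"                 # normal RFC 792 behaviour
    elif echo_ip["flags_frag"] == 0:
        # Flags/fragment word zeroed (DF lost). Per the advisory, PGPfire
        # echoes the UDP header correctly while ULTRIX echoes it zeroed;
        # the all-zero 8-byte test for ULTRIX is this example's assumption.
        if echo_udp == orig_udp:
            verdict = "pgpfire-like"
        elif echo_udp == bytes(8):
            verdict = "ultrix-like"
        else:
            verdict = "unknown-zeroed-flags"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "probe_flags_frag": orig_ip["flags_frag"],
        "echoed_flags_frag": echo_ip["flags_frag"],
        "echoed_ip_checksum_valid": echo_ip["checksum_valid"],
        "icmp_checksum_valid": inet_checksum(icmp) == 0,
        "udp_header_echoed_correctly": echo_udp == orig_udp,
    }


if __name__ == "__main__":
    for key, value in classify_unreachable(unhex(PROBE_HEX), unhex(REPLY_HEX)).items():
        print(f"{key}: {value}")
```

Run on the trace it reports pgpfire-like with both the echoed inner IP checksum and the ICMP checksum valid: the header checksum in the echo (0xcc30) differs from the probe's (0x8c30) by exactly the cleared 0x4000 bit, so the stack recomputed the checksum over the modified header rather than copying the original bytes back verbatim.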







Copyright 2002, SecurityGlobal.net LLC