SecurityTracker.com
Category:  Application (Security)  >  GnuPG (Gnu Privacy Guard) Vendors:  Gnupg.org
GnuPG 'gpgkeys_hkp' Format String Flaw Lets Remote Keyservers Execute Arbitrary Code
SecurityTracker Alert ID:  1008371
CVE Reference:  CAN-2003-0978
Updated:  Dec 11 2003
Original Entry Date:  Dec 3 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  S-Quadra Security Research
Version(s): 1.2.3, 1.3.3
Description:  A format string vulnerability was reported in GnuPG's experimental 'gpgkeys_hkp' keyserver helper. A malicious keyserver can execute arbitrary code on the target user's system.

S-Quadra reported that when the external HKP interface is enabled, the get_key() function in 'keyserver/gpgkeys_hkp.c' writes each line of the keyserver's response with fprintf(output, line), passing the keyserver-supplied line as the format string instead of as an argument to a constant format such as "%s". The line is not validated, so a keyserver (or a network attacker able to modify the plaintext HTTP response the HKP protocol is carried over) can return lines containing conversion directives such as %s or %n, which read from or write to the client's stack and can lead to arbitrary code execution in the context of the user running gpg.

The report indicates that this HKP interface is not enabled by default in the 1.2 stable branch (it requires building with '--enable-external-hkp'), but is enabled by default in the 1.3 development branch (it can be disabled with '--disable-hkp').

The vendor was reportedly notified on 27 November 2003.

Impact:  A remote keyserver can execute arbitrary code on a target user's system.
Solution:  The vendor has released a fixed development version (1.3.4) and has issued a fix for the 1.2 branch, available via CVS.
Vendor URL:  www.gnupg.org/
Cause:  Input validation error
Underlying OS:  Linux (Any)
Reported By:  S-Quadra Security Research <research@s-quadra.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 11 2003 (SuSE Issues Fix) GnuPG 'gpgkeys_hkp' Format String Flaw Lets Remote Keyservers Execute Arbitrary Code   (Roman Drahtmueller <draht@suse.de>)
SuSE has issued a fix.
Dec 12 2003 (Gentoo Issues Fix) GnuPG 'gpgkeys_hkp' Format String Flaw Lets Remote Keyservers Execute Arbitrary Code   (Rajiv Aaron Manglani <rajiv@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Wed, 03 Dec 2003 16:30:38 +0300
From:  S-Quadra Security Research <research@s-quadra.com>
Subject:  [Full-Disclosure] GnuPG 1.2.3, 1.3.3 external HKP interface format string issue

            S-Quadra Advisory #2003-12-03

Topic: GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
Severity: Low
Vendor URL: http://www.gnupg.org
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031203.txt
Release date: 3 Dec 2003

1. DESCRIPTION

GnuPG is a complete and free replacement for PGP.
Because it does not use the patented IDEA algorithm, it can be used 
without any restrictions.
GnuPG is an RFC 2440 (OpenPGP) compliant application.

GnuPG has an external HKP interface which is marked as experimental and is not 
enabled by default in the 1.2 stable branch; to use it you must compile 
GnuPG with the '--enable-external-hkp' configuration option.
On the 1.3 devel branch the external HKP interface is enabled by default, 
and to disable it you must compile GnuPG with the '--disable-hkp' 
configuration option.

When the external HKP interface is enabled, GnuPG will make use of 
'gpgkeys_hkp' utility for keyserver accesses.

There exists a format string vulnerability in the 'gpgkeys_hkp' utility 
which would, in the worst case, allow a malicious keyserver to execute 
arbitrary code on the user's machine.

2. DETAILS

The offending code can be found in keyserver/gpgkeys_hkp.c:

<snip>
int get_key(char *getkey)
{
  int rc,gotit=0;
  char search[29];
  char *request;
  struct http_context hd;

  ...

  if(verbose>2)
    fprintf(console,"gpgkeys: HTTP URL is \"%s\"\n",request);

  rc=http_open_document(&hd,request,http_flags);
  if(rc!=0)
    {
      fprintf(console,"gpgkeys: HKP fetch error: %s\n",
              rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc));
      fprintf(output,"KEY 0x%s FAILED\n",getkey);
    }
  else
    {
      unsigned int maxlen=1024,buflen;
      byte *line=NULL;

      while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen))
        {
          maxlen=1024;

          if(gotit)
            {
              // S-Quadra: here is where format string bug lives
              fprintf(output,line);
              if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
                break;
            }
          else
            if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
              {
                // S-Quadra: here is where format string bug lives
                fprintf(output,line);
                gotit=1;
              }
        }
    }

  ...

  return 0;
}
</snip>
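The defect in the snippet above and in the SecurityTracker summary, shown as an added example written for this page (it is not GnuPG's code and not part of the S-Quadra advisory): a constructed HKP response is held in memory, the get_key() read loop is reproduced over it, and each line of the key block is written either the way gpgkeys_hkp did it (the line itself used as the format string; vsnprintf into a buffer is used here so the program is self-contained) or in the hardened form with the line passed as an argument to a constant "%s" format. A small check flags any line that would reach a format parameter while containing '%'. The response text, buffer sizes and function names are assumptions. The constructed line contains only "%%" sequences, which are defined behaviour, so the vulnerable path runs to completion and visibly rewrites the output; an unescaped %s or %n in a real response would instead read from or write to the stack of the same call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed HKP response (not captured from a real keyserver): the HTML
 * wrapper around an armored key, with one line carrying '%' characters
 * chosen by the attacker.  Only "%%" sequences are used so that the
 * vulnerable path below stays defined behaviour when run. */
static const char *const KEYSERVER_RESPONSE[] = {
    "<html><body><pre>\n",
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
    "Comment: 100%% attacker-controlled %%s %%n\n",
    "mQGiBD...constructed-key-material...\n",
    "-----END PGP PUBLIC KEY BLOCK-----\n",
    "</pre></body></html>\n",
};
#define N_RESPONSE_LINES (sizeof KEYSERVER_RESPONSE / sizeof KEYSERVER_RESPONSE[0])

/* The check a reviewer wants: data that can reach a format parameter must
 * never contain '%'.  Returns 1 if the line does. */
static int has_conversion_chars(const char *line)
{
    return strchr(line, '%') != NULL;
}

/* Same defect as fprintf(output, line) in gpgkeys_hkp.c: the keyserver's
 * line is the format string.  The va_list wrapper only redirects the output
 * into a buffer instead of a FILE*. */
static int emit_vulnerable(char *out, size_t n, const char *line, ...)
{
    va_list ap;
    va_start(ap, line);
    int rc = vsnprintf(out, n, line, ap);
    va_end(ap);
    return rc;
}

/* Hardened form: constant format, the line is an argument. */
static int emit_fixed(char *out, size_t n, const char *line)
{
    return snprintf(out, n, "%s", line);
}

/* Mirror of the get_key() read loop: copy lines from the BEGIN marker up to
 * and including the END marker into `out`.  Returns the number of lines
 * emitted; use_vulnerable selects which writer is used. */
static size_t extract_key_block(const char *const *lines, size_t nlines,
                                char *out, size_t outsz, int use_vulnerable)
{
    size_t used = 0, copied = 0;
    int gotit = 0;

    out[0] = '\0';
    for (size_t i = 0; i < nlines && used < outsz; i++) {
        const char *line = lines[i];

        if (!gotit) {
            if (strcmp(line, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n") != 0)
                continue;                    /* still inside the HTML wrapper */
            gotit = 1;
        }
        int n = use_vulnerable
                    ? emit_vulnerable(out + used, outsz - used, line)
                    : emit_fixed(out + used, outsz - used, line);
        if (n < 0)
            break;
        used += (size_t)n;                   /* loop guard stops on truncation */
        copied++;
        if (strcmp(line, "-----END PGP PUBLIC KEY BLOCK-----\n") == 0)
            break;
    }
    return copied;
}

int main(void)
{
    char buf[512];

    for (size_t i = 0; i < N_RESPONSE_LINES; i++)
        if (has_conversion_chars(KEYSERVER_RESPONSE[i]))
            printf("line %zu would be interpreted as a format string: %s",
                   i, KEYSERVER_RESPONSE[i]);

    extract_key_block(KEYSERVER_RESPONSE, N_RESPONSE_LINES, buf, sizeof buf, 1);
    printf("--- vulnerable writer (\"%%%%\" collapsed, text rewritten) ---\n%s", buf);
    extract_key_block(KEYSERVER_RESPONSE, N_RESPONSE_LINES, buf, sizeof buf, 0);
    printf("--- fixed writer (key block passed through verbatim) ---\n%s", buf);
    return 0;
}
```

With the vulnerable writer the comment line comes out as "Comment: 100% attacker-controlled %s %n", proof that the formatter consumed the keyserver's bytes as directives; with the fixed writer the block is copied byte for byte. The has_conversion_chars() check is a review aid, not a substitute for the fix: the correct repair is the constant format, since rejecting '%' would break legitimate armored data only by accident of encoding.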

3. FIX INFORMATION

S-Quadra alerted the GnuPG development team to this issue on 27 November 2003.
For the 1.2 branch a fix is available in CVS; the latest devel version, 1.3.4, 
also contains the fix for the reported bug.

4. CREDITS

Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering 
this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and 
network assessment, web application security, source code review and 
third party product vulnerability assessment, forensic support and 
reverse engineering.

Security is an art and our goal is to bring responsible and high quality 
security service to the IT market, customized to meet the unique needs 
of each individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services 
we bring to our clients.

            S-Quadra Advisory #2003-12-03


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2003, SecurityGlobal.net LLC