Thread-topic: [VulnWatch] Medium Risk Vulnerability in PGP Desktop
> -----Original Message-----
> From: NGSSoftware Insight Security Research
> [mailto:nisr@xxxxxxxxxxxxxxx]
> Sent: Friday, January 26, 2007 1:31 AM
> To: VulnWatch; Full Disclosure; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [VulnWatch] Medium Risk Vulnerability in PGP Desktop
>
> Peter Winter-Smith of NGSSoftware has discovered a medium risk vulnerability in PGP Desktop which can allow a remote authenticated attacker to execute arbitrary code on a system on which PGP Desktop is installed.
>
> The vulnerability resides within the Windows Service which PGP Desktop installs (which operates under the Local System account), and as such it may be used by any local or remote user (who must be a member of at least the Everyone/ANONYMOUS LOGON groups) to run code with escalated privileges. NGS have not been able to exploit this issue in the context of a NULL session.
>
> The details of this issue are as follows:
>
> PGP Desktop installs a service (PGPServ.exe/PGPsdkServ.exe) which exposes a named pipe '\pipe\pgpserv' (or '\pipe\pgpsdkserv' for the PGPsdkServ.exe instance). This pipe is the endpoint for an RPC interface (uuid:15cd3850-28ca-11ce-a4e8-00aa006116cb) which takes the following format:
>
> [ uuid(15cd3850-28ca-11ce-a4e8-00aa006116cb),
> version(1.0),
> implicit_handle(handle_t rpc_binding)
> ] interface pgpsdkserv
> {
> error_status_t Function_00(
> [in] /* [ignore] void * */ long element_1
> );
>
> typedef struct {
> long element_2;
> [size_is(element_2)] [unique] byte *element_3;
> } TYPE_1;
>
> error_status_t Function_01(
> [in] /* [ignore] void * */ long element_4,
> [in] [size_is(element_6)] byte element_5[*],
> [in] long element_6,
> [in] long element_7,
> [out] [ref] TYPE_1 *element_8
> );
> }
>
> This interface is used to marshal various objects and information between PGP clients (PGP.dll/PGPsdk.dll) and the PGP service.
>
> The vulnerability occurs as a result of the fact that the code responsible for processing the objects which are passed over the interface to the service does not perform any kind of validation on these objects, and instead trusts that object data is completely safe in the form that it is received (i.e., absolute pointers are trusted without validation).
>
> NGS have discovered that if the following object is passed over the interface as the second parameter to function ordinal 1, an absolute pointer is trusted and executed - easily facilitating arbitrary code execution inside of the PGP service process:
>
> /*
>
> structure passed over rpc:
> struct {
> DWORD **pprgMM; // set as absolute pointer to dwUnknown_1
> DWORD dwUnknown_1; // set as absolute pointer to 'rgMM'
> DWORD dwCount; // set to value 0
> DWORD dwFGUB_signature; // set to value 'FGUB'
> DWORD dwUnknown_2; // set to value 'rgMM'
> DWORD dwUnknown_3;
> DWORD dwUnknown_4;
> DWORD dwUnknown_5;
> DWORD dwUnknown_6;
> PBYTE pbFunction; // set to absolute address of shellcode
> // etc...
> };
>
> */
>
> This issue has been resolved as of PGP Desktop 9.5.1 and NGS recommend that all users download the updated version from the PGP website:
>
> http://www.pgp.com/
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
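The root cause above is a service that dereferences and calls absolute pointers received over the pipe. The following is an added illustration of the defensive pattern, not PGP's or NGS's code: a constructed wire format (the "FGUB" tag, rgMM array and count are borrowed from the advisory's object; the offset/handler-id layout, `process_wire_obj`, `build_blob` and `demo` are hypothetical) in which every reference is a bounds-checked offset into the received blob and the handler is an index into a fixed table, so nothing from the wire is ever used as a pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical hardened layout modelled on the advisory's object: references are
 * blob-relative offsets and the handler is a table index, so no field received
 * over the pipe is ever dereferenced or called as an absolute pointer. */
enum { HDR_LEN = 16, MAX_COUNT = 64 };

static uint32_t rd32(const uint8_t *p) {            /* little-endian read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

static int sum_handler(const uint8_t *rgmm, uint32_t count) {   /* stand-in for real work */
    int s = 0;
    for (uint32_t i = 0; i < count; i++) s += (int)rd32(rgmm + 4 * i);
    return s;
}
/* Fixed dispatch table: the only code the service will ever jump to. */
static int (*const handlers[])(const uint8_t *, uint32_t) = { sum_handler };

/* Header: "FGUB" | rgmm_off | count | func_id (all u32 LE). Returns 0 and stores
 * the handler result in *out, or a negative code naming the check that failed. */
int process_wire_obj(const uint8_t *blob, size_t len, int *out) {
    if (blob == NULL || len < HDR_LEN) return -1;                /* truncated header */
    if (memcmp(blob, "FGUB", 4) != 0) return -2;                 /* wrong signature */
    uint32_t off = rd32(blob + 4), count = rd32(blob + 8), fid = rd32(blob + 12);
    if (off < HDR_LEN || off > len) return -3;                   /* reference outside blob */
    if (count > MAX_COUNT || count > (len - off) / 4) return -4; /* array would overrun blob */
    if (fid >= sizeof handlers / sizeof handlers[0]) return -5;  /* unknown handler id */
    *out = handlers[fid](blob + off, count);
    return 0;
}

/* Builds a blob in buf (needs HDR_LEN + 4*n bytes); returns its length. */
size_t build_blob(uint8_t *buf, uint32_t off, uint32_t n, uint32_t fid, const uint32_t *vals) {
    memcpy(buf, "FGUB", 4); wr32(buf + 4, off); wr32(buf + 8, n); wr32(buf + 12, fid);
    for (uint32_t i = 0; i < n; i++) wr32(buf + HDR_LEN + 4 * i, vals[i]);
    return HDR_LEN + 4 * (size_t)n;
}

/* Constructed sample: returns the handler result on success or the rejection code.
 * With bogus_off set, the reference field carries an absolute-address-looking
 * value instead of an offset, as the object in the advisory does. */
int demo(int bogus_off) {
    static const uint32_t vals[3] = { 1, 2, 3 };
    uint8_t buf[HDR_LEN + 12];
    size_t n = build_blob(buf, bogus_off ? 0x80000000u : HDR_LEN, 3, 0, vals);
    int r = 0, st = process_wire_obj(buf, n, &r);
    return st == 0 ? r : st;
}
```

The well-formed sample yields 6; the sample carrying an address-like reference is rejected with -3 before anything is dereferenced.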