

GnuPG signed message spoofing vulnerability

March 7, 2007

This article was contributed by Jake Edge.

An advisory about a problem in GNU Privacy Guard (GnuPG) would normally cause worries about an implementation flaw leading to insecurely encrypted data. Thankfully, this particular vulnerability does not fall into that category, and data encrypted using GnuPG is not at risk from it; it is, instead, a hole which allows attackers to spoof signatures. This vulnerability highlights an interesting interaction between GnuPG and the applications that use it. The flaw is not so much in how GnuPG does its work as in how it presents the results.

GnuPG is an implementation of the OpenPGP standard, which governs messages encrypted with public-key encryption. The standard is described in RFC 2440 and is descended from the original Pretty Good Privacy (PGP) program that Phil Zimmermann released (much to the chagrin of the US Government) in 1991. Many different mail programs use GnuPG (or the related GnuPG Made Easy (GPGME) library) to handle encrypted email; these programs include most open source email clients (KMail, Evolution, Thunderbird via the EnigMail plugin, mutt, etc.). All are vulnerable to the spoof, as is the gpg command-line tool, depending on how it is used.

One of the features of OpenPGP is digital signing of messages so that the recipient can ensure that the message they receive is the same as the one that was sent. It is this digital signature that is vulnerable to this attack: it can be spoofed, making it appear that unsigned text is covered by a valid signature. An attacker can insert malicious text into an existing message and have it appear to have been sent by the signer.

OpenPGP messages consist of a set of "packets" that correspond to different sections of a message (plaintext, encrypted, signature, compressed, ascii-armored, etc.). Taking two valid OpenPGP messages and concatenating them produces a longer, but still valid, OpenPGP message. The simplest way to exploit the flaw is to take a plaintext packet and add it to the front of a signed plaintext packet. If the user attempts to verify the message by invoking gpg < msgfile, they will see the contents of both of the plaintext packets followed by a statement that the signature was verified. Nothing in the output indicates the presence of two packets with different signature status.

If this were the only issue, there would be a relatively easy, but not completely satisfying, workaround: do not redirect stdin from a file when using gpg. When it is invoked as gpg msgfile, GnuPG writes each individual plaintext packet into a separate file and, depending on the filenames specified in the packet, the above example would either create two files or prompt asking whether to overwrite when it encounters the second packet. That prompt, or the presence of two files, might be enough to alert the observant user to an anomaly, but is hardly foolproof. Unfortunately, mail clients typically invoke gpg via the output end of a pipe, which allows them to be spoofed.

GnuPG does provide the --status-fd mode to prevent just this kind of attack by producing more status information on the specified file descriptor. The status information is not particularly user-friendly and might not alert a casual user to the spoof, but it certainly can be used by a program to detect the spoof. This is how GnuPG recommends that it be used by other programs, but the developers of many mail clients ignored that advice, with the result that their code is vulnerable. Normally this might be considered a problem for the mail client developers to solve, but the GnuPG team decided to make changes to GnuPG and GPGME to alleviate the problem.
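
The following Python example, added here and not taken from GnuPG, GPGME or any mail client, shows the kind of program-side check that --status-fd makes possible: it classifies the status lines and refuses to report a message as signed when more than one PLAINTEXT status line appears. The verdict names, the policy and the sample status lines are assumptions constructed for illustration, and it covers inline (non-detached) signatures only.

```python
# Added example: decide from gpg's --status-fd output whether the text gpg
# printed may be shown as signed. Policy and verdict names are assumptions.
PREFIX = "[GNUPG:] "
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Yield (keyword, args) for each status line; skip any other output."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def classify(status_text):
    """Return 'signed', 'unsigned', 'bad' or 'mixed' for an inline message."""
    plaintexts = good = bad = 0
    for keyword, _args in parse_status(status_text):
        if keyword == "PLAINTEXT":
            plaintexts += 1
        elif keyword == "GOODSIG":
            good += 1
        elif keyword in BAD:
            bad += 1
    if bad:
        return "bad"
    if plaintexts > 1:
        # Several plaintext packets in one stream: a good signature cannot be
        # assumed to cover everything on stdout, so never report "signed".
        return "mixed"
    if plaintexts == 1 and good:
        return "signed"
    return "unsigned"


# Constructed status output (placeholder key ID and user ID), not a capture.
SIG = "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
HONEST = "[GNUPG:] PLAINTEXT 62 1172800000 msg.txt\n" + SIG
SPOOFED = "[GNUPG:] PLAINTEXT 62 0 note.txt\n" + HONEST

if __name__ == "__main__":
    for name, sample in (("honest", HONEST), ("spoofed", SPOOFED)):
        print(name, "->", classify(sample))
```

A caller would display the text as signed only on the "signed" verdict and treat "mixed" as a verification failure.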

Updated versions of GnuPG will no longer process multiple messages in a single invocation, avoiding the mingling of packets with different signature status. GPGME has been changed to avoid the spoofing even when it is using a vulnerable version of GnuPG. It is likely that the various mail clients will need to be updated eventually as well because they may well rely on GnuPG to process multiple messages in a single pass. The mail clients may not correctly process all of the email types that they did in the past, but they will not be vulnerable to this kind of attack.

The advisory has a wealth of information about the flaw and various ways that it can be exploited; it is well worth a read for those interested. This is an interesting bug because it lives between the GnuPG software and its users (both human and program). The GnuPG developers could have pushed this off as a problem for those users, but took a more helpful approach. If the command-line version (gpg < msgfile) of the flaw did not exist, it seems possible that they would have chosen differently and the mail client development teams would instead be scrambling to release updates.


Brief items

The Month of PHP Bugs

The Month of PHP Bugs (March) has been announced. "This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability manag[e]ment process used by the PHP Security Response Team."


New vulnerabilities

GnuPG: unsigned data injection vulnerability

Package(s): gnupg
CVE #(s): CVE-2007-1263
Created: March 6, 2007
Updated: March 30, 2007
Description: Core Security Technologies has reported that GnuPG and GnuPG clients are vulnerable to an unsigned data injection vulnerability.
SuSE SUSE-SA:2007:024 gpg 2007-03-30
rPath rPSA-2007-0056-1 gnupg 2007-03-16
Red Hat RHSA-2007:0107-02 GnuPG 2007-03-14
Debian DSA-1266-1 gnupg 2007-03-13
Ubuntu USN-432-2 gnupg2, gpgme1.0 2007-03-13
Mandriva MDKSA-2007:059 gnupg 2006-03-08
Trustix TSLSA-2007-0009 gnupg, php4 2007-03-09
Ubuntu USN-432-1 gnupg 2007-03-08
Slackware SSA:2007-066-01 gnupg 2007-03-08
Red Hat RHSA-2007:0106-01 GnuPG 2007-03-06


mod_jk: stack overflow

Package(s): mod_jk
CVE #(s): CVE-2007-0774
Created: March 5, 2007
Updated: May 30, 2007
Description: A stack overflow flaw was found in the URI handler of mod_jk. A remote attacker could visit a carefully crafted URL being handled by mod_jk and trigger this flaw, which could lead to the execution of arbitrary code as the 'apache' user.
Gentoo 200703-16 mod_jk 2007-03-16
Red Hat RHSA-2007:0096-01 mod_jk 2007-03-02


mod_python: information disclosure

Package(s): libapache2-mod-python
CVE #(s): CVE-2004-2680
Created: March 7, 2007
Updated: March 8, 2007
Description: From the Ubuntu advisory: Miles Egan discovered that mod_python, when used in output filter mode, did not handle output larger than 16384 bytes, and would display freed memory, possibly disclosing private data.
rPath rPSA-2007-0051-1 mod_python 2007-03-07
Ubuntu USN-430-1 libapache2-mod-python 2007-03-06


snort: remote arbitrary code execution

Package(s): snort
CVE #(s): CVE-2006-5276
Created: March 2, 2007
Updated: September 7, 2007
Description: The Snort intrusion detection system is vulnerable to a buffer overflow in the DCE/RPC preprocessor code. Remote attackers can send specially crafted fragmented SMB or DCE/RPC packets which can be used to allow the remote execution of arbitrary code.
Fedora FEDORA-2007-2060 snort 2007-09-07
Gentoo 200703-01:02 snort 2007-02-23
Gentoo 200703-01 snort 2007-02-23


STLport: buffer overflows

Package(s): STLport
CVE #(s): CVE-2007-0803
Created: March 7, 2007
Updated: March 7, 2007
Description: STLport (prior to version 5.0.3) suffers from two remotely exploitable buffer overflows.
Gentoo 200703-07 STLport 2007-03-06


tcpdump: denial of service

Package(s): tcpdump
CVE #(s): CVE-2007-1218
Created: March 5, 2007
Updated: November 15, 2007
Description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
Red Hat RHSA-2007:0387-02 tcpdump 2007-11-15
Mandriva MDKSA-2007:155 tcpdump 2007-08-09
Debian DSA-1272-1 tcpdump 2007-03-22
Fedora FEDORA-2007-348 tcpdump 2007-03-15
Fedora FEDORA-2007-347 tcpdump 2007-03-15
Mandriva MDKSA-2007:056 tcpdump 2006-03-08
Ubuntu USN-429-1 tcpdump 2007-03-06
rPath rPSA-2007-0048-1 tcpdump 2007-03-03


util-linux: information disclosure

Package(s): util-linux
CVE #(s): CVE-2007-0822
Created: March 7, 2007
Updated: March 7, 2007
Description: Users can confuse util-linux by way of removable drives, leading to crashes and the possibility of information disclosure via the resulting core dumps.
Mandriva MDKSA-2007:053 util-linux 2006-03-06


wordpress: cross-site scripting

Package(s): wordpress
CVE #(s): CVE-2007-1049
Created: March 5, 2007
Updated: March 21, 2007
Description: A Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.
Gentoo 200703-23 wordpress 2007-03-20
Debian-Testing DTSA-34-1 wordpress 2007-03-03


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds