moqingsong
Forum moderator
  • Registered 2002-04-07
  • Last login 2011-02-03
  • Followers 0
  • Following 0
  • Points 74
  • Prestige 71
  • Contribution 0
  • Rating 10
  • Original-content score 0
  • Expert score 0
Views: 1319  Replies: 7

In early July 2002 they found a big bug in PGP.

Original post #
Posted: 2002-07-16 14:39
PBF (Pretty Big Flaw) in PGP
Associated Press
7:07 a.m. July 11, 2002 PDT
WASHINGTON -- The world's most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user's computer and, in some circumstances, unscramble messages.
The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.

  
 
 
The new vulnerability, discovered weeks ago by researchers at eEye Digital Security, does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft's Outlook e-mail program encrypt messages with a few mouse clicks.

Outlook itself has emerged as the world's standard for e-mail software, with tens of millions of users inside many of the world's largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them.

"It's not the number of people using PGP but the fact that they're using it because they're trying to safeguard their data," said Marc Maiffret, the eEye executive and researcher who discovered the problem. "Whatever the percentage is, it's very important data."

Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was "not totally obvious," even to trained researchers examining the software blueprints.

Network Associates of Santa Clara, California, which until February distributed both commercial and free versions of PGP, made available on its website a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions. The company's shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange.

Free versions of PGP are widely available on the World Wide Web.

The flaw allows a hacker to send a specially coded e-mail, which would appear as a blank message followed by an error warning and effectively seize control of the victim's computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person's secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult.

"You can do whatever you want: execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff," Maiffret said.

Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook's.

A plug-in for Microsoft's Outlook Express, a scaled-down version of Outlook, is not affected by the flaw.

Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but "makes it kind of a pain" to send encrypted e-mails, he said.

Zimmermann, in an interview, said PGP software is used "quite extensively" by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency.

In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages encrypted or not over the Internet, using the government's own secret networks instead.

"The only time the government would use PGP is when it's dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP," said Mark Rasch, a former U.S. prosecutor and expert on computer security. "It's hardly used on a routine basis."

Copyright © 2002 Associated Press




 
Press the "give points" button on the first post to award points.
moqingsong (Forum moderator)
Reply #1
Posted: 2002-07-16 14:41
Go download the patch.

[Edited - 7/16/02 by moqingsong]
moqingsong (Forum moderator)
Reply #2
Posted: 2002-07-16 14:45
Network Associates' stock only fell 50 cents.
fenger_li (Driver veteran)
Reply #3
Posted: 2002-07-16 20:17
Go download the patch.

[Edited - 7/16/02 by moqingsong]


I won't download it!

Heh heh!
Kind of interesting... heh heh!
moqingsong (Forum moderator)
Reply #4
Posted: 2002-07-17 00:12
[quote]Go download the patch.

[Edited - 7/16/02 by moqingsong]


I won't download it!

Heh heh! [/quote]
I don't use it.
James.Ji (Driver veteran)
Reply #5
Posted: 2002-07-17 08:45
Could some expert with spare time translate this?

Thanks!
When the cart reaches the mountain, there will be a road. A bit folksy, but it is the saying that resonates with me most.
moqingsong (Forum moderator)
Reply #6
Posted: 2002-07-17 09:51
The gist is that PGP's plug-in has a problem when installed on MS Outlook: someone can use it to gain control of the system. No problem has been found in PGP's algorithm yet.
NAI, the company, at first didn't want to fix this bug because the software is free and there is no money to be made, but their stock dipped a bit, so they had no choice but to fix it.
moqingsong (Forum moderator)
Reply #7
Posted: 2002-07-17 09:52
This is from the company that found the bug.
Remote PGP Outlook Encryption Plug-in Vulnerability

Release Date:
July 10, 2002

Severity:
High (Remote Code Execution)

Systems Affected:
NAI PGP Desktop Security 7.0.4
NAI PGP Personal Security 7.0.3
NAI PGP Freeware 7.0.3

Description:
The beer is still cold, the days are still long, the exploits still start as jokes (this time over a beer with a three letter agency) and as for the advisories... we'll just say: "All of your SCADA are belong to us". (If you do not get this quote, do not worry. And yes, the bad grammar is intentional.)

A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely execute code on any system that uses the NAI PGP Outlook plug-ins. By sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in.

This vulnerability can be exploited by the Outlook user simply selecting a "malicious" email, the opening of an attachment is not required. When the attack is performed against a target system, malicious code will be executed within the context of the user receiving the email. This can lead to the compromise of the target's machine, as well as their PGP encrypted communications. Also, it should be noted that because of the nature of the SMTP protocol this vulnerability can be exploited anonymously.

Technical Description/Exploitation:

By creating a malformed email we can overwrite a section of heap memory that contains various data. By overwriting this section of heap with valid addresses of an unused section in the PEB, which is the same across all NT systems, we can walk the email parsing and eventually get to something easily exploitable:

CALL DWORD PTR [ecx]

This pointer address references a function pointer list. At the time of exploitation, an attacker controlled buffer address is the first item on the stack. By overwriting the function pointer list pointer address with the address of an Import table, we can call any imported function. Our current stack will be passed into the function for parameter use. The first item on our stack is an address that points to attacker-controlled data.

By overwriting the address with the address of the SetUnhandledExceptionFilter() IAT entry, execution will redirect into this address when the default exception handler is called.

After returning from SetUnhandledExceptionFilter() PGP, Outlook will fail as it crawls back down the call stack. After cycling through the exception list it will call the DefaultExceptionFilter, which now contains the address of our code. This can also be exploited silently using frame reconstruction.

Due to the large size of a vulnerable email, we are not including an example in our advisory. We will be updating the research section of this website with a link to an example email.

Where do you want your secret key to go today?

Vendor Status:
NAI has worked quickly to safeguard customers against this vulnerability. They have released a patch for the latest versions of the PGP Outlook plug-in to protect systems from this flaw. Users can download the patch from:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Note: This issue does not affect PGP Corporate Desktop users.

Credit:
Discovery: Marc Maiffret
Exploitation: Riley Hassell

Greetings:
Kasia, and the hot photographer from Inc Magazine. Phil Zimmerman, the godfather of personal privacy - much respect.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
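The advisory above says the bug class is a message decoder that lets sender-controlled data spill over the body field into heap structures that the plug-in later trusts. The following is an added C example, not eEye's or NAI's code and not the plug-in's real layout: it models a decoded-message record as a fixed 16-byte body followed by a control word (a stand-in for the pointer the advisory describes), and places an unchecked decoder beside the hardened one. The record layout, the one-byte length-prefixed wire format, and the `CTRL_MAGIC` marker are all constructed for the demonstration; the point it makes is which check (declared length against destination capacity, before any byte is copied) keeps the control word intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not PGP's): a fixed-size body field followed
 * by a control word standing in for the heap metadata the advisory says
 * the plug-in dereferences after decoding. */
#define BODY_CAP   16
#define OFF_CTRL   BODY_CAP
#define REC_SIZE   (BODY_CAP + 4)
#define CTRL_MAGIC 0xC0DEC0DEu

typedef struct { unsigned char raw[REC_SIZE]; } msg_rec;

static void rec_init(msg_rec *r) {
    uint32_t m = CTRL_MAGIC;
    memset(r->raw, 0, REC_SIZE);
    memcpy(r->raw + OFF_CTRL, &m, sizeof m);
}

/* Read back the control word so a caller can tell whether decoding touched it. */
uint32_t rec_ctrl(const msg_rec *r) {
    uint32_t m;
    memcpy(&m, r->raw + OFF_CTRL, sizeof m);
    return m;
}

/* Constructed wire format: one length byte, then that many body bytes. */

/* Vulnerable pattern: the sender's length byte is trusted as the copy length,
 * so anything past BODY_CAP lands on the control word.  The loop is clamped
 * at REC_SIZE only to keep this demo inside defined memory; the real bug
 * class keeps writing into whatever follows on the heap. */
int decode_unchecked(msg_rec *r, const unsigned char *wire, size_t wire_len) {
    if (wire_len < 1) return -1;
    size_t len = wire[0];
    if (len > wire_len - 1) return -1;              /* truncated on the wire */
    for (size_t i = 0; i < len && i < REC_SIZE; i++)
        r->raw[i] = wire[1 + i];                    /* no check against BODY_CAP */
    return 0;
}

/* Hardened: the declared length is checked against both the bytes actually
 * present and the capacity of the destination field before any byte moves. */
int decode_checked(msg_rec *r, const unsigned char *wire, size_t wire_len) {
    if (wire_len < 1) return -1;
    size_t len = wire[0];
    if (len > wire_len - 1) return -1;              /* truncated on the wire */
    if (len > BODY_CAP) return -2;                  /* would spill into control data */
    memcpy(r->raw, wire + 1, len);
    return 0;
}

/* Harness: build a message whose body is `body_len` 'A' bytes, decode it
 * with one of the two decoders, and report the decoder's result plus the
 * control word afterwards. */
static int run(int checked, size_t body_len, uint32_t *ctrl_after_decode) {
    unsigned char wire[256];
    msg_rec r;
    if (body_len > 255) return -99;
    wire[0] = (unsigned char)body_len;
    memset(wire + 1, 'A', body_len);
    rec_init(&r);
    int rc = checked ? decode_checked(&r, wire, body_len + 1)
                     : decode_unchecked(&r, wire, body_len + 1);
    *ctrl_after_decode = rec_ctrl(&r);
    return rc;
}

int rc_after(int checked, size_t body_len) {
    uint32_t c;
    return run(checked, body_len, &c);
}

uint32_t ctrl_after(int checked, size_t body_len) {
    uint32_t c;
    run(checked, body_len, &c);
    return c;
}

/* A message whose length byte claims more bytes than were received. */
int rc_truncated_checked(void) {
    static const unsigned char wire[] = { 10, 'a', 'b' };   /* constructed */
    msg_rec r;
    rec_init(&r);
    return decode_checked(&r, wire, sizeof wire);
}

int main(void) {
    printf("unchecked, 20-byte body: rc=%d ctrl=0x%08x\n", rc_after(0, 20), (unsigned)ctrl_after(0, 20));
    printf("checked,   20-byte body: rc=%d ctrl=0x%08x\n", rc_after(1, 20), (unsigned)ctrl_after(1, 20));
    printf("checked,    5-byte body: rc=%d ctrl=0x%08x\n", rc_after(1, 5),  (unsigned)ctrl_after(1, 5));
    printf("checked, truncated wire: rc=%d\n", rc_truncated_checked());
    return 0;
}
```

With a 20-byte body the unchecked decoder reports success while the control word now reads 0x41414141, which is the state from which the advisory's "walk the email parsing" step proceeds; the checked decoder refuses the same message before copying and leaves the word untouched. The two length checks are independent: one guards against reading past the received bytes, the other against writing past the destination field, and the original flaw is in the second.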