GnuPG 验证绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109761 漏洞类型 设计错误
发布时间 2006-02-15 更新时间 2006-12-22
CVE编号 CVE-2006-0455 CNNVD-ID CNNVD-200602-203
漏洞平台 Linux CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/27231
https://www.securityfocus.com/bid/16663
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-203
|漏洞详情
GnuPG1.4.2.1版之前的gpgv在使用自动签名验证时会在特定情况下(即使分离签名文件没有包含签名)返回0退出代码,从而使使用gpgv的程序认为已顺利完成签名验证。注意:当运行类似的命令"gpg--verify"时也会出现这种情况。
|漏洞EXP
source: http://www.securityfocus.com/bid/16663/info

GnuPG is affected by a detached signature verification-bypass vulnerability because it fails to properly notify scripts that an invalid detached signature was presented and that the verification process has failed.

Exploiting this issue allows attackers to bypass the signature-verification process used in some automated scripts. Depending on the use of GnuPG, this may result in a false sense of security, the installation of malicious packages, the execution of attacker-supplied code, or other attacks.

An example demonstrating this issue was provided:

fortune >x.txt
perl -e 'print "\xca"x"64"' >x.txt.sig
gpgv x.txt.sig x.txt
echo $?

This creates a file as well as an obviously invalid detached signature file. The file is then successfully validated by 'gpgv', since the exit status is '0'.
|受影响的产品
Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu
|参考资料

来源:DEBIAN
名称:DSA-978
链接:http://www.us.debian.org/security/2006/dsa-978
来源:SLACKWARE
名称:SSA:2006-072-02
链接:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477
来源:BID
名称:16663
链接:http://www.securityfocus.com/bid/16663
来源:SUSE
名称:SUSE-SA:2006:009
链接:http://www.novell.com/linux/security/advisories/2006_09_gpg.html
来源:GENTOO
名称:GLSA-200602-10
链接:http://www.gentoo.org/security/en/glsa/glsa-200602-10.xml
来源:SECUNIA
名称:18968
链接:http://secunia.com/advisories/18968
来源:SECUNIA
名称:18956
链接:http://secunia.com/advisories/18956
来源:SECUNIA
名称:18955
链接:http://secunia.com/advisories/18955
来源:SECUNIA
名称:18942
链接:http://secunia.com/advisories/18942
来源:SECUNIA
名称:18934
链接:http://secunia.com/advisories/18934
来源:SECUNIA
名称:18933
链接:http://secunia.com/advisories/18933
来源:MLIST
名称:[gnupg-devel]20060215[Announce]FalsepositivesignatureverificationinGnuPG
链接:http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114&w=2
来源:MLIST
名称:[gnupg-devel]20060215[Announc