[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2016-4021: pgpdump 0.29 - Endless loop parsing specially crafted input (SYSS-2016-030)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-030
Product: pgpdump
Maintainer: Kazu Yamamoto
Affected Version(s): 0.29
Tested Version(s): 0.29
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Low
Solution Status: Fixed (in 0.30) 
Maintainer Notification: 2016-04-12
Solution Date: 2016-04-12
Public Disclosure: 2016-04-12
CVE Reference: CVE-2016-4021
Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"pgpdump" is a PGP packet visualizer which displays the packet format of 
OpenPGP (RFC 4880) and PGP version 2 (RFC 1991) (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When pgpdump is run on specially crafted input, a Denial-of-Service
condition occurs. The program runs with 100% CPU usage for an indefinite
amount of time.

This can be abused in scenarios where users can supply input to pgpdump,
e.g. in http://www.pgpdump.net/. The SySS GmbH believes that such a
scenario is rare.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The vulnerability can be reproduced by the following command:

$ echo -en '\xa3\x03' | ./pgpdump
Old: Compressed Data Packet(tag 8)
	Comp alg - BZip2(comp 3)
[ ... endless loop ...]

After issuing the command above, pgpdump 0.29 is running in an endless 
loop and consuming 100% CPU utilization. This happens because of missing
error and EOF checking in the function read_binary() in the C file
buffer.c.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The SySS GmbH provides the following patch which fixes the issue and was 
provided as pull request on github.com. [3]

$ git diff origin/master HEAD
diff --git a/buffer.c b/buffer.c
index 2cafc57..d7de94c 100644
- --- a/buffer.c
+++ b/buffer.c
@@ -81,8 +81,11 @@ line_not_blank(byte *s)
 private int
 read_binary(byte *p, unsigned int max)
 {
- -       /* errno */
- -       return fread(p, sizeof(byte), max, stdin);
+       size_t ret = fread(p, sizeof(byte), max, stdin);
+       if (feof(stdin) | ferror(stdin)) {
+               warn_exit("error in read_binary, maybe preliminary EOF?");
+       }
+       return ret;
 }
 
 private int

Furthermore, the maintainer Kazu Yamamoto was contacted via email.
The modified patch has been merged by him and this vulnerability is now
fixed in version 0.30.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-04-02: Vulnerability discovered
2016-04-12: Patch released by the SySS GmbH
2016-04-12: Vulnerability reported to the maintainer including patch
2016-04-13: Modified Patch merged by maintainer Kazu Yamamoto 
2016-04-15: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] GitHub repository of pgpdump
    https://github.com/kazu-yamamoto/pgpdump
[2] SySS GmbH, SYSS-2016-030
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt
[3] Pull Request on github
    https://github.com/kazu-yamamoto/pgpdump/pull/16 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Klaus Eisentraut of the SySS
GmbH.

E-Mail: klaus.eisentraut@xxxxxxx
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc
Key ID: 0xBAC677AE
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXEM/TAAoJENqwTbW6xneubBYQAJ1bQMH8wZvSE6nrK9oZA1gP
sqGP6ik+gLPHnAu+7cJGDC4UeMaWbOIreAD3USRPH4BM2x+tkONiuD4+WC8yITne
O95M1JknhJAAXBOXw+2aFAvZZrpqufW53gL0Lx7/9Vs4cyyVuc3xs8R087RRvLD6
0+RXSUEM8IcPVmDgunlyHz77/BmNq/eQf7s3XdJPRc+1r8nQUvIfSCPtuqkC7E2K
NzsoVNA7u9YAyZwPciP+u/NI+20sWbx8IvioD3UKXhySNCUbqErcl/mAED+3FlxP
6VSAN40IDfvte1+jNaIuWJWONF3NetopUIpdXhq8j1qh9xyvN2KRzcDAkpt79qNn
1kuiZkW80HGbnAt5AsAh64UfHxOsboFfBXt/1wD4dteVpbPZ8iVzXyYci4e2o7s1
+3W5ukXQxo/35R5FSIsrzuJycrbDgr7oPZqijupHCWT4kLSGYZWrhExkHyNFmhUO
j3nVj4Nx+civPSjQNlxhSxJguZ95DGuLJH8p1yn+HAmelq1J0h3U3AQkvnQecatF
GspvF/69sfUO56y8pYyag6E2WylfKHjUKd4te5D7hvxo1vKFxxUONIqZ+wpJtMKo
GMQAIMrRMm41WGCkNZjFd/ywDIbYueWRxmrpDpiweK/3YRK8EsuctHfSad7qMaW/
E03dkOxB6DvuqAFQjLTd
=5JJp
-----END PGP SIGNATURE-----