PGP远程缓冲区溢出及口令泄露漏洞

漏洞信息详情

PGP远程缓冲区溢出及口令泄露漏洞

• CNNVD编号：CNNVD-200210-155
• 危害等级： 高危
  
  
• CVE编号：
  CVE-2002-0850
  
• 漏洞类型：
  
  
  未知
  
• 发布时间：
  
  2002-09-04
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2006-09-22
  
• 厂        商：
  
  pgp
• 漏洞来源：
  Foundstone Labs※ l…

PGP(Pretty Good Privacy)是一款由Network Associates维护的加密应用程序，可使用在多种Linux、Unix和Microsoft Windows操作系统下。
PGP对长文件名缺少正确检查，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击者，导致以当前用户权限执行任意指令或者导致口令泄露。
PGP在加密或者解密一个带有超长文件名的文件时，可导致PGP崩溃，远程攻击者可以建立一个加密文件，发送给目标用户，当用户使用PGP处理时可能导致以用户进程的权限在系统上执行任意指令。
攻击者可以构建类似如下的文件名：
＜196 bytes＞＜eip＞＜9 bytes＞＜可读地址＞＜29 bytes＞
然后攻击者使用目标用户的公钥加密文件。在多数情况下，公钥一般包含使用PGP客户端软件的banner信息和相关的版本，这表示攻击者可以容易从PGP KEY服务器上找到受此漏洞影响的用户。
加密的档案可以通过Outlook附件形式发给目标用户，当用户打开长文件名的时候可导致缓冲区溢出发生。
在部分情况下，攻击者也可以在PGP被加密的恶意文件破坏后及在包含口令的内存被覆盖之前获得目标用户的口令。

临时解决方法：
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 暂时不要使用PGP加密文件。
厂商补丁：
Network Associates
——————
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

Network Associates PGP 5.0 i:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 5.0:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 5.5.3 i for Windows:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 5.5.5:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.0.2 i:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.0.2:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.5.1 i:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.5.3 i for Windows:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.5.3:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 6.5.8:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 7.0:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP Freeware 7.0.3:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 7.0.3:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 7.0.4:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP Corporate Desktop 7.1:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 7.1:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP Corporate Desktop 7.1.1:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

Network Associates PGP 7.1.1:

Network Associates Hotfix PGPhotfix_OutlookLFN_20020828.zip

http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip” target=”_blank”>
http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/PGPhotfix_OutlookLFN_20020828.zip

来源: BID
名称: 5656
链接:http://www.securityfocus.com/bid/5656

来源: XF
名称: pgp-long-filename-bo(10043)
链接:http://xforce.iss.net/xforce/xfdb/10043

来源: BUGTRAQ
名称: 20020906 Foundstone Labs Advisory – Remotely Exploitable Buffer Overflow in PGP
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=103133995920090&w=2

来源: download.nai.com
链接:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/ReadMe.txt

来源: VULNWATCH
名称: 20020905 Foundstone Labs Advisory – Remotely Exploitable Buffer Overflow in PGP
链接:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0106.html