SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Medium Risk Vulnerability in PGP Desktop


Arrow  SecurityAlert : 2203
Arrow  CVE : CVE-2007-0603
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : NGSSoftware Insight Security Research (nisr ngssoftware com)
Arrow  Published : 02.02.2007

Arrow  Affected Software : PGP Corporate Desktop 7.x
PGP Corporate Desktop 8.x
PGP Corporate Desktop 9.x



Arrow  Advisory Content :  

Peter Winter-Smith of NGSSoftware has discovered a medium risk
vulnerability
in PGP Desktop which can allow a remote authenticated attacker to execute
arbitrary code on a system on which PGP Desktop is installed.

The vulnerability resides within the Windows Service which PGP Desktop
installs (which operates under the Local System account), and as such it
may
be used by any local or remote user (who must be a member of at least the
Everyone/ANONYMOUS LOGON groups) to run code with escalated privileges.
NGS
have not been able to exploit this issue in the context of a NULL session.

The details of this issue are as follows:

PGP Desktop installs a service (PGPServ.exe/PGPsdkServ.exe) which exposes
a
named pipe 'pipepgpserv' (or 'pipepgpsdkserv' for the PGPsdkServ.exe
instance). This pipe is the endpoint for an RPC interface
(uuid:15cd3850-28ca-11ce-a4e8-00aa006116cb) which takes the following
format:

[ uuid(15cd3850-28ca-11ce-a4e8-00aa006116cb),
version(1.0),
implicit_handle(handle_t rpc_binding)
] interface pgpsdkserv
{
error_status_t Function_00(
[in] /* [ignore] void * */ long element_1
);

typedef struct {
long element_2;
[size_is(element_2)] [unique] byte *element_3;
} TYPE_1;

error_status_t Function_01(
[in] /* [ignore] void * */ long element_4,
[in] [size_is(element_6)] byte element_5[*],
[in] long element_6,
[in] long element_7,
[out] [ref] TYPE_1 *element_8
);
}

This interface is used to marshall various objects and information between
PGP clients (PGP.dll/PGPsdk.dll) and the PGP service.

The vulnerability occurs as a result of the fact that the code responsible
for processing the objects which are passed over the interface to the
service does not perform any kind of validation on these objects, and
instead trusts that object data is completely safe in the form that it is
received (i.e., absolute pointers are trusted without validation).

NGS have discovered that if the following object is passed over the
interface as the second parameter to function ordinal 1, an absolute
pointer
is trusted and executed - easily facilitating arbitrary code execution
inside of the PGP service process:

/*

structure passed over rpc:
struct {
DWORD **pprgMM; // set as absolute pointer to dwUnknown_1
DWORD dwUnknown_1; // set as absolute pointer to 'rgMM'
DWORD dwCount; // set to value 0
DWORD dwFGUB_signature; // set to value 'FGUB'
DWORD dwUnknown_2; // set to value 'rgMM'
DWORD dwUnknown_3;
DWORD dwUnknown_4;
DWORD dwUnknown_5;
DWORD dwUnknown_6;
PBYTE pbFunction; // set to absolute address of shellcode
// etc...
};

*/

This issue has been resolved as of PGP Desktop 9.5.1 and NGS recommend
that
all users download the updated version from the PGP website:

http://www.pgp.com/

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.