pgpdump 0.29 Endless Loop

Risk: Low
Local: Yes
Remote: No

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-030 Product: pgpdump Maintainer: Kazu Yamamoto Affected Version(s): 0.29 Tested Version(s): 0.29 Vulnerability Type: Improper Input Validation (CWE-20) Risk Level: Low Solution Status: Fixed (in 0.30) Maintainer Notification: 2016-04-12 Solution Date: 2016-04-12 Public Disclosure: 2016-04-12 CVE Reference: CVE-2016-4021 Author of Advisory: Klaus Eisentraut, SySS GmbH, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: "pgpdump" is a PGP packet visualizer which displays the packet format of OpenPGP (RFC 4880) and PGP version 2 (RFC 1991) (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When pgpdump is run on specially crafted input, a Denial-of-Service condition occurs. The program runs with 100% CPU usage for an indefinite amount of time. This can be abused in scenarios where users can supply input to pgpdump, e.g. in The SySS GmbH believes that such a scenario is rare. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The vulnerability can be reproduced by the following command: $ echo -en '\xa3\x03' | ./pgpdump Old: Compressed Data Packet(tag 8) Comp alg - BZip2(comp 3) [ ... endless loop ...] After issuing the command above, pgpdump 0.29 is running in an endless loop and consuming 100% CPU utilization. This happens because of missing error and EOF checking in the function read_binary() in the C file buffer.c. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The SySS GmbH provides the following patch which fixes the issue and was provided as pull request on [3] $ git diff origin/master HEAD diff --git a/buffer.c b/buffer.c index 2cafc57..d7de94c 100644 - --- a/buffer.c +++ b/buffer.c @@ -81,8 +81,11 @@ line_not_blank(byte *s) private int read_binary(byte *p, unsigned int max) { - - /* errno */ - - return fread(p, sizeof(byte), max, stdin); + size_t ret = fread(p, sizeof(byte), max, stdin); + if (feof(stdin) | ferror(stdin)) { + warn_exit("error in read_binary, maybe preliminary EOF?"); + } + return ret; } private int Furthermore, the maintainer Kazu Yamamoto was contacted via email. The modified patch has been merged by him and this vulnerability is now fixed in version 0.30. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-04-02: Vulnerability discovered 2016-04-12: Patch released by the SySS GmbH 2016-04-12: Vulnerability reported to the maintainer including patch 2016-04-13: Modified Patch merged by maintainer Kazu Yamamoto 2016-04-15: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] GitHub repository of pgpdump [2] SySS GmbH, SYSS-2016-030 [3] Pull Request on github ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Klaus Eisentraut of the SySS GmbH. E-Mail: Public Key: Key ID: 0xBAC677AE Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXEM/TAAoJENqwTbW6xneubBYQAJ1bQMH8wZvSE6nrK9oZA1gP sqGP6ik+gLPHnAu+7cJGDC4UeMaWbOIreAD3USRPH4BM2x+tkONiuD4+WC8yITne O95M1JknhJAAXBOXw+2aFAvZZrpqufW53gL0Lx7/9Vs4cyyVuc3xs8R087RRvLD6 0+RXSUEM8IcPVmDgunlyHz77/BmNq/eQf7s3XdJPRc+1r8nQUvIfSCPtuqkC7E2K NzsoVNA7u9YAyZwPciP+u/NI+20sWbx8IvioD3UKXhySNCUbqErcl/mAED+3FlxP 6VSAN40IDfvte1+jNaIuWJWONF3NetopUIpdXhq8j1qh9xyvN2KRzcDAkpt79qNn 1kuiZkW80HGbnAt5AsAh64UfHxOsboFfBXt/1wD4dteVpbPZ8iVzXyYci4e2o7s1 +3W5ukXQxo/35R5FSIsrzuJycrbDgr7oPZqijupHCWT4kLSGYZWrhExkHyNFmhUO j3nVj4Nx+civPSjQNlxhSxJguZ95DGuLJH8p1yn+HAmelq1J0h3U3AQkvnQecatF GspvF/69sfUO56y8pYyag6E2WylfKHjUKd4te5D7hvxo1vKFxxUONIqZ+wpJtMKo GMQAIMrRMm41WGCkNZjFd/ywDIbYueWRxmrpDpiweK/3YRK8EsuctHfSad7qMaW/ E03dkOxB6DvuqAFQjLTd =5JJp -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top