Medium Risk Vulnerability in PGP Desktop
January 26th, 2007Peter Winter-Smith of NGSSoftware has discovered a medium risk vulnerability in PGP Desktop which can allow a remote authenticated attacker to execute arbitrary code on a system on which PGP Desktop is installed.
The vulnerability resides within the Windows Service which PGP Desktop installs (which operates under the Local System account), and as such it may be used by any local or remote user (who must be a member of at least the Everyone/ANONYMOUS LOGON groups) to run code with escalated privileges. NGSSoftware have not been able to exploit this issue in the context of a NULL session.
The details of this issue are as follows:
PGP Desktop installs a service (PGPServ.exe/PGPsdkServ.exe) which exposes a named pipe ‘\pipe\pgpserv’ (or ‘\pipe\pgpsdkserv’ for the PGPsdkServ.exe instance). This pipe is the endpoint for an RPC interface (uuid:15cd3850-28ca-11ce-a4e8-00aa006116cb) which takes the following format:
[ uuid(15cd3850-28ca-11ce-a4e8-00aa006116cb),
version(1.0),
implicit_handle(handle_t rpc_binding)
] interface pgpsdkserv
{
error_status_t Function_00(
[in] /* [ignore] void * */ long element_1
);
typedef struct {
long element_2;
[size_is(element_2)] [unique] byte *element_3;
} TYPE_1;
error_status_t Function_01(
[in] /* [ignore] void * */ long element_4,
[in] [size_is(element_6)] byte element_5[*],
[in] long element_6,
[in] long element_7,
[out] [ref] TYPE_1 *element_8
);
}
This interface is used to marshall various objects and information between PGP clients (PGP.dll/PGPsdk.dll) and the PGP service.
The vulnerability occurs as a result of the fact that the code responsible for processing the objects which are passed over the interface to the service does not perform any kind of validation on these objects, and instead trusts that object data is completely safe in the form that it is received (i.e., absolute pointers are trusted without validation).
NGSSoftware have discovered that if the following object is passed over the interface as the second parameter to function ordinal 1, an absolute pointer is trusted and executed - easily facilitating arbitrary code execution inside of the PGP service process:
/*
structure passed over rpc:
struct {
DWORD **pprgMM; // set as absolute pointer to dwUnknown_1
DWORD dwUnknown_1; // set as absolute pointer to ‘rgMM’
DWORD dwCount; // set to value 0
DWORD dwFGUB_signature; // set to value ‘FGUB’
DWORD dwUnknown_2; // set to value ‘rgMM’
DWORD dwUnknown_3;
DWORD dwUnknown_4;
DWORD dwUnknown_5;
DWORD dwUnknown_6;
PBYTE pbFunction; // set to absolute address of shellcode
// etc…
};
*/
This issue has been resolved as of PGP Desktop 9.5.1 and NGSSoftware recommends that all users download the updated version from the PGP website:
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
