Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING
From: thesinoda@xxxxxxxxxxx
Date: 27 May 2006 17:00:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

This to answer Mr Jon Callas (PGP CTO) and to show him the last 
proof-of-concept. If he did not get it we consider we have done our part to 
report a BIG problem in PGP unless this is some kinda of HIDDEN features.

--Adonis, Abed Comments--
We do not agree with some of PGP comments. 

We do not know why they just see one side of the coin.

What if you had  created a virtual disk  and give that to  someone. That someone
use it as his/her own disk and  decided to change the password because they  own
the disk  now (You  give them  to them  with the  pass). So  they did change the
passowrd, but the originator  can still access that  disk if he/she replace  the
passphrase  bytes in  the binary  file. So  I consider  this an  attack on  data
INTEGRITY and  data AVAILABILITY since the legitimate user will be denied access
to the disk after replacing the passphrase bytes.

"why you do not want to see that your password verification can be simply 
bypassed, besides a reputable co. like PGP should at least put anti-debugging 
tweaks, or even encrypt/hide the passphrase location"

To pgp, your authentication can be bypassed, even if you have created two
different .sda file with two different content. the authentication can be
overwritten and the file can be extracted if you use a debugger if you do not
use a debugger you will be able to just bypass the authentication but without
extraction. why don't you see that mr. jon? instead of bitching and stuff? why
cannot you be professional and just explain fact after you do your home work
with a nice debugger.? is that to much asking, I think we are talking among
human and adults no?.

We think Mr. Jon (PGP) should play this flash video SLOW REAL SLOW.

http://www.safehack.com/Advisory/pgp/answerjon.html

PGP comments: http://www.securityfocus.com/archive/1/435155 

Quote from Mr Jon comments: "For completeness, I'll note that we are discussing
whether we should add in a warning dialog to the passphrase change on a PGP
Disk, to tell the user that an attacker who has learned an old passphrase, has
an old disk and a hex editor can patch the disk so that it can be opened. On the
one hand, this might be a good thing to do". 

So if Mr Jon does not see the problem why they are talking about adding a
message box?. Why the passphrase location is not hidden? etc. I still see this
as INTEGRITY and AVAILABILITY attacks on PGP. I do not think it is normal
behavior of an encryption application to reveal it is passphrase location and I
do not see bypassing the passphrase dialog-box as Feature either.

 

Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING THE 
BINARY FILE EVEN.

This Flash video is dedicated to Mr. Jon Callas (PGP CTO, CSO).
http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html
http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html

We had reported that PGP Authentication can be bypassed by patching the binary 
file. After reading Mr. Jon Callas NON PROFESSIONAL answer, me and abed decided 
to show him that is not true. By using a SIMPLE Debugger PGP Authentication can 
be bypassed.

Here is Mr Jon Callas Comments http://www.securityfocus.com/archive/1/435155 
Summing up, we are disappointed that for whatever reasons, we were not 
contacted 
about this research before it was put on the web and posted on bugtraq. Had we 
been contacted, we could discuss this in private rather than have to air the 
details of this misunderstanding in a public forum. I am truly sorry for the 
sake of the Information Security Institute of Quebec and its staff that this 
complex issue has turned into a public brouhaha.

We load the file in the debugger and set the break points then we start by 
hitting F9 we will see the password dialog we enter ANY password here. When it 
stop at 00409797 Hit F9 6 times You see 

on 00405D70 |. E8 4FFBFFFF CALL a_sda.004058C4
we hit 6 times F9
A break point should be set on 00405D70 to see this.

After running the sda in olly we end up here. We hit F9 couples of time then we 
change ESI EDI
ON 00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>; 

We see the stack values
ECX=00000002 (decimal 2.)
DS:[ESI]=stack [00BBF68C]=DC3F5C82 <-- IF WE ENTER A BAD PASSWORD THESE WONT BE 
THE SAME
ES:[EDI]=stack [00BBFF98]=DC3F5C82 EQUAL... WE JUST MAKE THEM EQUAL THEN 
CONTINUE THE QUEST. 

AT THIS POINT PGP Authentication is bypassed.

I hope that help Mr. Jon (PGP) seeing the problem. Again Mr Jon Bitching does 
not help you fixing your products.

-- End Comment--


Peace

Follow-Ups:
- Re: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING
  - From: Andreas Beck

Prev by Date: Re: On the Recent PGP and Truecrypt Posting
Next by Date: RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.
Previous by thread: D-Link DSA-3100 Cross-Site Scripting
Next by thread: Re: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING
Index(es):
- Date
- Thread