diff options
Diffstat (limited to 'docs/NOTES-python-gnupg-3.1-audit.html')
-rw-r--r-- | docs/NOTES-python-gnupg-3.1-audit.html | 946 |
1 files changed, 946 insertions, 0 deletions
diff --git a/docs/NOTES-python-gnupg-3.1-audit.html b/docs/NOTES-python-gnupg-3.1-audit.html new file mode 100644 index 0000000..fbd6e0d --- /dev/null +++ b/docs/NOTES-python-gnupg-3.1-audit.html @@ -0,0 +1,946 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> +<head> +<title>python-gnupg audit</title> +<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"/> +<meta name="title" content="python-gnupg audit"/> +<meta name="generator" content="Org-mode"/> +<meta name="generated" content="2013-02-01 Fri"/> +<meta name="author" content="isis"/> +<meta name="description" content=""/> +<meta name="keywords" content=""/> +<style type="text/css"> + <!--/*--><![CDATA[/*><!--*/ + html { font-family: Times, serif; font-size: 12pt; } + .title { text-align: center; } + .todo { color: red; } + .done { color: green; } + .tag { background-color: #add8e6; font-weight:normal } + .target { } + .timestamp { color: #bebebe; } + .timestamp-kwd { color: #5f9ea0; } + .right {margin-left:auto; margin-right:0px; text-align:right;} + .left {margin-left:0px; margin-right:auto; text-align:left;} + .center {margin-left:auto; margin-right:auto; text-align:center;} + p.verse { margin-left: 3% } + pre { + border: 1pt solid #AEBDCC; + background-color: #F3F5F7; + padding: 5pt; + font-family: courier, monospace; + font-size: 90%; + overflow:auto; + } + table { border-collapse: collapse; } + td, th { vertical-align: top; } + th.right { text-align:center; } + th.left { text-align:center; } + th.center { text-align:center; } + td.right { text-align:right; } + td.left { text-align:left; } + td.center { text-align:center; } + dt { font-weight: bold; } + div.figure { padding: 0.5em; } + div.figure p { text-align: center; } + div.inlinetask { + padding:10px; + border:2px solid gray; + margin:10px; + background: #ffffcc; + } + textarea { overflow-x: auto; } + .linenr { font-size:smaller } + .code-highlighted {background-color:#ffff00;} + .org-info-js_info-navigation { border-style:none; } + #org-info-js_console-label { font-size:10px; font-weight:bold; + white-space:nowrap; } + .org-info-js_search-highlight {background-color:#ffff00; color:#000000; + font-weight:bold; } + /*]]>*/--> +</style> +<script type="text/javascript"> +/* +@licstart The following is the entire license notice for the +JavaScript code in this tag. + +Copyright (C) 2012 Free Software Foundation, Inc. + +The JavaScript code in this tag is free software: you can +redistribute it and/or modify it under the terms of the GNU +General Public License (GNU GPL) as published by the Free Software +Foundation, either version 3 of the License, or (at your option) +any later version. The code is distributed WITHOUT ANY WARRANTY; +without even the implied warranty of MERCHANTABILITY or FITNESS +FOR A PARTICULAR PURPOSE. See the GNU GPL for more details. + +As additional permission under GNU GPL version 3 section 7, you +may distribute non-source (e.g., minimized or compacted) forms of +that code without the copy of the GNU GPL normally required by +section 4, provided you include this license notice and a URL +through which recipients can access the Corresponding Source. + + +@licend The above is the entire license notice +for the JavaScript code in this tag. +*/ +<!--/*--><![CDATA[/*><!--*/ + function CodeHighlightOn(elem, id) + { + var target = document.getElementById(id); + if(null != target) { + elem.cacheClassElem = elem.className; + elem.cacheClassTarget = target.className; + target.className = "code-highlighted"; + elem.className = "code-highlighted"; + } + } + function CodeHighlightOff(elem, id) + { + var target = document.getElementById(id); + if(elem.cacheClassElem) + elem.className = elem.cacheClassElem; + if(elem.cacheClassTarget) + target.className = elem.cacheClassTarget; + } +/*]]>*///--> +</script> + +</head> +<body> + +<div id="preamble"> + +</div> + +<div id="content"> +<h1 class="title">python-gnupg audit</h1> + +<p> <span class="timestamp-wrapper"> <span class="timestamp">2013-02-01 Fri</span></span><br/> +</p> + +<div id="table-of-contents"> +<h2>Table of Contents</h2> +<div id="text-table-of-contents"> +<ul> +<li><a href="#sec-1">1 gnugp._<sub>main</sub>_<sub>()</sub></a> +<ul> +<li><a href="#sec-1-1">1.1 comments</a></li> +<li><a href="#sec-1-2">1.2 def <sub>copy</sub><sub>data</sub>(instream, outstream)</a> +<ul> +<li><a href="#sec-1-2-1">1.2.1 L79:</a></li> +<li><a href="#sec-1-2-2">1.2.2 L78:</a></li> +<li><a href="#sec-1-2-3">1.2.3 L88:</a></li> +</ul> +</li> +<li><a href="#sec-1-3">1.3 def <sub>threaded</sub><sub>copy</sub><sub>data</sub>(instream, outstream):</a> +<ul> +<li><a href="#sec-1-3-1">1.3.1 L99:</a></li> +</ul> +</li> +<li><a href="#sec-1-4">1.4 def <sub>write</sub><sub>passphrase</sub>(stream, passphrase, encoding):</a> +<ul> +<li><a href="#sec-1-4-1">1.4.1 L110:</a></li> +</ul></li> +</ul> +</li> +<li><a href="#sec-2">2 class Verify(object)</a></li> +<li><a href="#sec-3">3 class ImportResult(object)</a></li> +<li><a href="#sec-4">4 class ListKeys(list):</a></li> +<li><a href="#sec-5">5 class Crypt(Verify):</a> +<ul> +<li><a href="#sec-5-1">5.1 def _<sub>init</sub>_<sub>(self, gpg)</sub></a> +<ul> +<li><a href="#sec-5-1-1">5.1.1 L338</a></li> +</ul></li> +</ul> +</li> +<li><a href="#sec-6">6 class GenKey(object)</a></li> +<li><a href="#sec-7">7 class DeleteResult(object)</a></li> +<li><a href="#sec-8">8 class Sign(object)</a></li> +<li><a href="#sec-9">9 class GPG(object)</a> +<ul> +<li> +<ul> +<li><a href="#sec-9-1">9.1 L474:</a></li> +</ul> +</li> +<li><a href="#sec-9-1">9.1 def _<sub>init</sub>_<sub>(self, gpgbinary='gpg', gnupghome=None, verbose=False, use<sub>agent</sub>=False, keyring=None)</sub></a> +<ul> +<li><a href="#sec-9-1-1">9.1.1 L494-495:</a></li> +</ul> +</li> +<li><a href="#sec-9-2">9.2 def <sub>open</sub><sub>subprocess</sub>(self, args, passphrase=False)</a> +<ul> +<li><a href="#sec-9-2-1">9.2.1 L515:</a></li> +</ul> +</li> +<li><a href="#sec-9-3">9.3 def <sub>collect</sub><sub>output</sub>(self, process, result, writer=None, stdin=None)</a></li> +<li><a href="#sec-9-4">9.4 def <sub>handle</sub><sub>io</sub>(self, args, file, result, passphrase=None, binary=False)</a> +<ul> +<li><a href="#sec-9-4-1">9.4.1 L601:</a></li> +</ul> +</li> +<li><a href="#sec-9-5">9.5 def sign(self, message, **kwargs)</a> +<ul> +<li><a href="#sec-9-5-1">9.5.1 L617-619:</a></li> +</ul> +</li> +<li><a href="#sec-9-6">9.6 def sign<sub>file</sub>(self, file, keyid=None, passphrase=None, clearsign=True, detach=False, binary=False)</a> +<ul> +<li><a href="#sec-9-6-1">9.6.1 L632-635:</a></li> +<li><a href="#sec-9-6-2">9.6.2 L626-641:</a></li> +</ul> +</li> +<li><a href="#sec-9-7">9.7 def verify(self, data):</a> +<ul> +<li><a href="#sec-9-7-1">9.7.1 L668-670:</a></li> +</ul> +</li> +<li><a href="#sec-9-8">9.8 def verify<sub>file</sub>(self, file, data<sub>filename</sub>=None)</a> +<ul> +<li><a href="#sec-9-8-1">9.8.1 L683:</a></li> +<li><a href="#sec-9-8-2">9.8.2 L684:</a></li> +<li><a href="#sec-9-8-3">9.8.3 L690:</a></li> +</ul> +</li> +<li><a href="#sec-9-9">9.9 def import<sub>keys</sub>(self, key<sub>data</sub>)</a> +<ul> +<li><a href="#sec-9-9-1">9.9.1 L749:</a></li> +</ul> +</li> +<li><a href="#sec-9-10">9.10 def recieve<sub>keys</sub>(self, keyserver, *keyids)</a> +<ul> +<li><a href="#sec-9-10-1">9.10.1 L770:</a></li> +</ul> +</li> +<li><a href="#sec-9-11">9.11 def export<sub>keys</sub>(self, keyids, secret=False)</a> +<ul> +<li><a href="#sec-9-11-1">9.11.1 L795-796:</a></li> +</ul> +</li> +<li><a href="#sec-9-12">9.12 def list<sub>keys</sub>(self, secret=False)</a> +<ul> +<li><a href="#sec-9-12-1">9.12.1 L827:</a></li> +</ul> +</li> +<li><a href="#sec-9-13">9.13 def gen<sub>key</sub>(self, input)</a> +<ul> +<li><a href="#sec-9-13-1">9.13.1 L864:</a></li> +</ul> +</li> +<li><a href="#sec-9-14">9.14 def gen<sub>key</sub><sub>input</sub>(self, **kwargs)</a> +<ul> +<li><a href="#sec-9-14-1">9.14.1 L981-983:</a></li> +</ul> +</li> +<li><a href="#sec-9-15">9.15 def encrypt<sub>file</sub>(self, file, recipiencts, sign=None, …)</a> +<ul> +<li><a href="#sec-9-15-1">9.15.1 L939:</a></li> +</ul> +</li> +<li><a href="#sec-9-16">9.16 def encrypt(self, data, recipients, **kwargs):</a> +<ul> +<li><a href="#sec-9-16-1">9.16.1 L997:</a></li> +</ul> +</li> +<li><a href="#sec-9-17">9.17 def decrypt(self, message **kwargs):</a> +<ul> +<li><a href="#sec-9-17-1">9.17.1 L1003:</a></li> +</ul> +</li> +<li><a href="#sec-9-18">9.18 def decrypt<sub>file</sub>(self, file, always<sub>trust</sub>=False, passphrase=None, output=None)</a> +<ul> +<li><a href="#sec-9-18-1">9.18.1 L1013:</a></li> +</ul></li> +</ul> +</li> +<li><a href="#sec-10">10 POC</a></li> +</ul> +</div> +</div> + +<div id="outline-container-1" class="outline-2"> +<h2 id="sec-1"><span class="section-number-2">1</span> gnugp._<sub>main</sub>_<sub>()</sub></h2> +<div class="outline-text-2" id="text-1"> + + +</div> + +<div id="outline-container-1-1" class="outline-3"> +<h3 id="sec-1-1"><span class="section-number-3">1.1</span> comments</h3> +<div class="outline-text-3" id="text-1-1"> + +<p>L58 NullHandler?? see self.<sub>write</sub><sub>passphrase</sub> +L61 there nifty check for p3k +</p></div> + +</div> + +<div id="outline-container-1-2" class="outline-3"> +<h3 id="sec-1-2"><span class="section-number-3">1.2</span> def <sub>copy</sub><sub>data</sub>(instream, outstream) <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-1-2"> + +<p> copies data from one stream to another, 1024 bytes at a time. +</p> +</div> + +<div id="outline-container-1-2-1" class="outline-4"> +<h4 id="sec-1-2-1"><span class="section-number-4">1.2.1</span> L79: <span class="tag"><span class="bad_logic">bad_logic</span></span></h4> +<div class="outline-text-4" id="text-1-2-1"> + +<p> instream is apparently a file descriptor, but is not checked nor + encased in a try/except block. +</p> +</div> + +</div> + +<div id="outline-container-1-2-2" class="outline-4"> +<h4 id="sec-1-2-2"><span class="section-number-4">1.2.2</span> L78: <span class="tag"><span class="hanging_fd">hanging_fd</span> <span class="bad_logic">bad_logic</span></span></h4> +<div class="outline-text-4" id="text-1-2-2"> + +<p> while True: loop, should be +</p><pre class="example"> +with open(instream) as instrm: +</pre> + +</div> + +</div> + +<div id="outline-container-1-2-3" class="outline-4"> +<h4 id="sec-1-2-3"><span class="section-number-4">1.2.3</span> L88: <span class="tag"><span class="bad_exception_handling">bad_exception_handling</span></span></h4> +<div class="outline-text-4" id="text-1-2-3"> + +<pre class="example"> +except: +</pre> + +<p> should catch an IOError, or whatever specific error is raised for broken + pipes. +</p></div> +</div> + +</div> + +<div id="outline-container-1-3" class="outline-3"> +<h3 id="sec-1-3"><span class="section-number-3">1.3</span> def <sub>threaded</sub><sub>copy</sub><sub>data</sub>(instream, outstream):</h3> +<div class="outline-text-3" id="text-1-3"> + + +</div> + +<div id="outline-container-1-3-1" class="outline-4"> +<h4 id="sec-1-3-1"><span class="section-number-4">1.3.1</span> L99:</h4> +<div class="outline-text-4" id="text-1-3-1"> + +<p> this just wraps self.<sub>copy</sub><sub>data</sub> in a thread +</p></div> +</div> + +</div> + +<div id="outline-container-1-4" class="outline-3"> +<h3 id="sec-1-4"><span class="section-number-3">1.4</span> def <sub>write</sub><sub>passphrase</sub>(stream, passphrase, encoding): <span class="tag"><span class="vuln">vuln</span> <span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-1-4"> + + +</div> + +<div id="outline-container-1-4-1" class="outline-4"> +<h4 id="sec-1-4-1"><span class="section-number-4">1.4.1</span> L110: <span class="tag"><span class="writes_passphrase_to_disk">writes_passphrase_to_disk</span></span></h4> +<div class="outline-text-4" id="text-1-4-1"> + +<p> logger writes passphrase into debug log. this should be patched. +</p></div> +</div> +</div> + +</div> + +<div id="outline-container-2" class="outline-2"> +<h2 id="sec-2"><span class="section-number-2">2</span> class Verify(object)</h2> +<div class="outline-text-2" id="text-2"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-3" class="outline-2"> +<h2 id="sec-3"><span class="section-number-2">3</span> class ImportResult(object)</h2> +<div class="outline-text-2" id="text-3"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-4" class="outline-2"> +<h2 id="sec-4"><span class="section-number-2">4</span> class ListKeys(list):</h2> +<div class="outline-text-2" id="text-4"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-5" class="outline-2"> +<h2 id="sec-5"><span class="section-number-2">5</span> class Crypt(Verify):</h2> +<div class="outline-text-2" id="text-5"> + +<p> basic parsing class, no errors found +</p> +</div> + +<div id="outline-container-5-1" class="outline-3"> +<h3 id="sec-5-1"><span class="section-number-3">5.1</span> def _<sub>init</sub>_<sub>(self, gpg)</sub> <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-5-1"> + + +</div> + +<div id="outline-container-5-1-1" class="outline-4"> +<h4 id="sec-5-1-1"><span class="section-number-4">5.1.1</span> L338 <span class="tag"><span class="mro_conflict">mro_conflict</span></span></h4> +<div class="outline-text-4" id="text-5-1-1"> + + + + + +<pre class="src src-python">Verify.__init__(<span style="color: #00cdcd; font-weight: bold;">self</span>,gpg) +</pre> + + +<p> + should be changed to: +</p> + + + +<pre class="src src-python"><span style="color: #0000ee; font-weight: bold;">super</span>(Verify, <span style="color: #00cdcd; font-weight: bold;">self</span>).__init__(gpg) +</pre> + +</div> +</div> +</div> + +</div> + +<div id="outline-container-6" class="outline-2"> +<h2 id="sec-6"><span class="section-number-2">6</span> class GenKey(object)</h2> +<div class="outline-text-2" id="text-6"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-7" class="outline-2"> +<h2 id="sec-7"><span class="section-number-2">7</span> class DeleteResult(object)</h2> +<div class="outline-text-2" id="text-7"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-8" class="outline-2"> +<h2 id="sec-8"><span class="section-number-2">8</span> class Sign(object)</h2> +<div class="outline-text-2" id="text-8"> + +<p> basic parsing class, no errors found +</p></div> + +</div> + +<div id="outline-container-9" class="outline-2"> +<h2 id="sec-9"><span class="section-number-2">9</span> class GPG(object) <span class="tag"><span class="exploitable">exploitable</span></span></h2> +<div class="outline-text-2" id="text-9"> + + +</div> + +<div id="outline-container-9-1" class="outline-4"> +<h4 id="sec-9-1"><span class="section-number-4">9.1</span> L474: <span class="tag"><span class="cleanup">cleanup</span></span></h4> +<div class="outline-text-4" id="text-9-1"> + +<pre class="example"> +cls.__doc__ +</pre> + +<p> should go directly underneath class signature +</p></div> + +</div> + +<div id="outline-container-9-1" class="outline-3"> +<h3 id="sec-9-1"><span class="section-number-3">9.1</span> def _<sub>init</sub>_<sub>(self, gpgbinary='gpg', gnupghome=None, verbose=False, use<sub>agent</sub>=False, keyring=None)</sub> <span class="tag"><span class="bug">bug</span></span></h3> +<div class="outline-text-3" id="text-9-1"> + + +</div> + +<div id="outline-container-9-1-1" class="outline-4"> +<h4 id="sec-9-1-1"><span class="section-number-4">9.1.1</span> L494-495: <span class="tag"><span class="type_error">type_error</span></span></h4> +<div class="outline-text-4" id="text-9-1-1"> + + + + + +<pre class="src src-python"><span style="color: #00cdcd; font-weight: bold;">if</span> gnupghome <span style="color: #00cdcd; font-weight: bold;">and</span> <span style="color: #00cdcd; font-weight: bold;">not</span> os.path.isdir(<span style="color: #00cdcd; font-weight: bold;">self</span>.gnupghome): + os.makedirs(<span style="color: #00cdcd; font-weight: bold;">self</span>.gnupghome,0x1C0) +</pre> + + + +<pre class="example">In [20]: os.makedirs? +Type: function +String Form:<function makedirs at 0x7f8ddeb6cc08> +File: /usr/lib/python2.7/os.py +Definition: os.makedirs(name, mode=511) +Docstring: +makedirs(path [, mode=0777]) +Super-mkdir; create a leaf directory and all intermediate ones. +Works like mkdir, except that any intermediate path segment (not +just the rightmost) will be created if it does not exist. This is +recursive. + +setting mode=0x1c0 is equivalent to mode=hex(0700), which +may cause bugs on some systems, see +http://ubuntuforums.org/showthread.php?t=2044879 + +this could be do to the complete lack of input validation in +os.makedirs, and it's calling of the os.mkdir() built-in, which +may vary depending on the python compilation: +</pre> + + + +<pre class="src src-python">Source: +<span style="color: #00cdcd; font-weight: bold;">def</span> <span style="color: #0000ee; font-weight: bold;">makedirs</span>(name, mode=0777): + <span style="color: #00cd00;">"""makedirs(path [, mode=0777])</span> + +<span style="color: #00cd00;"> Super-mkdir; create a leaf directory and all intermediate ones.</span> +<span style="color: #00cd00;"> Works like mkdir, except that any intermediate path segment (not</span> +<span style="color: #00cd00;"> just the rightmost) will be created if it does not exist. This is</span> +<span style="color: #00cd00;"> recursive.</span> +<span style="color: #00cd00;"> """</span> + <span style="color: #cdcd00;">head</span>, <span style="color: #cdcd00;">tail</span> = path.split(name) + <span style="color: #00cdcd; font-weight: bold;">if</span> <span style="color: #00cdcd; font-weight: bold;">not</span> tail: + <span style="color: #cdcd00;">head</span>, <span style="color: #cdcd00;">tail</span> = path.split(head) + <span style="color: #00cdcd; font-weight: bold;">if</span> head <span style="color: #00cdcd; font-weight: bold;">and</span> tail <span style="color: #00cdcd; font-weight: bold;">and</span> <span style="color: #00cdcd; font-weight: bold;">not</span> path.exists(head): + <span style="color: #00cdcd; font-weight: bold;">try</span>: + makedirs(head, mode) + <span style="color: #00cdcd; font-weight: bold;">except</span> <span style="color: #00cd00;">OSError</span>, e: + <span style="color: #cdcd00;"># </span><span style="color: #cdcd00;">be happy if someone already created the path</span> + <span style="color: #00cdcd; font-weight: bold;">if</span> e.errno != errno.EEXIST: + <span style="color: #00cdcd; font-weight: bold;">raise</span> + <span style="color: #00cdcd; font-weight: bold;">if</span> tail == curdir: <span style="color: #cdcd00;"># </span><span style="color: #cdcd00;">xxx/newdir/. exists if xxx/newdir exists</span> + <span style="color: #00cdcd; font-weight: bold;">return</span> + mkdir(name, mode) +</pre> + + +</div> +</div> + +</div> + +<div id="outline-container-9-2" class="outline-3"> +<h3 id="sec-9-2"><span class="section-number-3">9.2</span> def <sub>open</sub><sub>subprocess</sub>(self, args, passphrase=False) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-2"> + + +</div> + +<div id="outline-container-9-2-1" class="outline-4"> +<h4 id="sec-9-2-1"><span class="section-number-4">9.2.1</span> L515: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-2-1"> + +<pre class="example"> +cmd.extend(args) +</pre> + + +<p> + cmd is a list of strings, eventually joined with cmd=' '.join(cmd), and + the args are unvalidated in this function. Then this concatenation of args + is fed directly into subprocess.Popen(cmd, shell=True, stdin=PIPE, + stdout=PIPE, stderr=PIPE). THIS SHOULD BE PATCHED. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-3" class="outline-3"> +<h3 id="sec-9-3"><span class="section-number-3">9.3</span> def <sub>collect</sub><sub>output</sub>(self, process, result, writer=None, stdin=None)</h3> +<div class="outline-text-3" id="text-9-3"> + +<p> sends stdout to self.<sub>read</sub><sub>data</sub>() and stderr to self.<sub>read</sub><sub>response</sub>() +</p> +</div> + +</div> + +<div id="outline-container-9-4" class="outline-3"> +<h3 id="sec-9-4"><span class="section-number-3">9.4</span> def <sub>handle</sub><sub>io</sub>(self, args, file, result, passphrase=None, binary=False) <span class="tag"><span class="vuln">vuln</span> <span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-4"> + + +</div> + +<div id="outline-container-9-4-1" class="outline-4"> +<h4 id="sec-9-4-1"><span class="section-number-4">9.4.1</span> L601: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span> <span class="type_check_in_call">type_check_in_call</span></span></h4> +<div class="outline-text-4" id="text-9-4-1"> + +<pre class="example"> +p = self._open_subprocess(args, passphrase is not None) +</pre> + + +<p> + you shouldn't assign or type check in a function call +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-5" class="outline-3"> +<h3 id="sec-9-5"><span class="section-number-3">9.5</span> def sign(self, message, **kwargs) <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-5"> + + +</div> + +<div id="outline-container-9-5-1" class="outline-4"> +<h4 id="sec-9-5-1"><span class="section-number-4">9.5.1</span> L617-619: <span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4> +<div class="outline-text-4" id="text-9-5-1"> + +<p> calls self.<sub>make</sub><sub>binary</sub><sub>stream</sub>(), which leaves the file descriptor for + the encoded message to be encrypted hanging between scopes. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-6" class="outline-3"> +<h3 id="sec-9-6"><span class="section-number-3">9.6</span> def sign<sub>file</sub>(self, file, keyid=None, passphrase=None, clearsign=True, detach=False, binary=False) <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-6"> + + +</div> + +<div id="outline-container-9-6-1" class="outline-4"> +<h4 id="sec-9-6-1"><span class="section-number-4">9.6.1</span> L632-635: <span class="tag"><span class="bad_logic">bad_logic</span></span></h4> +<div class="outline-text-4" id="text-9-6-1"> + + + + +<pre class="src src-python"><span style="color: #00cdcd; font-weight: bold;">if</span> detach: + args.append(<span style="color: #00cd00;">"--detach-sign"</span>) +<span style="color: #00cdcd; font-weight: bold;">elif</span> clearsign: + args.append(<span style="color: #00cd00;">"--clearsign"</span>) +</pre> + + +<p> + the logic here allows that if a user erroneously specifies both options, + rather than doing what the system gnupg would do (that is, do –clearsign, + and ignore the –attach-sign), python-gnupg would ignore both. +</p> +</div> + +</div> + +<div id="outline-container-9-6-2" class="outline-4"> +<h4 id="sec-9-6-2"><span class="section-number-4">9.6.2</span> L626-641:</h4> +<div class="outline-text-4" id="text-9-6-2"> + +<p> input 'args' into self.<sub>open</sub><sub>subprocess</sub>() is defined as static strings. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-7" class="outline-3"> +<h3 id="sec-9-7"><span class="section-number-3">9.7</span> def verify(self, data): <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-7"> + + +</div> + +<div id="outline-container-9-7-1" class="outline-4"> +<h4 id="sec-9-7-1"><span class="section-number-4">9.7.1</span> L668-670: <span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4> +<div class="outline-text-4" id="text-9-7-1"> + +<p> same hanging file descriptor problem as in self.sign() +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-8" class="outline-3"> +<h3 id="sec-9-8"><span class="section-number-3">9.8</span> def verify<sub>file</sub>(self, file, data<sub>filename</sub>=None) <span class="tag"><span class="vuln">vuln</span> <span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-8"> + + +</div> + +<div id="outline-container-9-8-1" class="outline-4"> +<h4 id="sec-9-8-1"><span class="section-number-4">9.8.1</span> L683: <span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4> +<div class="outline-text-4" id="text-9-8-1"> + +<p> more potentially hanging file descriptors… +</p></div> + +</div> + +<div id="outline-container-9-8-2" class="outline-4"> +<h4 id="sec-9-8-2"><span class="section-number-4">9.8.2</span> L684: <span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4> +<div class="outline-text-4" id="text-9-8-2"> + +<p> oh look, another hanging file descriptor. imagine that. +</p></div> + +</div> + +<div id="outline-container-9-8-3" class="outline-4"> +<h4 id="sec-9-8-3"><span class="section-number-4">9.8.3</span> L690: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-8-3"> + +<pre class="example"> +args.append('"%s"' % data_filename) +</pre> + +<p> well, there's the exploit. see included POC script. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-9" class="outline-3"> +<h3 id="sec-9-9"><span class="section-number-3">9.9</span> def import<sub>keys</sub>(self, key<sub>data</sub>) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-9"> + + +</div> + +<div id="outline-container-9-9-1" class="outline-4"> +<h4 id="sec-9-9-1"><span class="section-number-4">9.9.1</span> L749: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-9-1"> + +<p> this function could potentially allow an attacker with a GPG exploit to + use it, because it passes key generation parameter directly into the + internal packet parsers of GPG. however, without a GPG exploit for one of + the GPG packet parsers (for explanation of GPG packets look into pgpdump), + this function alone is not exploitable. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-10" class="outline-3"> +<h3 id="sec-9-10"><span class="section-number-3">9.10</span> def recieve<sub>keys</sub>(self, keyserver, *keyids) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-10"> + + +</div> + +<div id="outline-container-9-10-1" class="outline-4"> +<h4 id="sec-9-10-1"><span class="section-number-4">9.10.1</span> L770: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-10-1"> + +<pre class="example"> +args.extend(keyids) +</pre> + + +</div> +</div> + +</div> + +<div id="outline-container-9-11" class="outline-3"> +<h3 id="sec-9-11"><span class="section-number-3">9.11</span> def export<sub>keys</sub>(self, keyids, secret=False) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-11"> + + +</div> + +<div id="outline-container-9-11-1" class="outline-4"> +<h4 id="sec-9-11-1"><span class="section-number-4">9.11.1</span> L795-796: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-11-1"> + +<p> args problem again. exploitable though parameter ``keyids``. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-12" class="outline-3"> +<h3 id="sec-9-12"><span class="section-number-3">9.12</span> def list<sub>keys</sub>(self, secret=False)</h3> +<div class="outline-text-3" id="text-9-12"> + + +</div> + +<div id="outline-container-9-12-1" class="outline-4"> +<h4 id="sec-9-12-1"><span class="section-number-4">9.12.1</span> L827:</h4> +<div class="outline-text-4" id="text-9-12-1"> + +<p> args is static string. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-13" class="outline-3"> +<h3 id="sec-9-13"><span class="section-number-3">9.13</span> def gen<sub>key</sub>(self, input) <span class="tag"><span class="cleanup">cleanup</span></span></h3> +<div class="outline-text-3" id="text-9-13"> + + +</div> + +<div id="outline-container-9-13-1" class="outline-4"> +<h4 id="sec-9-13-1"><span class="section-number-4">9.13.1</span> L864:</h4> +<div class="outline-text-4" id="text-9-13-1"> + +<p> args, passed to self.<sub>handle</sub><sub>io</sub>(), which in turn passes args directly to + Popen(), is set to a static string. this function is halfway okay, though + it really could be more careful with the ``input`` parameter. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-14" class="outline-3"> +<h3 id="sec-9-14"><span class="section-number-3">9.14</span> def gen<sub>key</sub><sub>input</sub>(self, **kwargs) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-14"> + + +</div> + +<div id="outline-container-9-14-1" class="outline-4"> +<h4 id="sec-9-14-1"><span class="section-number-4">9.14.1</span> L981-983: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-14-1"> + +<p> this function could potentially allow an attacker with a GPG exploit to + use it, because it passes key generation parameter directly into the + internal packet parsers of GPG. however, without a GPG exploit for one of + the GPG packet parsers (for explanation of GPG packets look into pgpdump), + this function alone is not exploitable. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-15" class="outline-3"> +<h3 id="sec-9-15"><span class="section-number-3">9.15</span> def encrypt<sub>file</sub>(self, file, recipiencts, sign=None, …) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-15"> + + +</div> + +<div id="outline-container-9-15-1" class="outline-4"> +<h4 id="sec-9-15-1"><span class="section-number-4">9.15.1</span> L939: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-15-1"> + +<p> several of the inputs to this function are unvalidated, turned into + strings, and passed to Popen(). exploitable. +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-16" class="outline-3"> +<h3 id="sec-9-16"><span class="section-number-3">9.16</span> def encrypt(self, data, recipients, **kwargs): <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-16"> + + +</div> + +<div id="outline-container-9-16-1" class="outline-4"> +<h4 id="sec-9-16-1"><span class="section-number-4">9.16.1</span> L997: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-16-1"> + +<p> exploitable, passes kwargs to self.encrypt<sub>file</sub>() +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-17" class="outline-3"> +<h3 id="sec-9-17"><span class="section-number-3">9.17</span> def decrypt(self, message **kwargs): <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-17"> + + +</div> + +<div id="outline-container-9-17-1" class="outline-4"> +<h4 id="sec-9-17-1"><span class="section-number-4">9.17.1</span> L1003: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-17-1"> + +<p> kwargs are passed to self.decrypt<sub>file</sub>(), unvalidated, making this + function also exploitable +</p> +</div> +</div> + +</div> + +<div id="outline-container-9-18" class="outline-3"> +<h3 id="sec-9-18"><span class="section-number-3">9.18</span> def decrypt<sub>file</sub>(self, file, always<sub>trust</sub>=False, passphrase=None, output=None) <span class="tag"><span class="vuln">vuln</span></span></h3> +<div class="outline-text-3" id="text-9-18"> + + +</div> + +<div id="outline-container-9-18-1" class="outline-4"> +<h4 id="sec-9-18-1"><span class="section-number-4">9.18.1</span> L1013: <span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4> +<div class="outline-text-4" id="text-9-18-1"> + +<p> unvalidated user input: this function is also exploitable +</p> +</div> +</div> +</div> + +</div> + +<div id="outline-container-10" class="outline-2"> +<h2 id="sec-10"><span class="section-number-2">10</span> POC</h2> +<div class="outline-text-2" id="text-10"> + +<p>CANNOT INCLUDE FILE ../python-gnupg-0.3.1/python-gnupg-exploit.py +</p></div> +</div> +</div> + +<div id="postamble"> +<p class="date">Date: 2013-02-01 Fri</p> +<p class="author">Author: isis</p> +<p class="email"><a href="mailto:isis@leap.se">isis@leap.se</a></p> +<p class="creator"><a href="http://orgmode.org">Org</a> version 7.9.2 with <a href="http://www.gnu.org/software/emacs/">Emacs</a> version 24</p> +<a href="http://validator.w3.org/check?uri=referer">Validate XHTML 1.0</a> + +</div> +</body> +</html> |