Diffstat (limited to 'docs/NOTES-python-gnupg-3.1-audit.html')
-rw-r--r--docs/NOTES-python-gnupg-3.1-audit.html946
1 files changed, 0 insertions, 946 deletions
diff --git a/docs/NOTES-python-gnupg-3.1-audit.html b/docs/NOTES-python-gnupg-3.1-audit.html
deleted file mode 100644
index fbd6e0d..0000000
--- a/docs/NOTES-python-gnupg-3.1-audit.html
+++ /dev/null
@@ -1,946 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
-<head>
-<title>python-gnupg audit</title>
-<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"/>
-<meta name="title" content="python-gnupg audit"/>
-<meta name="generator" content="Org-mode"/>
-<meta name="generated" content="2013-02-01 Fri"/>
-<meta name="author" content="isis"/>
-<meta name="description" content=""/>
-<meta name="keywords" content=""/>
-<style type="text/css">
- <!--/*--><![CDATA[/*><!--*/
- html { font-family: Times, serif; font-size: 12pt; }
- .title { text-align: center; }
- .todo { color: red; }
- .done { color: green; }
- .tag { background-color: #add8e6; font-weight:normal }
- .target { }
- .timestamp { color: #bebebe; }
- .timestamp-kwd { color: #5f9ea0; }
- .right {margin-left:auto; margin-right:0px; text-align:right;}
- .left {margin-left:0px; margin-right:auto; text-align:left;}
- .center {margin-left:auto; margin-right:auto; text-align:center;}
- p.verse { margin-left: 3% }
- pre {
- border: 1pt solid #AEBDCC;
- background-color: #F3F5F7;
- padding: 5pt;
- font-family: courier, monospace;
- font-size: 90%;
- overflow:auto;
- }
- table { border-collapse: collapse; }
- td, th { vertical-align: top; }
- th.right { text-align:center; }
- th.left { text-align:center; }
- th.center { text-align:center; }
- td.right { text-align:right; }
- td.left { text-align:left; }
- td.center { text-align:center; }
- dt { font-weight: bold; }
- div.figure { padding: 0.5em; }
- div.figure p { text-align: center; }
- div.inlinetask {
- padding:10px;
- border:2px solid gray;
- margin:10px;
- background: #ffffcc;
- }
- textarea { overflow-x: auto; }
- .linenr { font-size:smaller }
- .code-highlighted {background-color:#ffff00;}
- .org-info-js_info-navigation { border-style:none; }
- #org-info-js_console-label { font-size:10px; font-weight:bold;
- white-space:nowrap; }
- .org-info-js_search-highlight {background-color:#ffff00; color:#000000;
- font-weight:bold; }
- /*]]>*/-->
-</style>
-<script type="text/javascript">
-/*
-@licstart The following is the entire license notice for the
-JavaScript code in this tag.
-
-Copyright (C) 2012 Free Software Foundation, Inc.
-
-The JavaScript code in this tag is free software: you can
-redistribute it and/or modify it under the terms of the GNU
-General Public License (GNU GPL) as published by the Free Software
-Foundation, either version 3 of the License, or (at your option)
-any later version. The code is distributed WITHOUT ANY WARRANTY;
-without even the implied warranty of MERCHANTABILITY or FITNESS
-FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
-
-As additional permission under GNU GPL version 3 section 7, you
-may distribute non-source (e.g., minimized or compacted) forms of
-that code without the copy of the GNU GPL normally required by
-section 4, provided you include this license notice and a URL
-through which recipients can access the Corresponding Source.
-
-
-@licend The above is the entire license notice
-for the JavaScript code in this tag.
-*/
-<!--/*--><![CDATA[/*><!--*/
- function CodeHighlightOn(elem, id)
- {
- var target = document.getElementById(id);
- if(null != target) {
- elem.cacheClassElem = elem.className;
- elem.cacheClassTarget = target.className;
- target.className = "code-highlighted";
- elem.className = "code-highlighted";
- }
- }
- function CodeHighlightOff(elem, id)
- {
- var target = document.getElementById(id);
- if(elem.cacheClassElem)
- elem.className = elem.cacheClassElem;
- if(elem.cacheClassTarget)
- target.className = elem.cacheClassTarget;
- }
-/*]]>*///-->
-</script>
-
-</head>
-<body>
-
-<div id="preamble">
-
-</div>
-
-<div id="content">
-<h1 class="title">python-gnupg audit</h1>
-
-<p> <span class="timestamp-wrapper"> <span class="timestamp">2013-02-01 Fri</span></span><br/>
-</p>
-
-<div id="table-of-contents">
-<h2>Table of Contents</h2>
-<div id="text-table-of-contents">
-<ul>
-<li><a href="#sec-1">1 gnugp._<sub>main</sub>_<sub>()</sub></a>
-<ul>
-<li><a href="#sec-1-1">1.1 comments</a></li>
-<li><a href="#sec-1-2">1.2 def <sub>copy</sub><sub>data</sub>(instream, outstream)</a>
-<ul>
-<li><a href="#sec-1-2-1">1.2.1 L79:</a></li>
-<li><a href="#sec-1-2-2">1.2.2 L78:</a></li>
-<li><a href="#sec-1-2-3">1.2.3 L88:</a></li>
-</ul>
-</li>
-<li><a href="#sec-1-3">1.3 def <sub>threaded</sub><sub>copy</sub><sub>data</sub>(instream, outstream):</a>
-<ul>
-<li><a href="#sec-1-3-1">1.3.1 L99:</a></li>
-</ul>
-</li>
-<li><a href="#sec-1-4">1.4 def <sub>write</sub><sub>passphrase</sub>(stream, passphrase, encoding):</a>
-<ul>
-<li><a href="#sec-1-4-1">1.4.1 L110:</a></li>
-</ul></li>
-</ul>
-</li>
-<li><a href="#sec-2">2 class Verify(object)</a></li>
-<li><a href="#sec-3">3 class ImportResult(object)</a></li>
-<li><a href="#sec-4">4 class ListKeys(list):</a></li>
-<li><a href="#sec-5">5 class Crypt(Verify):</a>
-<ul>
-<li><a href="#sec-5-1">5.1 def _<sub>init</sub>_<sub>(self, gpg)</sub></a>
-<ul>
-<li><a href="#sec-5-1-1">5.1.1 L338</a></li>
-</ul></li>
-</ul>
-</li>
-<li><a href="#sec-6">6 class GenKey(object)</a></li>
-<li><a href="#sec-7">7 class DeleteResult(object)</a></li>
-<li><a href="#sec-8">8 class Sign(object)</a></li>
-<li><a href="#sec-9">9 class GPG(object)</a>
-<ul>
-<li>
-<ul>
-<li><a href="#sec-9-1">9.1 L474:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-1">9.1 def _<sub>init</sub>_<sub>(self, gpgbinary='gpg', gnupghome=None, verbose=False, use<sub>agent</sub>=False, keyring=None)</sub></a>
-<ul>
-<li><a href="#sec-9-1-1">9.1.1 L494-495:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-2">9.2 def <sub>open</sub><sub>subprocess</sub>(self, args, passphrase=False)</a>
-<ul>
-<li><a href="#sec-9-2-1">9.2.1 L515:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-3">9.3 def <sub>collect</sub><sub>output</sub>(self, process, result, writer=None, stdin=None)</a></li>
-<li><a href="#sec-9-4">9.4 def <sub>handle</sub><sub>io</sub>(self, args, file, result, passphrase=None, binary=False)</a>
-<ul>
-<li><a href="#sec-9-4-1">9.4.1 L601:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-5">9.5 def sign(self, message, **kwargs)</a>
-<ul>
-<li><a href="#sec-9-5-1">9.5.1 L617-619:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-6">9.6 def sign<sub>file</sub>(self, file, keyid=None, passphrase=None, clearsign=True, detach=False, binary=False)</a>
-<ul>
-<li><a href="#sec-9-6-1">9.6.1 L632-635:</a></li>
-<li><a href="#sec-9-6-2">9.6.2 L626-641:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-7">9.7 def verify(self, data):</a>
-<ul>
-<li><a href="#sec-9-7-1">9.7.1 L668-670:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-8">9.8 def verify<sub>file</sub>(self, file, data<sub>filename</sub>=None)</a>
-<ul>
-<li><a href="#sec-9-8-1">9.8.1 L683:</a></li>
-<li><a href="#sec-9-8-2">9.8.2 L684:</a></li>
-<li><a href="#sec-9-8-3">9.8.3 L690:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-9">9.9 def import<sub>keys</sub>(self, key<sub>data</sub>)</a>
-<ul>
-<li><a href="#sec-9-9-1">9.9.1 L749:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-10">9.10 def recieve<sub>keys</sub>(self, keyserver, *keyids)</a>
-<ul>
-<li><a href="#sec-9-10-1">9.10.1 L770:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-11">9.11 def export<sub>keys</sub>(self, keyids, secret=False)</a>
-<ul>
-<li><a href="#sec-9-11-1">9.11.1 L795-796:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-12">9.12 def list<sub>keys</sub>(self, secret=False)</a>
-<ul>
-<li><a href="#sec-9-12-1">9.12.1 L827:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-13">9.13 def gen<sub>key</sub>(self, input)</a>
-<ul>
-<li><a href="#sec-9-13-1">9.13.1 L864:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-14">9.14 def gen<sub>key</sub><sub>input</sub>(self, **kwargs)</a>
-<ul>
-<li><a href="#sec-9-14-1">9.14.1 L981-983:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-15">9.15 def encrypt<sub>file</sub>(self, file, recipiencts, sign=None, &hellip;)</a>
-<ul>
-<li><a href="#sec-9-15-1">9.15.1 L939:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-16">9.16 def encrypt(self, data, recipients, **kwargs):</a>
-<ul>
-<li><a href="#sec-9-16-1">9.16.1 L997:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-17">9.17 def decrypt(self, message **kwargs):</a>
-<ul>
-<li><a href="#sec-9-17-1">9.17.1 L1003:</a></li>
-</ul>
-</li>
-<li><a href="#sec-9-18">9.18 def decrypt<sub>file</sub>(self, file, always<sub>trust</sub>=False, passphrase=None, output=None)</a>
-<ul>
-<li><a href="#sec-9-18-1">9.18.1 L1013:</a></li>
-</ul></li>
-</ul>
-</li>
-<li><a href="#sec-10">10 POC</a></li>
-</ul>
-</div>
-</div>
-
-<div id="outline-container-1" class="outline-2">
-<h2 id="sec-1"><span class="section-number-2">1</span> gnugp._<sub>main</sub>_<sub>()</sub></h2>
-<div class="outline-text-2" id="text-1">
-
-
-</div>
-
-<div id="outline-container-1-1" class="outline-3">
-<h3 id="sec-1-1"><span class="section-number-3">1.1</span> comments</h3>
-<div class="outline-text-3" id="text-1-1">
-
-<p>L58 NullHandler?? see self.<sub>write</sub><sub>passphrase</sub>
-L61 there nifty check for p3k
-</p></div>
-
-</div>
-
-<div id="outline-container-1-2" class="outline-3">
-<h3 id="sec-1-2"><span class="section-number-3">1.2</span> def <sub>copy</sub><sub>data</sub>(instream, outstream) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-1-2">
-
-<p> copies data from one stream to another, 1024 bytes at a time.
-</p>
-</div>
-
-<div id="outline-container-1-2-1" class="outline-4">
-<h4 id="sec-1-2-1"><span class="section-number-4">1.2.1</span> L79: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="bad_logic">bad_logic</span></span></h4>
-<div class="outline-text-4" id="text-1-2-1">
-
-<p> instream is apparently a file descriptor, but is not checked nor
- encased in a try/except block.
-</p>
-</div>
-
-</div>
-
-<div id="outline-container-1-2-2" class="outline-4">
-<h4 id="sec-1-2-2"><span class="section-number-4">1.2.2</span> L78: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="hanging_fd">hanging_fd</span>&nbsp;<span class="bad_logic">bad_logic</span></span></h4>
-<div class="outline-text-4" id="text-1-2-2">
-
-<p> while True: loop, should be
-</p><pre class="example">
-with open(instream) as instrm:
-</pre>
-
-</div>
-
-</div>
-
-<div id="outline-container-1-2-3" class="outline-4">
-<h4 id="sec-1-2-3"><span class="section-number-4">1.2.3</span> L88: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="bad_exception_handling">bad_exception_handling</span></span></h4>
-<div class="outline-text-4" id="text-1-2-3">
-
-<pre class="example">
-except:
-</pre>
-
-<p> should catch an IOError, or whatever specific error is raised for broken
- pipes.
-</p></div>
-</div>
-
-</div>
-
-<div id="outline-container-1-3" class="outline-3">
-<h3 id="sec-1-3"><span class="section-number-3">1.3</span> def <sub>threaded</sub><sub>copy</sub><sub>data</sub>(instream, outstream):</h3>
-<div class="outline-text-3" id="text-1-3">
-
-
-</div>
-
-<div id="outline-container-1-3-1" class="outline-4">
-<h4 id="sec-1-3-1"><span class="section-number-4">1.3.1</span> L99:</h4>
-<div class="outline-text-4" id="text-1-3-1">
-
-<p> this just wraps self.<sub>copy</sub><sub>data</sub> in a thread
-</p></div>
-</div>
-
-</div>
-
-<div id="outline-container-1-4" class="outline-3">
-<h3 id="sec-1-4"><span class="section-number-3">1.4</span> def <sub>write</sub><sub>passphrase</sub>(stream, passphrase, encoding): &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span>&nbsp;<span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-1-4">
-
-
-</div>
-
-<div id="outline-container-1-4-1" class="outline-4">
-<h4 id="sec-1-4-1"><span class="section-number-4">1.4.1</span> L110: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="writes_passphrase_to_disk">writes_passphrase_to_disk</span></span></h4>
-<div class="outline-text-4" id="text-1-4-1">
-
-<p> logger writes passphrase into debug log. this should be patched.
-</p></div>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-2" class="outline-2">
-<h2 id="sec-2"><span class="section-number-2">2</span> class Verify(object)</h2>
-<div class="outline-text-2" id="text-2">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-3" class="outline-2">
-<h2 id="sec-3"><span class="section-number-2">3</span> class ImportResult(object)</h2>
-<div class="outline-text-2" id="text-3">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-4" class="outline-2">
-<h2 id="sec-4"><span class="section-number-2">4</span> class ListKeys(list):</h2>
-<div class="outline-text-2" id="text-4">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-5" class="outline-2">
-<h2 id="sec-5"><span class="section-number-2">5</span> class Crypt(Verify):</h2>
-<div class="outline-text-2" id="text-5">
-
-<p> basic parsing class, no errors found
-</p>
-</div>
-
-<div id="outline-container-5-1" class="outline-3">
-<h3 id="sec-5-1"><span class="section-number-3">5.1</span> def _<sub>init</sub>_<sub>(self, gpg)</sub> &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-5-1">
-
-
-</div>
-
-<div id="outline-container-5-1-1" class="outline-4">
-<h4 id="sec-5-1-1"><span class="section-number-4">5.1.1</span> L338 &nbsp;&nbsp;&nbsp;<span class="tag"><span class="mro_conflict">mro_conflict</span></span></h4>
-<div class="outline-text-4" id="text-5-1-1">
-
-
-
-
-
-<pre class="src src-python">Verify.__init__(<span style="color: #00cdcd; font-weight: bold;">self</span>,gpg)
-</pre>
-
-
-<p>
- should be changed to:
-</p>
-
-
-
-<pre class="src src-python"><span style="color: #0000ee; font-weight: bold;">super</span>(Verify, <span style="color: #00cdcd; font-weight: bold;">self</span>).__init__(gpg)
-</pre>
-
-</div>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-6" class="outline-2">
-<h2 id="sec-6"><span class="section-number-2">6</span> class GenKey(object)</h2>
-<div class="outline-text-2" id="text-6">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-7" class="outline-2">
-<h2 id="sec-7"><span class="section-number-2">7</span> class DeleteResult(object)</h2>
-<div class="outline-text-2" id="text-7">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-8" class="outline-2">
-<h2 id="sec-8"><span class="section-number-2">8</span> class Sign(object)</h2>
-<div class="outline-text-2" id="text-8">
-
-<p> basic parsing class, no errors found
-</p></div>
-
-</div>
-
-<div id="outline-container-9" class="outline-2">
-<h2 id="sec-9"><span class="section-number-2">9</span> class GPG(object) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="exploitable">exploitable</span></span></h2>
-<div class="outline-text-2" id="text-9">
-
-
-</div>
-
-<div id="outline-container-9-1" class="outline-4">
-<h4 id="sec-9-1"><span class="section-number-4">9.1</span> L474: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h4>
-<div class="outline-text-4" id="text-9-1">
-
-<pre class="example">
-cls.__doc__
-</pre>
-
-<p> should go directly underneath class signature
-</p></div>
-
-</div>
-
-<div id="outline-container-9-1" class="outline-3">
-<h3 id="sec-9-1"><span class="section-number-3">9.1</span> def _<sub>init</sub>_<sub>(self, gpgbinary='gpg', gnupghome=None, verbose=False, use<sub>agent</sub>=False, keyring=None)</sub> &nbsp;&nbsp;&nbsp;<span class="tag"><span class="bug">bug</span></span></h3>
-<div class="outline-text-3" id="text-9-1">
-
-
-</div>
-
-<div id="outline-container-9-1-1" class="outline-4">
-<h4 id="sec-9-1-1"><span class="section-number-4">9.1.1</span> L494-495: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="type_error">type_error</span></span></h4>
-<div class="outline-text-4" id="text-9-1-1">
-
-
-
-
-
-<pre class="src src-python"><span style="color: #00cdcd; font-weight: bold;">if</span> gnupghome <span style="color: #00cdcd; font-weight: bold;">and</span> <span style="color: #00cdcd; font-weight: bold;">not</span> os.path.isdir(<span style="color: #00cdcd; font-weight: bold;">self</span>.gnupghome):
- os.makedirs(<span style="color: #00cdcd; font-weight: bold;">self</span>.gnupghome,0x1C0)
-</pre>
-
-
-
-<pre class="example">In [20]: os.makedirs?
-Type: function
-String Form:&lt;function makedirs at 0x7f8ddeb6cc08&gt;
-File: /usr/lib/python2.7/os.py
-Definition: os.makedirs(name, mode=511)
-Docstring:
-makedirs(path [, mode=0777])
-Super-mkdir; create a leaf directory and all intermediate ones.
-Works like mkdir, except that any intermediate path segment (not
-just the rightmost) will be created if it does not exist. This is
-recursive.
-
-setting mode=0x1c0 is equivalent to mode=hex(0700), which
-may cause bugs on some systems, see
-http://ubuntuforums.org/showthread.php?t=2044879
-
-this could be do to the complete lack of input validation in
-os.makedirs, and it's calling of the os.mkdir() built-in, which
-may vary depending on the python compilation:
-</pre>
-
-
-
-<pre class="src src-python">Source:
-<span style="color: #00cdcd; font-weight: bold;">def</span> <span style="color: #0000ee; font-weight: bold;">makedirs</span>(name, mode=0777):
- <span style="color: #00cd00;">"""makedirs(path [, mode=0777])</span>
-
-<span style="color: #00cd00;"> Super-mkdir; create a leaf directory and all intermediate ones.</span>
-<span style="color: #00cd00;"> Works like mkdir, except that any intermediate path segment (not</span>
-<span style="color: #00cd00;"> just the rightmost) will be created if it does not exist. This is</span>
-<span style="color: #00cd00;"> recursive.</span>
-<span style="color: #00cd00;"> """</span>
- <span style="color: #cdcd00;">head</span>, <span style="color: #cdcd00;">tail</span> = path.split(name)
- <span style="color: #00cdcd; font-weight: bold;">if</span> <span style="color: #00cdcd; font-weight: bold;">not</span> tail:
- <span style="color: #cdcd00;">head</span>, <span style="color: #cdcd00;">tail</span> = path.split(head)
- <span style="color: #00cdcd; font-weight: bold;">if</span> head <span style="color: #00cdcd; font-weight: bold;">and</span> tail <span style="color: #00cdcd; font-weight: bold;">and</span> <span style="color: #00cdcd; font-weight: bold;">not</span> path.exists(head):
- <span style="color: #00cdcd; font-weight: bold;">try</span>:
- makedirs(head, mode)
- <span style="color: #00cdcd; font-weight: bold;">except</span> <span style="color: #00cd00;">OSError</span>, e:
- <span style="color: #cdcd00;"># </span><span style="color: #cdcd00;">be happy if someone already created the path</span>
- <span style="color: #00cdcd; font-weight: bold;">if</span> e.errno != errno.EEXIST:
- <span style="color: #00cdcd; font-weight: bold;">raise</span>
- <span style="color: #00cdcd; font-weight: bold;">if</span> tail == curdir: <span style="color: #cdcd00;"># </span><span style="color: #cdcd00;">xxx/newdir/. exists if xxx/newdir exists</span>
- <span style="color: #00cdcd; font-weight: bold;">return</span>
- mkdir(name, mode)
-</pre>
-
-
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-2" class="outline-3">
-<h3 id="sec-9-2"><span class="section-number-3">9.2</span> def <sub>open</sub><sub>subprocess</sub>(self, args, passphrase=False) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-2">
-
-
-</div>
-
-<div id="outline-container-9-2-1" class="outline-4">
-<h4 id="sec-9-2-1"><span class="section-number-4">9.2.1</span> L515: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-2-1">
-
-<pre class="example">
-cmd.extend(args)
-</pre>
-
-
-<p>
- cmd is a list of strings, eventually joined with cmd=' '.join(cmd), and
- the args are unvalidated in this function. Then this concatenation of args
- is fed directly into subprocess.Popen(cmd, shell=True, stdin=PIPE,
- stdout=PIPE, stderr=PIPE). THIS SHOULD BE PATCHED.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-3" class="outline-3">
-<h3 id="sec-9-3"><span class="section-number-3">9.3</span> def <sub>collect</sub><sub>output</sub>(self, process, result, writer=None, stdin=None)</h3>
-<div class="outline-text-3" id="text-9-3">
-
-<p> sends stdout to self.<sub>read</sub><sub>data</sub>() and stderr to self.<sub>read</sub><sub>response</sub>()
-</p>
-</div>
-
-</div>
-
-<div id="outline-container-9-4" class="outline-3">
-<h3 id="sec-9-4"><span class="section-number-3">9.4</span> def <sub>handle</sub><sub>io</sub>(self, args, file, result, passphrase=None, binary=False) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span>&nbsp;<span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-4">
-
-
-</div>
-
-<div id="outline-container-9-4-1" class="outline-4">
-<h4 id="sec-9-4-1"><span class="section-number-4">9.4.1</span> L601: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span>&nbsp;<span class="type_check_in_call">type_check_in_call</span></span></h4>
-<div class="outline-text-4" id="text-9-4-1">
-
-<pre class="example">
-p = self._open_subprocess(args, passphrase is not None)
-</pre>
-
-
-<p>
- you shouldn't assign or type check in a function call
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-5" class="outline-3">
-<h3 id="sec-9-5"><span class="section-number-3">9.5</span> def sign(self, message, **kwargs) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-5">
-
-
-</div>
-
-<div id="outline-container-9-5-1" class="outline-4">
-<h4 id="sec-9-5-1"><span class="section-number-4">9.5.1</span> L617-619: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4>
-<div class="outline-text-4" id="text-9-5-1">
-
-<p> calls self.<sub>make</sub><sub>binary</sub><sub>stream</sub>(), which leaves the file descriptor for
- the encoded message to be encrypted hanging between scopes.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-6" class="outline-3">
-<h3 id="sec-9-6"><span class="section-number-3">9.6</span> def sign<sub>file</sub>(self, file, keyid=None, passphrase=None, clearsign=True, detach=False, binary=False) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-6">
-
-
-</div>
-
-<div id="outline-container-9-6-1" class="outline-4">
-<h4 id="sec-9-6-1"><span class="section-number-4">9.6.1</span> L632-635: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="bad_logic">bad_logic</span></span></h4>
-<div class="outline-text-4" id="text-9-6-1">
-
-
-
-
-<pre class="src src-python"><span style="color: #00cdcd; font-weight: bold;">if</span> detach:
- args.append(<span style="color: #00cd00;">"--detach-sign"</span>)
-<span style="color: #00cdcd; font-weight: bold;">elif</span> clearsign:
- args.append(<span style="color: #00cd00;">"--clearsign"</span>)
-</pre>
-
-
-<p>
- the logic here allows that if a user erroneously specifies both options,
- rather than doing what the system gnupg would do (that is, do &ndash;clearsign,
- and ignore the &ndash;attach-sign), python-gnupg would ignore both.
-</p>
-</div>
-
-</div>
-
-<div id="outline-container-9-6-2" class="outline-4">
-<h4 id="sec-9-6-2"><span class="section-number-4">9.6.2</span> L626-641:</h4>
-<div class="outline-text-4" id="text-9-6-2">
-
-<p> input 'args' into self.<sub>open</sub><sub>subprocess</sub>() is defined as static strings.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-7" class="outline-3">
-<h3 id="sec-9-7"><span class="section-number-3">9.7</span> def verify(self, data): &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-7">
-
-
-</div>
-
-<div id="outline-container-9-7-1" class="outline-4">
-<h4 id="sec-9-7-1"><span class="section-number-4">9.7.1</span> L668-670: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4>
-<div class="outline-text-4" id="text-9-7-1">
-
-<p> same hanging file descriptor problem as in self.sign()
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-8" class="outline-3">
-<h3 id="sec-9-8"><span class="section-number-3">9.8</span> def verify<sub>file</sub>(self, file, data<sub>filename</sub>=None) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span>&nbsp;<span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-8">
-
-
-</div>
-
-<div id="outline-container-9-8-1" class="outline-4">
-<h4 id="sec-9-8-1"><span class="section-number-4">9.8.1</span> L683: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4>
-<div class="outline-text-4" id="text-9-8-1">
-
-<p> more potentially hanging file descriptors&hellip;
-</p></div>
-
-</div>
-
-<div id="outline-container-9-8-2" class="outline-4">
-<h4 id="sec-9-8-2"><span class="section-number-4">9.8.2</span> L684: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="hanging_fd">hanging_fd</span></span></h4>
-<div class="outline-text-4" id="text-9-8-2">
-
-<p> oh look, another hanging file descriptor. imagine that.
-</p></div>
-
-</div>
-
-<div id="outline-container-9-8-3" class="outline-4">
-<h4 id="sec-9-8-3"><span class="section-number-4">9.8.3</span> L690: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-8-3">
-
-<pre class="example">
-args.append('"%s"' % data_filename)
-</pre>
-
-<p> well, there's the exploit. see included POC script.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-9" class="outline-3">
-<h3 id="sec-9-9"><span class="section-number-3">9.9</span> def import<sub>keys</sub>(self, key<sub>data</sub>) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-9">
-
-
-</div>
-
-<div id="outline-container-9-9-1" class="outline-4">
-<h4 id="sec-9-9-1"><span class="section-number-4">9.9.1</span> L749: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-9-1">
-
-<p> this function could potentially allow an attacker with a GPG exploit to
- use it, because it passes key generation parameter directly into the
- internal packet parsers of GPG. however, without a GPG exploit for one of
- the GPG packet parsers (for explanation of GPG packets look into pgpdump),
- this function alone is not exploitable.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-10" class="outline-3">
-<h3 id="sec-9-10"><span class="section-number-3">9.10</span> def recieve<sub>keys</sub>(self, keyserver, *keyids) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-10">
-
-
-</div>
-
-<div id="outline-container-9-10-1" class="outline-4">
-<h4 id="sec-9-10-1"><span class="section-number-4">9.10.1</span> L770: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-10-1">
-
-<pre class="example">
-args.extend(keyids)
-</pre>
-
-
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-11" class="outline-3">
-<h3 id="sec-9-11"><span class="section-number-3">9.11</span> def export<sub>keys</sub>(self, keyids, secret=False) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-11">
-
-
-</div>
-
-<div id="outline-container-9-11-1" class="outline-4">
-<h4 id="sec-9-11-1"><span class="section-number-4">9.11.1</span> L795-796: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-11-1">
-
-<p> args problem again. exploitable though parameter ``keyids``.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-12" class="outline-3">
-<h3 id="sec-9-12"><span class="section-number-3">9.12</span> def list<sub>keys</sub>(self, secret=False)</h3>
-<div class="outline-text-3" id="text-9-12">
-
-
-</div>
-
-<div id="outline-container-9-12-1" class="outline-4">
-<h4 id="sec-9-12-1"><span class="section-number-4">9.12.1</span> L827:</h4>
-<div class="outline-text-4" id="text-9-12-1">
-
-<p> args is static string.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-13" class="outline-3">
-<h3 id="sec-9-13"><span class="section-number-3">9.13</span> def gen<sub>key</sub>(self, input) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="cleanup">cleanup</span></span></h3>
-<div class="outline-text-3" id="text-9-13">
-
-
-</div>
-
-<div id="outline-container-9-13-1" class="outline-4">
-<h4 id="sec-9-13-1"><span class="section-number-4">9.13.1</span> L864:</h4>
-<div class="outline-text-4" id="text-9-13-1">
-
-<p> args, passed to self.<sub>handle</sub><sub>io</sub>(), which in turn passes args directly to
- Popen(), is set to a static string. this function is halfway okay, though
- it really could be more careful with the ``input`` parameter.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-14" class="outline-3">
-<h3 id="sec-9-14"><span class="section-number-3">9.14</span> def gen<sub>key</sub><sub>input</sub>(self, **kwargs) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-14">
-
-
-</div>
-
-<div id="outline-container-9-14-1" class="outline-4">
-<h4 id="sec-9-14-1"><span class="section-number-4">9.14.1</span> L981-983: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-14-1">
-
-<p> this function could potentially allow an attacker with a GPG exploit to
- use it, because it passes key generation parameter directly into the
- internal packet parsers of GPG. however, without a GPG exploit for one of
- the GPG packet parsers (for explanation of GPG packets look into pgpdump),
- this function alone is not exploitable.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-15" class="outline-3">
-<h3 id="sec-9-15"><span class="section-number-3">9.15</span> def encrypt<sub>file</sub>(self, file, recipiencts, sign=None, &hellip;) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-15">
-
-
-</div>
-
-<div id="outline-container-9-15-1" class="outline-4">
-<h4 id="sec-9-15-1"><span class="section-number-4">9.15.1</span> L939: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-15-1">
-
-<p> several of the inputs to this function are unvalidated, turned into
- strings, and passed to Popen(). exploitable.
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-16" class="outline-3">
-<h3 id="sec-9-16"><span class="section-number-3">9.16</span> def encrypt(self, data, recipients, **kwargs): &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-16">
-
-
-</div>
-
-<div id="outline-container-9-16-1" class="outline-4">
-<h4 id="sec-9-16-1"><span class="section-number-4">9.16.1</span> L997: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-16-1">
-
-<p> exploitable, passes kwargs to self.encrypt<sub>file</sub>()
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-17" class="outline-3">
-<h3 id="sec-9-17"><span class="section-number-3">9.17</span> def decrypt(self, message **kwargs): &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-17">
-
-
-</div>
-
-<div id="outline-container-9-17-1" class="outline-4">
-<h4 id="sec-9-17-1"><span class="section-number-4">9.17.1</span> L1003: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-17-1">
-
-<p> kwargs are passed to self.decrypt<sub>file</sub>(), unvalidated, making this
- function also exploitable
-</p>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-9-18" class="outline-3">
-<h3 id="sec-9-18"><span class="section-number-3">9.18</span> def decrypt<sub>file</sub>(self, file, always<sub>trust</sub>=False, passphrase=None, output=None) &nbsp;&nbsp;&nbsp;<span class="tag"><span class="vuln">vuln</span></span></h3>
-<div class="outline-text-3" id="text-9-18">
-
-
-</div>
-
-<div id="outline-container-9-18-1" class="outline-4">
-<h4 id="sec-9-18-1"><span class="section-number-4">9.18.1</span> L1013: &nbsp;&nbsp;&nbsp;<span class="tag"><span class="unvalidated_user_input">unvalidated_user_input</span></span></h4>
-<div class="outline-text-4" id="text-9-18-1">
-
-<p> unvalidated user input: this function is also exploitable
-</p>
-</div>
-</div>
-</div>
-
-</div>
-
-<div id="outline-container-10" class="outline-2">
-<h2 id="sec-10"><span class="section-number-2">10</span> POC</h2>
-<div class="outline-text-2" id="text-10">
-
-<p>CANNOT INCLUDE FILE ../python-gnupg-0.3.1/python-gnupg-exploit.py
-</p></div>
-</div>
-</div>
-
-<div id="postamble">
-<p class="date">Date: 2013-02-01 Fri</p>
-<p class="author">Author: isis</p>
-<p class="email"><a href="mailto:isis@leap.se">isis@leap.se</a></p>
-<p class="creator"><a href="http://orgmode.org">Org</a> version 7.9.2 with <a href="http://www.gnu.org/software/emacs/">Emacs</a> version 24</p>
-<a href="http://validator.w3.org/check?uri=referer">Validate XHTML 1.0</a>
-
-</div>
-</body>
-</html>