Las contraseñas del famoso encriptador PGP quedan descubiertas en el Outlook


2 de Abril de 2002

Outlook admite la integración del PGP.(Pretty Good Privacy). para poder encriptar y descriptar nuestros correos. Una bug de seguridad ha sido detectado y permite a terceras personas obtener la contraseña usada por el usuario, simplemente analizando la memoria, despues de provocar un "cuelgue" del Outlook.

Son vulnerables las versiones de PGP 7.x y anteriores, bajo Windows NT y 2000 y en el fichero drwtsn32.log . Windows 2000, C:Documents and SettingsAll UsersDocumentsDrWatsondrwtsn32.log Windows NT, it is located at: C:WinntSystem32drwtsn32.log Siempre que el Outlook con el PGP integrado, se cuelga o falla, se hará un volcado del contenido de la memoria al archivo drwtsn32.log. donde un intruso podra obtener la contraseña de su llave PGP. Ejemplo drwtsn32.log: function: TranslateMessageEx 77e1323a 0f8500c40200 jne EnumDesktopWindows+0xd88 (77e3f640) 77e13240 33c0 xor eax,eax 77e13242 c20800 ret 0x8 77e13245 ff742408 push dword ptr [esp+0x8] ss:043bd52b=?? 77e13249 51 push ecx 77e1324a e8b7370000 call GetKeyState+0x92 (77e16a06) 77e1324f ebf1 jmp DialogBoxIndirectParamAorW+0x6ba (77e1eb42) 77e13251 b89a110000 mov eax,0x119a 77e13256 8d542404 lea edx,[esp+0x4] ss:043bd52b=? 77e1325a cd2e int 2e 77e1325c c21000 ret 0x10 *----> Stack Back Trace <----* FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name 0370FF78 77575C36 0370FF98 00000000 00000000 00000000 user32!TranslateMessageEx 0370FFB4 77E8758A 0000047C 77595428 0006F204 0000047C winmm!midiOutGetNumDevs 0370FFEC 00000000 77575BB9 0000047C 00000000 037100A0 kernel32!SetFilePointer *----> Raw Stack Dump <----* 0370ff58 63 58 e1 77 98 ff 70 03 - 00 00 00 00 00 00 00 00 cX.w..p......... 0370ff68 00 00 00 00 7c 04 00 00 - 00 00 00 00 27 58 e1 77 ....|.......'X.w 0370ff78 b4 ff 70 03 36 5c 57 77 - 98 ff 70 03 00 00 00 00 ..p.6Ww..p..... 0370ff88 00 00 00 00 00 00 00 00 - 28 54 59 77 04 f2 06 00 ........(TYw.... 0370ff98 20 20 32 81 ff ff ff ff - 77 0d 43 80 00 00 00 00 2.....w.C..... 0370ffa8 00 00 00 00 00 00 00 00 - 7b 10 43 80 ec ff 70 03 ........{.C...p. 0370ffb8 8a 75 e8 77 7c 04 00 00 - 28 54 59 77 04 f2 06 00 .u.w|...(TYw.... 0370ffc8 7c 04 00 00 00 f0 fa 7f - 00 00 57 77 c0 ff 70 03 |.........Ww..p. 0370ffd8 00 00 57 77 ff ff ff ff - 5b 61 e8 77 80 b5 e8 77 ..Ww....[a.w...w 0370ffe8 00 00 00 00 00 00 00 00 - 00 00 00 00 b9 5b 57 77 .............[Ww 0370fff8 7c 04 00 00 00 00 00 00 - a0 00 71 03 00 00 00 00 |.........q..... 03710008 03 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 03710018 00 00 00 00 00 00 00 00 - a0 00 71 03 00 00 71 03 ..........q...q. 03710028 02 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 03710038 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 03710048 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 03710058 00 00 00 00 00 00 00 00 - a0 07 e4 01 6b 00 00 00 ............k... 03710068 46 47 55 42 00 00 00 00 - PASSPHRASEVALUEISHEREPAFGUB....PASSPHRA 03710078 PASSPHRASEVALUEISHEREPA - PASSPHRASEVALUEISHEREPAASEVALUESISHEREP 03710088 7d 40 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 AS.............. Fuente; Securiteam