From: [email protected]

--kXdP64Ggrk/fb43R
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: mutt
Version: 1.3.28-2.2
Severity: important
Tags: security

Hi.

It's possible to spoof the mutt PGP messages using the ^H-highlighting,
in the default setup. -- Enclosed is a mailbox containing just one
message; you can open it with mutt -f, and then just open the message.
It looks it's PGP signed with a good signature, but it isn't, it's
spoofed.

The default color scheme for PGP labels & ^H-highlighting should not be
the same, and mutt should at least emit a warning when they are set to
the same value by the user. Ideally, a special option allow_pgp_spoofing should be devised

As a temporary workaround, the default .muttrc should contain a ``color
bold'' command that would set the ^H-highlighted characters' color to
something different from the label color, along with an explanatory
comment, and a this bugreport URL. -- IMO, the default text color (i.e. scrapping any highlighting) would be most suitable, because when some highlighting was actually chosen, the user might think, that this was
just an error in the highlighting code (note that there is some
discussion in the manual about enabling escape-sequences, that could be
read as that no highlighting is possible whatsoever), and that the
signature in fact is real. Think about colorblind people, monochromatic terminals, VGA palette tweaks, if you *really* want to disagree.

I hope You won't respond with that... ehm... interesting opinion that defaults-are-to-be-preserved, Marco.

Note that this bug affects not only the PGP labels, but all the
attachment delimiters.

I've sent an advisory to bugtraq, just an hour ago, it should promulgate
in a due time.

I hope I did it right this time, and my severity assessment is going to
please our beloved DST. (Perhaps I really made some mistakes in the
past, sorry, people.)

Please keep me CC'd.

Cheers,
Jan.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #6 SMP Tue Jul 27 21:24:30 CEST 2004 i686 Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages mutt depends on:
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an ii libncurses5 5.2.20020112a-7 Shared libraries for terminal hand ii libsasl7 1.5.27-3 Authentication abstraction library ii postfix [mail-transport- 1.1.11-0.woody3 A high-performance mail transport

--
"To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
where this started and I think it goes back to the time I went to the circus,
and a clown killed my dad."

--kXdP64Ggrk/fb43R
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=mutt-pgp-spoofing-poc Content-Transfer-Encoding: quoted-printable

From [email protected] Thu Aug 12 01:48:21 2004Return-Path: <[email protected]>Delivered-To: [email protected]eived: by mail.haltyr.dejvice.czf (Postfix, from userid 1000) id 91AD1484F; Thu, 12 Aug 2004 01:48:21 +0200 (CEST)Date: Thu,
12 Aug 2004 01:48:21 +0200From: Jan Minar <[email protected]>To: Jan Minar <[email protected]>Subject: mutt PGP signature spoofing POCMessage-ID: <[email protected]>Mime-Version: 1.0Content-Type: text/plain;
charset=us-asciiContent-Disposition: inlineContent-Transfer-Encoding: 8bitUser-Agent: Mutt/1.3.28i[[---- PPGGPP oouuttppuutt ffoolll

From: [email protected]

[to the security team: I think you can ignore this bug unless a real
advisory appears, which I doubt. explanations below. please some
member of the team removes the security tag if you agree with this
diagnosis.]

* Jan Minar [Thu, 12 Aug 2004 03:27:09 +0200]:

Hi.

hi Jan,

It's possible to spoof the mutt PGP messages using the ^H-highlighting,
in the default setup.

assuming *Debian's* default setup, as in mutt_1.3.28-2.2.

-- Enclosed is a mailbox containing just one
message; you can open it with mutt -f, and then just open the message.
It looks it's PGP signed with a good signature, but it isn't, it's
spoofed.

it looks like, but doesn't have the right colors. see below.

The default color scheme for PGP labels & ^H-highlighting should not be
the same,

it is not, neither in "mutt -n" (no Muttrc read), when PGP labels have
*no* highlighting; nor when Debian's Muttrc is read, since it contains
the line (in woody, sarge and sid):

color attachment brightyellow black

it is up to the user to shoot in their feet and put one of these in
their ~/.muttrc:

set allow_ansi
color attachment brightwhite default

As a temporary workaround, the default .muttrc should contain a ``color bold'' command that would set the ^H-highlighted characters' color to something different from the label color,

it has been done the other way round (see above): the default Muttrc
contains a color color that sets the labels to something different
from the ^H-highlighted characters. (which were never the same,
anyway.)

along with an explanatory
comment, and a this bugreport URL. -- IMO, the default text color (i.e. scrapping any highlighting) would be most suitable, because when some highlighting was actually chosen, the user might think, that this was
just an error in the highlighting code

please.

(note that there is some
discussion in the manual about enabling escape-sequences, that could be
read as that no highlighting is possible whatsoever), and that the
signature in fact is real.

Think about colorblind people, monochromatic
terminals, VGA palette tweaks, if you *really* want to disagree.

&sigh; -- in such cases, more attention should be paid to the
timestamp, that is, you *should* pay attention if you *know* your
circumstances make you more vulnerable.

I hope You won't respond with that... ehm... interesting opinion that defaults-are-to-be-preserved, Marco.

*NOTE* that with default mutt behavior ("scrapping any highlighting",
as you say), valid PGP output is *much* *more* easily forged.

timestamp apart, the actual setup *does* require the user to
explicitly "set allow_ansi".

I've sent an advisory to bugtraq, just an hour ago, it should promulgate
in a due time.

well, you let us know when it does, please.

* * *

I think this bug is to be closed unless you can provide us a mailbox
which (forgetting about the timestamp) exactly reproduces the PGP
markers in the same colour as they would appear in a clean woody
installation for a user without ~/.muttrc in a *normal* environment.

*And* if your argument is that the above is possible if the user is
colorblind, or in a monochrome display, or something along the lines,
please provide a rationale which explains why the changes you propose
would be then useful to the 99% other users.

* * *

if you think I may have misunderstood your bug report, please say so
and point the flaws in my interpretation.

if you don't agree with my reasoning above, please say so and we'll
wait for Marco's opinion.

thanks,

--
Adeodato Sim�
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

America may be unique in being a country which has leapt from barbarism
to decadence without touching civilization.
-- John O'Hara



--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

tags -security
close
thanks

Silly me. I knew I didn't temper with the coloring scheme. What I
didn't know was I got it when I included my friend's .muttrc. Silly
silly silly me. I'm sorry.

You are correct, Adeodato, in all respects.

Thanks for your patience.

J.

--
"To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
where this started and I think it goes back to the time I went to the circus,
and a clown killed my dad."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBGt+S+uczK20Fa5cRArqsAKCfztNV9Kw4U65x8ICtoD1SaQ23eQCfeYcy db7BFKjF+Q7xFTfOvjW56VY=
=q9Nx
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)