[NT] Cross-Site Scripting in Verisign's haydn.exe CGI Script

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Cross-Site Scripting in Verisign's haydn.exe CGI Script
------------------------------------------------------------------------


SUMMARY

The haydn.exe file is used as a CGI common component in various Verisign
products, including those aimed at Digital ID certificate enrollment,
revocation and validation of server certificates.

A cross-site scripting vulnerability found in Verisign's haydn.exe could
allow an attacker to execute scripting code in the machine of a user
within the user's web browser with the same trust level as that of the
site hosting the haydn.exe file (this is usually a trusted site, since it
is used to enroll, revoke or validate certificates).

A malicious web site could use this vulnerability to spoof the results of
certificate validation operations that are performed on a trusted site
that uses the vulnerable executable.

DETAILS

Vulnerable Systems:
* MPKI version 6.0

Solution/Vendor Information:
Fix information provided by the vendor:

"VeriSign appreciates Core Security for bringing this to our attention. To
ensure appropriate management of error messages the creation of a default
HTML file must be constructed. To do this perform the following:

Create a blank html file in the '<local hosting install
directory>/htmldocs/' directory labeled 'fdf_noHTMLFile.html'"

Technical Description - Exploit/Concept Code:
The vulnerability is classified as common Cross Site Scripting bug due to
the lack of user input validation in parameters passed to the CGI
component.

It is possible to specify arbitrary input (ie. HTML or Javascript code) to
haydn.exe in the VHTML_FILE parameter. Upon an error condition haydn.exe
will exit returning not sanitized input to the web server which will in
turn pass it on to the client browser.

The vulnerability can be verified issuing the following request to
haydn.exe:
https://<site>/cgi-bin/haydn.exe?VHTML_FILE=test<body
onload=javascript:alert('fixme!')>file_name</body>.htm

The use of Javascript is for demonstration purposes only and could be
replaced with any static or dynamic code of the attacker's choice.

To determine if the vulnerability is present using the above example make
sure that the web browser is configured to allow Javascript execution.

An attacker could also choose to mimic the results of a successful
legitimate request to haydn.exe and thus subvert the operations of the
application using the vulnerable component.

Workaround:
Filter the content passed by the user in the VHTML_FILE field to only
allow valid characters on input before passing the request to haydn.exe.

Additionally, when passing back the output of haydn.exe to the client
browser sanitize the data to avoid passing back arbitrary code
(Javascript, HTML,etc) that could be rendered and executed by the user's
browser.

Additional information and References:
Cross-Site Scripting (commonly referred to as XSS) attacks are the result
of improper filtering of input obtained from untrusted sources. Basically,
they consist in the attacker injecting malicious tags and/or script code
that is executed by the user's web browser when accessing the vulnerable
web site. The injected code then takes advantage of the trust given by the
user to the vulnerable site. These attacks are usually targeted to all
users of a web application instead of the application itself (although one
could say that the users are affected because of a vulnerability of the
web application). The term cross-site scripting' is also sometimes used in
a broader sense referring to different types of attacks involving script
injection into the client.

HTML Code Injection and Cross-Site Scripting:
<http://www.owasp.org/documentation/topten/a4.html>
http://www.owasp.org/documentation/topten/a4.html

How To Prevent Cross-Site Scripting Security Issues:
<http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985>
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985

How To Review ASP Code for CSSI Vulnerability:
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119>
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119

The Cross-Site Scripting FAQ (XSS):
<http://www.cgisecurity.com/articles/xss-faq.shtml>
http://www.cgisecurity.com/articles/xss-faq.shtml

Sample methods for JS-Injection: <http://www.websec.org/adv/js.html>
http://www.websec.org/adv/js.html

Vendors contacted:
2006-01-25: Notification sent to Verisign
2006-01-25: Notification acknowledged by Verisign
2006-01-26: Draft advisory with details sent to Verisign
2006-02-08: Vulnerability confirmed by Verisign
2006-03-17: Verisign's response with fix information
2006-03-20: CORE-2006-0124 Advisory released


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@xxxxxxxxxxxxxxxx>
CORE Security Technologies Advisories.
The original article can be found at:
<http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10>
http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages