[VulnWatch] CORE-2006-0124: Cross-Site Scripting in Verisign’s haydn.exe CGI script




Core Security Technologies - Corelabs Advisory
http://www.coresecurity.com/corelabs/

Cross-Site Scripting in Verisign’s haydn.exe CGI script



Date Published: 2006-03-20

Last Update: 2006-03-20

Advisory ID: CORE-2006-0124

Bugtraq ID: None currently assigned

CVE Name: None currently assigned

Title: Cross-Site Scripting in Verisign’s haydn.exe CGI script

Class: Input Validation Error

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10

Vendors contacted:
2006-01-25: Notification sent to Verisign
2006-01-25: Notification acknowledged by Verisign
2006-01-26: Draft advisory with details sent to Verisign
2006-02-08: Vulnerability confirmed by Verisign
2006-03-17: Verisign's response with fix information
2006-03-20: CORE-2006-0124 Advisory released


Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

The haydn.exe file is used as a CGI common component in various
Verisign products, including those aimed at Digital ID certificate
enrollment, revocation and validation of server certificates.


A cross-site scripting vulnerability found in Verisign’s haydn.exe
could allow an attacker to execute scripting code in the machine of
a user within the user's web browser with the same trust level as that
of the site hosting the haydn.exe file (this is usually a trusted
site, since it is used to enroll, revoke or validate certificates).

A malicious web site could use this vulnerability to spoof the
results of certificate validation operations that are performed on
a trusted site that uses the vulnerable executable.

*Vulnerable Packages:*

Vulnerable package information provided by the vendor
- MPKI 6.0

*Solution/Vendor Information:*

Fix information provided by the vendor:

"VeriSign appreciates Core Security for bringing this to our attention.
To ensure appropriate management of error messages the creation of a
default HTML file must be constructed. To do this perform the
following:

Create a blank html file in the '<local hosting install
directory>/htmldocs/' directory labeled 'fdf_noHTMLFile.html'
"

*Credits:*

This vulnerability was found by Alberto Soliño from Core Security
Technologies.


*Technical Description - Exploit/Concept Code:*

The vulnerability is classified as common Cross Site Scripting bug due
to the lack of user input validation in parameters passed to the CGI
component.

It is possible to specify arbitrary input (ie. HTML or Javascript code)
to haydn.exe in the VHTML_FILE parameter. Upon an error condition
haydn.exe will exit returning not sanitized input to the web server
which will in turn pass it on to the client browser.

The vulnerability can be verified issuing the following request to
haydn.exe:

https://<site>/cgi-bin/haydn.exe?VHTML_FILE=test<body
onload=javascript:alert('fixme!')>file_name</body>.htm

The use of Javascript is for demonstration purposes only and could be
replaced with any static or dynamic code of the attacker's choice.

To determine if the vulnerability is present using the above example
make sure that the web browser is configured to allow Javascript
execution.

An attacker could also choose to mimic the results of a successful
legitimate request to haydn.exe and thus subvert the operations of the
application using the vulnerable component.

*Workaround:*

Filter the content passed by the user in the VHTML_FILE field to only
allow valid characters on input before passing the request to
haydn.exe.

Additionally, when passing back the output of haydn.exe to the client
browser sanitize the data to avoid passing back arbitrary code
(Javascript, HTML,etc) that could be rendered and executed by the
user's browser.


*Additional information and References*

Cross-Site Scripting (commonly referred to as XSS) attacks are the
result of improper filtering of input obtained from untrusted sources.
Basically, they consist in the attacker injecting malicious
tags and/or script code that is executed by the user's web browser
when accessing the vulnerable web site. The injected code then takes
advantage of the trust given by the user to the vulnerable site.
These attacks are usually targeted to all users of a web application
instead of the application itself (although one could say that the
users are affected because of a vulnerability of the web application).
The term ‘cross-site scripting' is also sometimes used in a broader
sense referring to different types of attacks involving script
injection into the client.


HTML Code Injection and Cross-Site Scripting:
http://www.owasp.org/documentation/topten/a4.html


How To Prevent Cross-Site Scripting Security Issues:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985

How To Review ASP Code for CSSI Vulnerability:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119

The Cross-Site Scripting FAQ (XSS):
http://www.cgisecurity.com/articles/xss-faq.shtml

Sample methods for JS-Injection:
http://www.websec.org/adv/js.html


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.

CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://www.coresecurity.com/corelabs/


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing
product for assessing specific information security threats to an
organization. Penetration testing evaluates overall network security
and identifies what resources are exposed. It enables organizations to
determine if current security investments are detecting and preventing
attacks.
Core augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.

Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.


*DISCLAIMER:*

The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 Corelabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.

$Id: verisign-advisory.txt,v 1.8 2006/03/20 22:29:39 iarce Exp $



Relevant Pages