[ 05Dec2001 Note: Valicert's official response was posted to their web site on December 4th, 2001 (the date of November 28th was the date we received it as a proprietary and confidential document, hence why we did not include details from it). The web address is http://www.valicert.com/support/security_advisory_eva.html ] _______________________________________________________________________________ * Information Anarchy 2K01 * Nomad Mobile Research Centre A D V I S O R Y www.nmrc.org Cyberiad [cyberiad@nmrc.org] Phuzzy L0gic [phyz@nmrc.org] 04Dec2001 _______________________________________________________________________________ Platforms : Windows NT 4.0 with SP6a : Windows 2000 Server : Solaris 2.6-2.8 : AIX 4.3.3 : HP-UX 11.0 Application : ValiCert Enterprise VA v3.3 - 4.2.1 releases (www.valicert.com) Severity : Various Synopsis -------- Valicert Enterprise VA provides validity status responses for X.509 certificates and supports the following verification mechanisms: - Certificate Revocation Lists - CRL Distribution Points - Online Certificate Status Protocol The Enterprise VA product architecture consists of: Enterprise VA Administration Server for performing management activities Enterprise VA Host Server for processing validation requests VA API defining custom extensions to Enterprise VA. Numerous vulnerabilities have been located in a CGI script used by the Enterprise VA Administration Server ranging from information gathering to system compromise. [Taken from www.valicert.com] - "ValiCert provides secure solutions for paperless e-business. Customers across the globe use our products and services to help migrate costly or inefficient business processes to the Internet, while maintaining the highest degree of trust and security." Tested configuration -------------------- Testing was done with the following configurations: Microsoft Windows NT Server 4.0 Microsoft Windows NT Service Pack 6a The Solaris version was also tested and found to be vulnerable to most of the overflow issues and one unique issue listed as issue #3. The vendor, ValiCert - www.valicert.com, has confirmed that all of the above named versions and operating systems are vulnerable. Issue #1 - Path Disclosure -------------------------- A path disclosure issue exists in the forms.exe CGI script used by Valicert when an new extension is added. Valicert can be extended by adding new extensions which are processed by custom policies. The following URL adds the extension, ldp: http://computer:13333/cgi-bin/forms.exe?extension=ldp&command=Add+Extension When an invalid extension, such as foobar, is provided in the following URL: http://computer:13333/cgi-bin/forms.exe?extension=foobar&command=Add+Extension the server returns an error page with the following text: Following Input/Configuration file is NOT FOUND in the required location. FILENAME = foobar LOCATION = D:\Program Files\ValiCert\EnterpriseVA\entserv Make sure the file is present in the above location and try again. Revealing the path to the Valicert installation. Issue #2 - Cross Site Scripting Problem ---------------------------------------- Due to the lack of input validation and filtering, a cross-site scripting issue exists in the certificate creation of the Valicert Administrative interface. A user creating a certificate can insert HTML code into the descriptive fields. If the certificate is viewed through the Valicert Administrative server, the HTML is interpreted and any scripting is executed. As an example, HTML code can be inserted into the organizational name which is interpreted upon certificate display. In doing so, a dialog box could be displayed, prompting the operator to enter a password. Though it is not possible to access unauthorized resources, it could be used to engineer an individual administering the Valicert server into entering sensitive data. If the Administrative server is protected with a password, only those individuals with the proper username/password can create such a certificate containing malicious data in the fields. Issue #3 - Random Key Generation Issue -------------------------------------- Valicert generates 'random' tokens for communication with Hardware Security Modules (securely stores digital certificates) using the C rand() function call. Furthermore, the C rand() function is seeded using local system time. Aside from the fact that the value is in itself predictible, system clock ticks are generally not finite enough to be used as a good, sole source of entropy. Seeding using local system time will guarantee that the values outputted will linearly increase. Lastly, if the '/dev/urandom' device exists, Valicert will use it by default for certificate generation. Although for most purposes the '/dev/urandom' device is sufficiently safe, it does not perform blocking when its entropy pool is low. Taking into consideration that within a PKI, non-repudiation (in the business, not the mathematical sense) is paramount, the behavior of the '/dev/random' device is much more favourable. Issue #4 - Multiple Buffer Overflows ------------------------------------ Multiple buffer overflows exist in the CGI script, forms.exe, which is used by the Valicert Enterprise VA Administration Server for management activities. By default the Administration Server listens on TCP port 13333 and can be configured to require a username and password for access. Using the Apache v1.3.6 web server for Win32, the Administration Server allows an operator to use a Web browser to: configure the Enterprise VA Host server start/stop the Enterprise VA Host server request product keys and licenses create key pairs add certificates add or modify certificate stores add and configure extensions view logs In total, fourteen (14) independent and exploitable overflows in parameters to forms.exe have been identified which allow for code to be executed with SYSTEM privileges. If the Administrative Server has been configured to require a username and password for access, the attacker requires the correct username and password to launch these attacks. Mode Overflow: ------------- The following URL is used to switch to server configuration mode, http://localhost:13333/cgi-bin/forms.exe?command=change_index_mode&mode=config Providing a mode string of 265 bytes overflows a buffer during a copy located at 0x0040acf8 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040adf9. http://localhost:13333/cgi-bin/forms.exe?forms.exe?command=change_index_mode&mode={A x 265} Analysis of the code and stack contents reveals that the unchecked buffer is 256 bytes long, followed by two pointers or 32-bit integers on the stack and then the return address. Certificate_File Overflow: ------------------------- The following URL is used to create a Microsoft-type certificate. Providing a Certificate_Files parameter of 1028 bytes overflows a buffer during a copy located at 0x0040599a in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x00405cb8. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?CertServerSelection =Microsoft&Certificate_Type=SHARE&Certificate_Files ={A x 1028}&command=Submit+Certificate+Type Analysis of the code and stack contents reveals that the unchecked buffer is 1024 bytes long, immediately followed by the return address on the stack. useExpiredCRLs Overflow: ------------------------ The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the useExpiredCRLs parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b9dc in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs={A x 1288}&maxOCSPValidityPeriod =0&command=Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. listenLength Overflow: --------------------- The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the listenLength parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b54e in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength={A x 1288}&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. maxThread Overflow: ------------------ The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the maxThread parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b5f3 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread={A x 1288}&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. maxConnPerSite Overflow: ----------------------- The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the maxConnPerSite parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b67f in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite={A x 1288}&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. maxMsgLen Overflow: ------------------ The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the maxMsgLen parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b70b in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen ={A x 1288}&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. exitTime Overflow: ----------------- The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the exitTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b797 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime={A x 1288}&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. blockTime Overflow: ------------------ The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the blockTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b823 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime={A x 1288}&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. nextUpdatePeriod Overflow: ------------------------- The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the blockTime parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b8af in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod={A x 1288}&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod=0&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. buildLocal Overflow: ------------------- The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the buildLocal parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040b950 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal={A x 1288}&useSoftwareSigning =Software&sslSigningType=Software&sslServerHost=&sslCertFile =sslCert.cert&sslPrivateKey=ssl.privkey&useExpiredCRLs =0&maxOCSPValidityPeriod=0&command=Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. maxOCSPValidityPeriod Overflow: ------------------------------ The following URL is used to reconfigure the Valicert server which responds to validation requests. Providing the maxOCSPValidityPeriod parameter a value of 1288 bytes overflows a buffer during a copy located at 0x0040ba68 in forms.exe and overwrites the return address which is popped off the stack at the subroutine return located at 0x0040bb17. [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?serverHost=computer&port =80&listenLength=100&maxThread=16&maxConnPerSite=100&maxMsgLen =20000&exitTime=-1&blockTime=5&nextUpdatePeriod=300&logFile =logs%2Fva&buildLocal=1&useSoftwareSigning=Software&sslSigningType =Software&sslServerHost=&sslCertFile=sslCert.cert&sslPrivateKey =ssl.privkey&useExpiredCRLs=0&maxOCSPValidityPeriod={A x 1288}&command =Submit+Configuration+Parameters Analysis of the code and stack contents reveals that the unchecked buffer is 1284 bytes long, immediately followed by the return address on the stack. extension Overflows: ------------------- Valicert can be extended by adding new extensions which are processed by custom policies. Attempting to add an extension with a file name of 995 bytes in length overflows a buffer at an sprintf located at 0x00417A9B in forms.exe while the error message to be displayed to the client is constructed. The long string overwrites the return address which is popped off the stack at the subroutine return located at 0x00417AD0. http://localhost:13333/cgi-bin/forms.exe?extension={A x 995}&command=Add+Extension Analysis of the code and stack contents reveals that the subroutine starting at 0x0040FEC0 makes many unchecked copies while converting the extension parameter to an absolute filename (i.e. D:\Program Files\ValiCert\EnterpriseVA\entserv\AAA..) and checking for existence, etc. During the course of these copies, terminating null's in (assumed) fixed-length buffers containing the filename are overwritten. As a result, the absolute filename passed to the offending sprintf call is much longer than expected. A solution to the sprintf problem will still leave the overflows in 0x0040FEC0, which may possible be exploited. Private Key Generation Overflow: ------------------------------- The operator can use the Administrative Server to generate new private keys for SSL communications or use in signing OCSP responses. An overflow exists in the processing of requests for the generation of private keys. The following is one example of how this overflow can be triggered by requesting a new private key for SSL communications. Long strings in all other parameter values other than the: country_name gen_self_signed_cert command keytype parameters will also trigger the overflow and overwrite a return address on the stack. The following URL overwrites the return address with the opt_company_name value (xxxx). [The following URL is line wrapped] http://localhost:13333/cgi-bin/forms.exe?country_name=XX&state_name =XX&locality_name=XX&org_name=XX&org_unit_name=X&common_name=X&email_address =X@X&challenge_password={A x 833}&opt_company_name=xxxx&gen_self_signed_cert =1&command=Submit+SW+Certificate+Request&keytype=BASIC%3BKEY_1 Analysis of the code and stack contents reveals that the parameters: country_name state_name locality_name org_name org_unit_name common_name email_address challenge_password opt_company_name are parsed and then reformatted using an sprintf statement called at 0x402C2E8. The destination buffer is too small to contain the results and overflows, overwriting the return address with the value in the opt_company_name parameter. The corrupted return address is popped off the stack at 0x0040C58A. The following set of constraints must be met for the overflow to occur: a) The country_name parameter must be exactly two bytes long otherwise the offending sprintf call is never reached. b) The email_address parameter must be of the form string@string otherwise the offending sprintf call is never reached. c) The total length of all parameters must be 864 bytes for the result from sprintf to overwrite the return address. Longer lengths will cause the buffer overflow but will also overwrite parameters passed to the subroutine, causing the CGI script to crash before the subroutine terminates and pops off the corrupted return address. Vendor Response --------------- ValiCert provided NMRC with their own advisory listing mitigation and fix information but also informed NMRC that their advisory contains ValiCert Inc. confidential and proprietary information. Based on this we are unsure of what information we can provide as a vendor response and urge all customers of ValiCert to contact support@valicert.com for more information. NMRC Suggested Mitigation ------------------------ NMRC offers the following suggestions to prevent these vulnerabilities from being exploited: If remote web administration is required, do so over an SSL connection to prevent the admin user id and password from being captured. Otherwise, blocking TCP port 13333, which is used for remote admin would prevent the overflows from being sucessful. Comments -------- NMRC first made contact with ValiCert at support@valicert.com on November 3, 2001 and no response was received. As per the NMRC disclosure policy, we should have released this advisory after waiting for a period of 5 business days. Due to the massive amount of issues found with this product we decided to give ValiCert one last chance at a response and sent them an additional email, also to support@valicert.com, on November 14, 2001 and received a response a few days afterwards. ValiCert also asked NMRC to not release the full details of the problems reported, in particular the overflows, but it is our opinion that not releasing the details does not provide any additional protection as high level details are enough for an intelligent researcher to discover the complete details and in support of full disclosure we have refused to censor any details of the problems above. ValiCert has also asked NMRC not release this advisory for a period of 60 days based on how some of ValiCert's customers perform change control. We feel that something like a security patch warrants emergency change control and if ValiCert truly cared about their customers, they would have audited their code before releasing it. NMRC feels that the migitation techniques of firewalling the port used by remote administrators (most businesses, as a rule, do not allow port 13333 through their firewall anyway) is adequate protection from potential outside intruders. Besides, even CERT only gives 45 days. An archive of the email exchanges between ValiCert and NMRC will be available shortly at: www.nmrc.org/InfoAnarchy/VCert.txt This advisory has been released in support of Information Anarchy 2K01 www.nmrc.org/InfoAnarchy Greetz ------ eEye - keep the fight for full disclosure and don't sell out! Simple Nomad - we are taking over NMRC so stop yelling "Get off my lawn" :-) hellNbak - wrote this advisory and dealt with the vendor so he has to get his name somewhere. The rest of NMRC - thanks for supporting InfoAnarchy 2K01! You guys rock! RFP, Attrition, VulnWatch, and anyone else who supports FULL DISCLOSURE. ------- "If knowledge is power then power is free, support Responsible Full Disclosure" -- hellNbak, NMRC "I get the feeling that we can almost make a career out of providing security critique of their EVA product alone" -- Phuzzy L0gic, NMRC "It's almost like they had to try and make it this insecure" -- chameleon, Rhino9 ------- Copyright -------- This advisory is copyright 2001 NMRC - feel free to distribute it without edits but fear us if you use this advisory in any type of commercial endeavour.