
SecCommerce SecSigner Java Applet 3.5.0 File Upload

Posted Dec 19, 2011
Authored by Johannes Greil, Elisabeth Demeter | Site sec-consult.com

The SecCommerce SecSigner Java applet version 3.5.0 suffers from a client-side remote arbitrary file upload vulnerability.

tags | advisory, java, remote, arbitrary, file upload
MD5 | 97a68963b11eb9b926c5a86c12289388

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
=======================================================================
title: Client-side remote arbitrary file upload
product: SecCommerce SecSigner Java Applet
vulnerable version: 3.5.0 < build 2011/11/12
fixed version: 3.5.0 build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D created 2011/11/25
impact: critical
homepage: https://www.seccommerce.de/en/products-en/secsigner.html
found: 2011/10/21
by: E. Demeter / SEC Consult Vulnerability Lab
    J. Greil / SEC Consult Vulnerability Lab
    http://www.sec-consult.com
=======================================================================


Vendor description:
-------------------
"Qualified and advanced electronic signatures may be created and
validated using SecSigner. Signing documents electronically allows for
workflow scenarios and contracting avoiding any media conversion.
SecSigner 3.5.0 is currently available on our web site.

For this version, a manufacturer's declaration according to German
signature law is available at the corresponding regulatory authority.
The parent version 2.0.0 has been certified by the German Federal
Office for Information Security (BSI) according to ITSEC E2/high."

https://www.seccommerce.de/en/products-en/secsigner.html


Vulnerability overview/description:
-----------------------------------
The signed Java applet SecSigner uses the file "secsigner.properties" to
configure certain settings of the applet. Amongst others, it is
possible to set the variable "seccommerce.resource", which defines a
file that is loaded during the execution of the applet to supply
additional functionality.

If the setting "seccommerce.resource.localcopy" is set to "on", this
file is saved in the defined local temporary folder
"%user%\.seccommerce" on the client. It is however possible to define
any different relative path (path traversal) for that file. The only
requirement is that the same path also exists on the webserver the
applet is executed from. Any arbitrary file can be chosen to be used
for the "seccommerce.resource" file.

An attacker is able to upload arbitrary files to an arbitrary path on
the victim's computer. For example, if a malicious executable is
uploaded to the Windows "startup" folder, it is executed at the next
reboot.

This vulnerability is only a sample, no further investigations
regarding the security quality of the product have been performed.
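
The containment check that the local-copy step described above was missing, as an added Java example that is not SecSigner's code and not part of the advisory. The class name, method names and sample resource values are hypothetical; only the ".seccommerce" directory name comes from the text above.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class LocalCopyPathCheck {

    // Unvalidated join (hypothetical illustration of the flaw): the
    // server-supplied resource name is appended to the cache directory,
    // so ".." segments can move the target anywhere the user can write.
    static Path naiveTarget(Path cacheDir, String resource) {
        return cacheDir.resolve(resource);
    }

    // Hardened join: collapse "." and ".." first, then require that the
    // result is still a descendant of the cache directory.
    // Path.startsWith compares whole name elements, not string prefixes,
    // so ".seccommerce-evil" does not pass as ".seccommerce".
    static Path safeTarget(Path cacheDir, String resource) throws IOException {
        Path base = cacheDir.toAbsolutePath().normalize();
        // An absolute resource replaces base entirely in resolve() and is
        // then rejected by the startsWith check below.
        Path target = base.resolve(resource).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("resource escapes local copy directory: " + resource);
        }
        // Assumption: no symlinks below base. If there may be, compare
        // toRealPath() of the parent directory before writing.
        return target;
    }

    public static void main(String[] args) {
        Path cacheDir = Paths.get(System.getProperty("user.home"), ".seccommerce");
        // Constructed sample values for "seccommerce.resource".
        String[] samples = {
            "resources/extra.jar",
            "../../outside/extra.jar",
            "resources/../../outside/extra.jar"
        };
        for (String s : samples) {
            System.out.println("naive target: " + naiveTarget(cacheDir, s));
            try {
                System.out.println("  accepted: " + safeTarget(cacheDir, s));
            } catch (IOException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```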


Proof of concept:
-----------------
No exploit code will be published.


Vulnerable / tested versions:
-----------------------------
SecSigner 3.5.0


Vendor contact timeline:
------------------------
2011-11-10: Contacting vendor through info@seccommerce.de, asking for
security contact
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending
security advisory
2011-11-11: Explaining the vulnerability to the vendor, sending details
that it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory


Solution:
---------
Apply the fix of the vendor and only use the latest version:

Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25

https://www.seccommerce.de/en/products-en/secsigner.html


Workaround:
-----------

Only use the fixed version and invalidate the old Java applet
certificate!

Remove the affected trusted certificate of SecSigner/SecCommerce in
the Java control panel (jcontrol) on all clients and add it to the
Oracle Java blacklist:
Java\jre6\lib\security\blacklist


Don't fully trust signed Java applets (in general).


Advisory URL:
-------------
http://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
http://www.sec-consult.com

EOF E. Demeter, J. Greil / @2011
