Core Security Technologies - Corelabs Advisory
                  http://www.coresecurity.com/corelabs/

          Cross-Site Scripting in Verisign’s haydn.exe CGI script



Date Published: 2006-03-20

Last Update: 2006-03-20

Advisory ID: CORE-2006-0124

Bugtraq ID: None currently assigned

CVE Name: None currently assigned

Title: Cross-Site Scripting in Verisign’s haydn.exe CGI script

Class: Input Validation Error

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10

Vendors contacted:
 2006-01-25: Notification sent to Verisign
 2006-01-25: Notification acknowledged by Verisign
 2006-01-26: Draft advisory with details sent to Verisign
 2006-02-08: Vulnerability confirmed by Verisign
 2006-03-17: Verisign's response with fix information
 2006-03-20: CORE-2006-0124 Advisory released


Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

 The haydn.exe file is used as a CGI common component in various
 Verisign products, including those aimed at Digital ID certificate
 enrollment, revocation and validation of server certificates.


 A cross-site scripting vulnerability found in Verisign’s haydn.exe
 could allow an attacker to execute scripting code in the machine of
 a user within the user's web browser with the same trust level as that
 of the site  hosting the haydn.exe file (this is usually a trusted
 site, since it is used  to enroll, revoke or  validate certificates).

 A malicious web site could use this vulnerability to spoof the
 results of certificate validation operations that are performed on
 a trusted site that uses the vulnerable executable.

*Vulnerable Packages:*

 Vulnerable package information provided by the vendor
  - MPKI 6.0

*Solution/Vendor Information:*

 Fix information provided by the vendor:

 "VeriSign appreciates Core Security for bringing this to our attention.
  To ensure appropriate management of error messages the creation of a
  default HTML file must be constructed. To do this perform the
  following:

  Create a blank html file in the  '<local hosting install
  directory>/htmldocs/' directory labeled 'fdf_noHTMLFile.html'
 "

*Credits:*

 This vulnerability was found by Alberto Soliño from Core Security
 Technologies.


*Technical Description - Exploit/Concept Code:*

 The vulnerability is classified as common Cross Site Scripting bug due
 to the lack of user input validation in parameters passed to the CGI
 component.

 It is possible to specify arbitrary input (ie. HTML or Javascript code)
 to haydn.exe in the VHTML_FILE parameter. Upon an error condition
 haydn.exe will exit returning not sanitized input to the web server
 which will in turn pass it on to the client browser.

 The vulnerability can be verified issuing the following request to
 haydn.exe:

 https://<site>/cgi-bin/haydn.exe?VHTML_FILE=test<body
 onload=javascript:alert('fixme!')>file_name</body>.htm

 The use of Javascript is for demonstration purposes only and could be
 replaced with any static or dynamic code of the attacker's choice.

 To determine if the vulnerability is present using the above example
 make sure that the web browser is configured to allow Javascript
 execution.

 An attacker could also choose to mimic the results of a successful
 legitimate request to haydn.exe and thus subvert the operations of the
 application using the vulnerable component.

*Workaround:*

 Filter the content passed by the user in the VHTML_FILE field to only
 allow valid characters on input before passing the request to
 haydn.exe.

 Additionally, when passing back the output of haydn.exe to the client
 browser sanitize the data to avoid passing back arbitrary code
 (Javascript, HTML,etc) that could be rendered and executed by the
 user's browser.


*Additional information and References*

 Cross-Site Scripting (commonly referred to as XSS) attacks are the
 result of improper filtering of input obtained from untrusted sources.
 Basically, they consist in the attacker injecting malicious
 tags and/or script code that is executed by the user's web browser
 when accessing the vulnerable web site. The injected code then takes
 advantage of the trust given by the user to the vulnerable site.
 These attacks are usually targeted to all users of a web application
 instead of the application itself (although one could say that the
 users are affected because of a vulnerability of the web application).
 The term ‘cross-site scripting' is also sometimes used in a broader
 sense  referring to different types of attacks involving script
 injection into the client.


 HTML Code Injection and Cross-Site Scripting:
 http://www.owasp.org/documentation/topten/a4.html


 How To Prevent Cross-Site Scripting Security Issues:
 http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985

 How To Review ASP Code for CSSI Vulnerability:
 http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119

 The Cross-Site Scripting FAQ (XSS):
 http://www.cgisecurity.com/articles/xss-faq.shtml

 Sample methods for JS-Injection:
 http://www.websec.org/adv/js.html


*About CoreLabs*

 CoreLabs, the research center of Core Security Technologies, is charged
 with anticipating the future needs and requirements for information
 security technologies.
 We conduct our research in several important areas of computer security
 including system vulnerabilities, cyber attack planning and simulation,
 source code auditing, and cryptography. Our results include problem
 formalization, identification of vulnerabilities, novel solutions and
 prototypes for new technologies.

 CoreLabs regularly publishes security
 advisories, technical papers, project information and shared software
 tools for public use at:  http://www.coresecurity.com/corelabs/


*About Core Security Technologies*

 Core Security Technologies develops strategic solutions that help
 security-conscious organizations worldwide. The company’s flagship
 product, CORE IMPACT, is the first automated penetration testing
 product for assessing specific information security threats to an
 organization. Penetration testing evaluates overall network security
 and identifies what resources are exposed. It enables organizations to
 determine if current security investments are detecting and preventing
 attacks.
 Core augments its leading technology solution with world-class security
 consulting services, including penetration testing, software security
 auditing and related training.

 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.


*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2006 CORE Security
 Technologies and (c) 2006 Corelabs, and may be distributed freely
 provided that no fee is charged for this distribution and proper
 credit is given.

$Id: verisign-advisory.txt,v 1.8 2006/03/20 22:29:39 iarce Exp $