lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20111219134224.3167d7aa@sec-consult.com>
Date: Mon, 19 Dec 2011 13:42:24 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: bugtraq <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20111219-0 :: Client-side remote
 arbitrary file upload in SecCommerce SecSigner Java Applet

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
=======================================================================
              title: Client-side remote arbitrary file upload
            product: SecCommerce SecSigner Java Applet 
 vulnerable version: 3.5.0 < build 2011/11/12
      fixed version: 3.5.0 build
                     4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
                     created 2011/11/25
             impact: critical
           homepage: https://www.seccommerce.de/en/products-en/secsigner.html
	      found: 2011/10/21
                 by: E. Demeter / SEC Consult Vulnerability Lab
                     J. Greil / SEC Consult Vulnerability Lab
		     http://www.sec-consult.com
=======================================================================


Vendor description:
-------------------
"Qualified and advances electronic signatures may be created and
validated using SecSigner. Signing documents electronically allows for
workflow scenarios and contracting avoiding any media conversion.
SecSigner 3.5.0 is currently available on our web site. 

For this version, a manufacturer's declaration according to German
signature law is available at the corresponding regulatory authority.
The parent version 2.0.0 has been certified by the German Federal
Office for Information Security (BSI)according to ITSEC E2/high."

https://www.seccommerce.de/en/products-en/secsigner.html


Vulnerability overview/description:
-----------------------------------
The signed Java applet SecSigner uses the file "secsigner.properties" to
configure certain settings of the applet. Amongst others, it is
possible to set the variable "seccommerce.resource", which defines a
file that is loaded during the execution of the applet to supply
additional functionality.

If the setting "seccommerce.resource.localcopy" is set to "on", this
file is saved in the defined local temporary folder
"%user%\.seccommerce" on the client. It is however possible to define
any different relative path (path traversal) for that file. The only
requirement that is needed is that the same path also exists on the
webserver the applet is executed from. Any arbitrary file can be chosen
to be used for the "seccommerce.resource" file.

An attacker is able to upload arbitrary files to an arbitrary path on
the victim's computer. E.g., if a malicious executable is uploaded to
the Windows "startup" folder, it is being executed at the next reboot.

This vulnerability is only a sample, no further investigations
regarding the security quality of the product have been performed.


Proof of concept:
-----------------
No exploit code will be published.


Vulnerable / tested versions:
-----------------------------
SecSigner 3.5.0


Vendor contact timeline:
------------------------
2011-11-10: Contacting vendor through info@...commerce.de, asking for
            security contact
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending
            security advisory
2011-11-11: Explaining the vulnerability to the vendor, sending details
            that it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory


Solution:
---------
Apply the fix of the vendor and only use the latest version:

Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25

https://www.seccommerce.de/en/products-en/secsigner.html


Workaround:
-----------

Only use the fixed version and invalidate the old Java applet
certificate!

Remove the affected trusted certificate of SecSigner/SecCommerce from
the Java control panel (jcontrol) from all clients and add it to the
Oracle Java blacklist:
Java\jre6\lib\security\blacklist


Don't fully trust signed Java applets (in general).


Advisory URL:
-------------
http://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
http://www.sec-consult.com

EOF E. Demeter, J. Greil / @2011

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ