Vulnerability Report For Network Associates PGP Keyserver 7.0 for Windows NT/2000 and UNIX

Advisory ID Internal
CORE-2001-0813

Bugtraq ID: None currently assigned.

CVE Name: None currently assigned.

Title: Network Associates PGP Keyserver 7.0 Administration Web Console Multiple Vulnerabilities

Class: Access Validation Error/Design Error

Remotely Exploitable: Yes

Locally Exploitable: Yes


Vulnerability Description

PGP Keyserver is a product aimed primarily for storage and retrieval of public keys. It acts both as HTTP and LDAP server for this purpose. Web Console is the Web-based portion of the software that gives administrators the ability to remotely monitor and manage their PGP Keyserver. There exist several security flaws in the Web Console system that can allow an attacker to gain full control of server configuration.

Taking advantage of console's configuration functionalities an attacker is able to read and overwrite almost any file on the system. Carefully overwriting files could also allow an intruder to run arbitrary commands on the server.


Vulnerable Packages/Systems


- PGP Keyserver 7.0 for Windows NT/2000

- PGP Keyserver 7.0 for Solaris

 


Solution/Vendor Information/Workaround

A simple solution to the authentication problem is to reconfigure the Apache server editing the httpd.conf file located at (SERVER ROOT PATH)\Web\conf\httpd.conf, setting proper restrictions to the "/cgi-bin" directory.

The access to the file system through the console is a design problem that would not be dangerous if a secure authentication were used.


Credits

These vulnerabilities were discovered by Core Security Technologies.


Technical Description - Exploit/Concept Code

The Web Console system is implemented over an Apache Web Server, it uses SSL encryption protocol and listens, by default, on the standard HTTPS port 443.

The default authentication method used is "Basic HTTP authentication", this means that the web browser will ask for an username and password to allow access to the console. Looking at the file configuration portion below we will notice that the access restrictions are applied over the CGI files, but due to the format used to write the rule it could be easily bypassed.

Example:

If an attacker connects to the url:

"https://server:port/keyserver/cgi-bin/cs.exe"

the server will require a valid password to give access to the console CGI.


But if instead the intruder uses the same url but without the file extension, he/she will access without restrictions:

"https://(server:port)/keyserver/cgi-bin/cs"


The same happens with all the scripts:

https://(server:port)/keyserver/cgi-bin/console?_page=panel

https://(server:port)/keyserver/cgi-bin/multi_config?


------------------------------httpd.conf--------------------------------

....

ScriptAlias /keyserver/cgi-bin/ "E:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin/"

Alias /keyserver "E:/Program Files/Network Associates/PGP Keyserver/Web/keyserver/"

Alias /keyserver/docs/ "E:/Program Files/Network Associates/PGP Keyserver/Web/../Documentation/"

Alias /keyserver/images/ "E:/Program Files/Network Associates/PGP Keyserver/Web/htdocs/images/"

 

<Location ~ "/keyserver/cgi-bin/(console|cs|multi_config)\.(pl|exe)">

Order allow,deny

Allow from all

require valid-user

AuthType Basic

AuthName "PGP Keyserver Administration"

AuthUserFile "E:/Program Files/Network Associates/PGP Keyserver/Web/.allowed-admin"

</Location>

 

....

------------------------------httpd.conf--------------------------------

 

Through the friendly console forms it is possible to read any ascii file on the system performing a simple trick:


How to read a file:

1 - Point your browser to:

https://(server:port)/keyserver/cgi-bin/cs?_page=access

A form will be shown, allowing you to select the "Access log file"

You can fill this field with the path to any file on the system.

 

2 - Click the "Save Changes" button located in the top of the page.

 

3 - Now, connect to

https://(server:port)/keyserver/cgi-bin/console?_page=panel

You will see several buttons, click over "Restart server" to

activate the new configuration.

 

4 - Now go to:

https://(server:port)/keyserver/cgi-bin/console?page_size=50&refresh_interval=0&_page=log

and you will receive the file content.

 

Note:

The file will be written when any event happens, you can read the content and restore the configuration. You can use these steps to read the password file ".allowed-admin" where the admin username and password hash are stored, that could be brute forced (SHA1/base64).

 


How to write a file:


1 - Put this url in your browser:

https://(server:port)/keyserver/cgi-bin/cs?_page=selectconfig

A form will be shown, allowing you to select the "Configuration File Name"

You can fill this field with the path to any existent file on the system.

 

2 - Press the "Fetch" button.

 

3 - Go to any of the configuration sections and click in the "Save changes" button

the file will be overwritten. You can control only partially the data that is going

to be written, filling certain configuration fields.

 


*DISCLAIMER*

The contents of this advisory are copyright (c) 2001 Core Security Technologies, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: PGPKeyServer70_web_console-advisory.txt,v 1.4 2003/04/23 18:55:52 carlos Exp $