NAI Net Tools PKI Server Vulnerabilities

Advisory ID (Internal): CORE-080200

Advisory Information:

Advisory ID: CORE-080200
CVE Name: CVE-2000-0740, CVE-2000-0739, CVE-2000-0741
Bugtraq ID: 1536, 1537, 1538

Buenos Aires, Argentina

While investigating the exploitability of a buffer overflow in the Net Tools PKI Server from Network Associates Inc., we discovered three new vulnerabilities not fixed by hotfix 1, which was released to fix the problems reported by Jim Stickley of Garrison Technologies Inc.

(See http://www.securityfocus.com/bid/1363 and http://www.securityfocus.com/bin/1364)

Problem Description:

Problem #1: Buffer overflow in strong.exe

A buffer overflow in the web server component of the Net Tools PKI server allows a remote attacker to execute arbitrary code as SYSTEM on the machine running it.
To determine whether anyone has attempted to exploit this vulnerability, check the enroll-access.log and the admin-access.log files in the WebServer/logs directory of your Net Tools PKI Server installation. Search for any log entries which are excessively long (greater than 500 characters). Each log entry can then be examined to see the IP address of the computer that submitted the request.

Problem #2: Directory traversal vulnerability

The default installation of Net Tools PKI server allows a remote attacker to view and download any file residing on the server.

To determine whether anyone has attempted to exploit this vulnerability, check the enroll-access.log and the admin-access.log files in the WebServer/logs directory of your Net Tools PKI Server installation. Search for any log entries containing ".." within them. Each log entry can then be examined to see the IP address of the computer that submitted the request.
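Both log checks above (oversized entries for Problem #1, ".." for Problem #2) can be scripted. The following is an added example written for this advisory, not code from CORE or from the Net Tools PKI Server: it classifies each access-log line, reports the client address and counts the hits. The log line layout (client IP as the first whitespace-delimited field) and the sample lines are assumptions constructed for the example; adjust the field parsing to the actual format of enroll-access.log and admin-access.log.

```c
/* Added example (not from the CORE advisory): scan PKI web server access-log
 * entries for the two indicators the advisory names: entries longer than
 * 500 characters (Problem #1) and entries containing ".." (Problem #2).
 * ASSUMPTION: the client IP is the first whitespace-delimited field. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LONG_ENTRY_THRESHOLD 500   /* characters, from the advisory */

enum { HIT_LONG_ENTRY = 1, HIT_TRAVERSAL = 2 };

/* Classify one log line. Returns a bitmask of HIT_* flags and, when ip_out
 * is non-NULL, copies the first field (assumed client IP) into it. */
int classify_log_entry(const char *line, char *ip_out, size_t ip_len)
{
    int flags = 0;
    size_t n = strlen(line);
    if (n > 0 && line[n - 1] == '\n') n--;      /* do not count the newline */
    if (n > LONG_ENTRY_THRESHOLD) flags |= HIT_LONG_ENTRY;
    if (strstr(line, "..") != NULL) flags |= HIT_TRAVERSAL;

    size_t i = 0;
    while (i < n && i + 1 < ip_len && line[i] != ' ' && line[i] != '\t') {
        ip_out[i] = line[i];
        i++;
    }
    if (ip_len > 0) ip_out[i] = '\0';
    return flags;
}

/* Walk a whole log buffer line by line, print each suspicious entry with its
 * source address, and return how many entries were flagged. */
int scan_log_buffer(const char *log)
{
    int hits = 0;
    const char *p = log;
    char line[4096];
    char ip[64];
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        int flags = classify_log_entry(line, ip, sizeof ip);
        if (flags) {
            hits++;
            printf("%s: %s%s(%zu chars)\n", ip,
                   (flags & HIT_LONG_ENTRY) ? "oversized entry " : "",
                   (flags & HIT_TRAVERSAL) ? "'..' in request " : "", len);
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

/* Constructed sample log (not real data): a benign request, a traversal
 * attempt and a 600-character request path. */
const char *build_sample_log(void)
{
    static char buf[2048];
    size_t off = 0;
    off += (size_t)snprintf(buf + off, sizeof buf - off,
        "10.0.0.5 - - \"GET /enroll/index.html HTTP/1.0\" 200\n");
    off += (size_t)snprintf(buf + off, sizeof buf - off,
        "10.0.0.7 - - \"GET /../../secret.txt HTTP/1.0\" 200\n");
    off += (size_t)snprintf(buf + off, sizeof buf - off, "10.0.0.9 - - \"GET /");
    for (int i = 0; i < 600 && off + 2 < sizeof buf; i++)
        buf[off++] = 'A';
    snprintf(buf + off, sizeof buf - off, " HTTP/1.0\" 400\n");
    return buf;
}

int main(void)
{
    int hits = scan_log_buffer(build_sample_log());
    printf("%d suspicious entries\n", hits);
    return 0;
}
```

Run against a real log with something like a file read loop in place of build_sample_log(); the classification is per line, so the same two checks apply to both log files.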

Problem #3: Format strings with user supplied data

The Net Tools PKI Server fails to properly validate the data passed as arguments to the server's logging routines, which allows a remote attacker to execute arbitrary code as SYSTEM on the machine running it.

Impact:

Problem #1: Remote unauthenticated access to the PKI Server, execution of arbitrary commands as the user running the enrollment server (System)
Problem #2: Remote unauthenticated access to any file on the PKI Server
Problem #3: Remote unauthenticated access to the PKI Server, execution of arbitrary commands as the user running the enrollment server (System)

Technical Details:

Problem #1: Buffer overflow in strong.exe
Strong.exe is the web server component of the PKI Server; it services requests over SSL on ports 443/tcp, 444/tcp and 445/tcp (default ports).
While connections to port 443/tcp require both client and server authentication using certificates, connections to port 444/tcp require no client authentication; therefore any user with network connectivity to the PKI server can connect via HTTPS to that port.

The service running on port 443/tcp is called the Administrative Web Server, so the requirement for mutual authentication there is to be expected.

The service running on port 444/tcp is the Enrollment Web Server and does not require a client side certificate by default.

Both web servers are actually virtual servers serviced by strong.exe.
A buffer overflow is present in the function that generates log data; it allows the stack to be overwritten with user-supplied data passed to the server as a URL in the HTTPS request.
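The two logging defects this advisory describes (the unbounded copy of the request URL in Problem #1, and user data reaching the logging routine's format string in Problem #3) are shown below beside their hardened forms. This is an added example written for this advisory, not code from Network Associates or from CORE; the buffer size, the log line layout, the log_msg routine and the sample URLs are assumptions constructed for the example.

```c
/* Added example, not strong.exe code: a request-logging routine shaped like
 * the one the advisory describes, with the two defects it attributes to the
 * PKI Server's logging (Problem #1 and Problem #3) and the hardened form of
 * each. LOG_LINE_MAX and the line layout are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 512   /* assumed size of the server's log line buffer */

/* printf-style logging primitive into a bounded buffer (assumed shape). */
static int log_msg(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Problem #1 shape (shown only, never called): the URL copied into a fixed
 * stack buffer with no length check, so a request longer than LOG_LINE_MAX
 * overwrites whatever follows the buffer on the stack.
 *
 *     char line[LOG_LINE_MAX];
 *     strcpy(line, url);
 *
 * Hardened: bounded formatting with the truncation reported to the caller.
 * Returns 0 when the whole line fit, -1 when it was truncated. */
int log_request_bounded(char *out, size_t out_len, const char *client_ip, const char *url)
{
    int n = log_msg(out, out_len, "%s \"%s\"", client_ip, url);
    if (n < 0) {
        if (out_len) out[0] = '\0';
        return -1;
    }
    return (size_t)n < out_len ? 0 : -1;
}

/* Problem #3 shape: request data handed to log_msg as the FORMAT, so any '%'
 * directives in it are interpreted. Demonstrated only with the harmless
 * "%%", which the formatter collapses to a single "%". */
int log_request_unsafe(char *out, size_t out_len, const char *url)
{
    return log_msg(out, out_len, url);
}

/* Hardened: the same data bound to a "%s" conversion and copied verbatim. */
int log_request_safe(char *out, size_t out_len, const char *url)
{
    return log_msg(out, out_len, "%s", url);
}

/* Helpers over static buffers so the two behaviours can be compared. */
const char *render_unsafe(const char *url)
{
    static char buf[LOG_LINE_MAX];
    log_request_unsafe(buf, sizeof buf, url);
    return buf;
}
const char *render_safe(const char *url)
{
    static char buf[LOG_LINE_MAX];
    log_request_safe(buf, sizeof buf, url);
    return buf;
}
int bounded_result(const char *url)
{
    char line[LOG_LINE_MAX];
    return log_request_bounded(line, sizeof line, "10.0.0.9", url);
}

/* Constructed sample: a 600-character request path, longer than the buffer. */
const char *overlong_url(void)
{
    static char url[601];
    memset(url, 'A', 600);
    url[0] = '/';
    url[600] = '\0';
    return url;
}

int main(void)
{
    printf("unsafe : %s\n", render_unsafe("/enroll/100%%done"));  /* %% collapses */
    printf("safe   : %s\n", render_safe("/enroll/100%%done"));    /* verbatim */
    printf("bounded: %d\n", bounded_result(overlong_url()));      /* truncated */
    return 0;
}
```

The rule the hardened forms follow is simple: the format string is always a literal owned by the program, every byte of request data is bound to a "%s" conversion, and the buffer length is passed to the formatter and its return value checked, so an over-long URL is truncated and reported rather than written past the end of the stack buffer.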