Client-side remote arbitrary file upload

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >

=======================================================================

title: Client-side remote arbitrary file upload

product: SecCommerce SecSigner Java Applet

vulnerable version: 3.5.0 < build 2011/11/12

fixed version: 3.5.0 build

4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D

created 2011/11/25

impact: critical

homepage: www.seccommerce.de/en/products-en/secsigner.html

found: 2011/10/21

by: E. Demeter / SEC Consult Vulnerability Lab

J. Greil / SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

 

Vendor description:

-------------------

"Qualified and advances electronic signatures may be created and validated

using SecSigner. Signing documents electronically allows for workflow

scenarios and contracting avoiding any media conversion. SecSigner 3.5.0 is

currently available on our web site.

 

For this version, a manufacturer's declaration according to German signature

law is available at the corresponding regulatory authority. The parent

version 2.0.0 has been certified by the German Federal Office for

Information Security (BSI)according to ITSEC E2/high."

 

www.seccommerce.de/en/products-en/secsigner.html

 

 

Vulnerability overview/description:

-----------------------------------

The signed Java applet SecSigner uses the file "secsigner.properties" to

configure certain settings of the applet. Amongst others, it is possible to

set the variable "seccommerce.resource", which defines a file that is loaded

during the execution of the applet to supply additional functionality.

 

If the setting "seccommerce.resource.localcopy" is set to "on", this file is

saved in the defined local temporary folder "%user%\.seccommerce" on the

client. It is however possible to define any different relative path (path

traversal) for that file. The only requirement that is needed is that the

same path also exists on the webserver the applet is executed from. Any

arbitrary file can be chosen to be used for the "seccommerce.resource" file.

 

An attacker is able to upload arbitrary files to an arbitrary path on the

victim's computer. E.g., if a malicious executable is uploaded to the Windows

"startup" folder, it is being executed at the next reboot.

 

This vulnerability is only a sample, no further investigations regarding the

security quality of the product have been performed.

 

 

Proof of concept:

-----------------

No exploit code will be published.

 

 

Vulnerable / tested versions:

-----------------------------

SecSigner 3.5.0

 

 

Vendor contact timeline:

------------------------

2011-11-10: Contacting vendor through info@seccommerce.de, asking for security

contact

2011-11-10/2011-11-11: Exchanging emails & encryption key, sending security

advisory

2011-11-11: Explaining the vulnerability to the vendor, sending details that

it is exploitable

2011-11-12: Vendor releases first fixed version

2011-11-14: Contacting CERT

2011-11-12/25: Vendor releases newer versions

2011-12-19: Coordinated public release of advisory

 

 

Solution:

---------

Apply the fix of the vendor and only use the latest version:

 

Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D

Version 3.5.0 created 2011/11/25

 

www.seccommerce.de/en/products-en/secsigner.html

 

 

Workaround:

-----------

 

Only use the fixed version and invalidate the old Java applet certificate!

 

Remove the affected trusted certificate of SecSigner/SecCommerce from the Java

control panel (jcontrol) from all clients and add it to the Oracle Java

blacklist:

Java\jre6\lib\security\blacklist

 

 

Don't fully trust signed Java applets (in general).

 

 

Advisory URL:

-------------

www.sec-consult.com/vulnerability-lab/

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF E. Demeter, J. Greil / @2011