SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
=======================================================================
title: Client-side remote arbitrary file upload
product: SecCommerce SecSigner Java Applet
vulnerable version: 3.5.0 < build 2011/11/12
fixed version: 3.5.0 build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
created 2011/11/25
impact: critical
homepage: www.seccommerce.de/en/products-en/secsigner.html
found: 2011/10/21
by: E. Demeter / SEC Consult Vulnerability Lab
J. Greil / SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"Qualified and advanced electronic signatures may be created and validated
using SecSigner. Signing documents electronically allows for workflow
scenarios and contracting avoiding any media conversion. SecSigner 3.5.0 is
currently available on our web site.
For this version, a manufacturer's declaration according to German signature
law is available at the corresponding regulatory authority. The parent
version 2.0.0 has been certified by the German Federal Office for
Information Security (BSI) according to ITSEC E2/high."
www.seccommerce.de/en/products-en/secsigner.html
Vulnerability overview/description:
-----------------------------------
The signed Java applet SecSigner reads the file "secsigner.properties" to
configure certain settings of the applet. Among others, the property
"seccommerce.resource" defines a file that is loaded during execution of the
applet to supply additional functionality.
If the property "seccommerce.resource.localcopy" is set to "on", this file is
saved in the local temporary folder "%user%\.seccommerce" on the client. The
resource name is not restricted to that folder, however: any relative path,
including "../" sequences (path traversal), can be given. The only
requirement is that the same path also exists on the web server the applet is
loaded from, and any arbitrary file can be chosen as the "seccommerce.resource"
file.
An attacker is thus able to upload arbitrary files to an arbitrary path on the
victim's computer. E.g., if a malicious executable is uploaded to the Windows
"startup" folder, it is executed at the next reboot.
This vulnerability is only a sample, no further investigations regarding the
security quality of the product have been performed.
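The following Python script is an added illustration of the defect class
described above and of the check that prevents it; it is not code from
SecCommerce or from SEC Consult. It models the applet's "local copy" step on a
POSIX path layout (the base folder "/home/user/.seccommerce" stands in for
"%user%\.seccommerce", an assumption), parses a constructed
secsigner.properties snippet, shows how an unchecked join lets the resource
name escape the folder, and contrasts it with a containment check that rejects
such names. Property keys are the ones named in the advisory; all values are
constructed.

```python
"""Model of the SecSigner 'local copy' path handling (added example).

The vulnerable variant joins the configured resource name onto the temp
folder without checking the result; the hardened variant resolves the path
and refuses anything that leaves the folder.
"""
import posixpath

# Stand-in for "%user%\.seccommerce" on the client (assumption, POSIX layout).
BASE_DIR = "/home/user/.seccommerce"

# Constructed sample of a secsigner.properties file; not a vendor file.
SAMPLE_PROPERTIES = """\
# resource is copied next to the applet data when localcopy is on
seccommerce.resource.localcopy=on
seccommerce.resource=../../outside.dat
"""

# Constructed benign configuration for comparison.
SAFE_PROPERTIES = """\
seccommerce.resource.localcopy=on
seccommerce.resource=plugins/extra.jar
"""


def parse_properties(text):
    """Minimal java.util.Properties-style parser (key=value / key:value)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def resolve_local_copy(base_dir, resource):
    """Unsafe behaviour: join the resource name onto base_dir unchecked."""
    resource = resource.replace("\\", "/")  # normalise Windows separators
    return posixpath.normpath(posixpath.join(base_dir, resource))


def is_within(base_dir, target):
    """True if the normalised target lies inside base_dir (or is base_dir)."""
    base = posixpath.normpath(base_dir)
    try:
        return posixpath.commonpath([base, target]) == base
    except ValueError:  # mixing absolute and relative paths
        return False


def safe_local_copy_path(base_dir, resource):
    """Hardened variant: reject absolute names, drive letters and traversal."""
    if resource.startswith(("/", "\\")) or ":" in resource:
        raise ValueError("absolute resource name rejected: %r" % resource)
    target = resolve_local_copy(base_dir, resource)
    if not is_within(base_dir, target):
        raise ValueError("resource escapes %s: %r" % (base_dir, resource))
    return target


def audit_properties(text, base_dir=BASE_DIR):
    """Return findings for a properties file that enables a local copy
    whose resource name would be written outside base_dir."""
    props = parse_properties(text)
    findings = []
    localcopy = props.get("seccommerce.resource.localcopy", "").lower() == "on"
    resource = props.get("seccommerce.resource")
    if localcopy and resource:
        try:
            safe_local_copy_path(base_dir, resource)
        except ValueError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    print("unchecked join:", resolve_local_copy(BASE_DIR, "../../outside.dat"))
    print("findings:", audit_properties(SAMPLE_PROPERTIES))
    print("findings (safe):", audit_properties(SAFE_PROPERTIES))
```

The containment test uses commonpath on normalised absolute paths rather than
a string prefix comparison, so a sibling folder such as ".seccommerce2" is not
mistaken for the base folder.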
Proof of concept:
-----------------
No exploit code will be published.
Vulnerable / tested versions:
-----------------------------
SecSigner 3.5.0
Vendor contact timeline:
------------------------
2011-11-10: Contacting vendor through info@seccommerce.de, asking for security
contact
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending security
advisory
2011-11-11: Explaining the vulnerability to the vendor, sending details that
it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory
Solution:
---------
Apply the fix of the vendor and only use the latest version:
Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25
www.seccommerce.de/en/products-en/secsigner.html
Workaround:
-----------
Only use the fixed version and invalidate the old Java applet certificate!
Remove the affected trusted certificate of SecSigner/SecCommerce from the Java
control panel (jcontrol) on all clients and add it to the Oracle Java
blacklist:
Java\jre6\lib\security\blacklist
Don't fully trust signed Java applets (in general).
Advisory URL:
-------------
www.sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
EOF E. Demeter, J. Greil / @2011