Core Security Technologies - Corelabs Advisory http://www.coresecurity.com/corelabs/ Cross-Site Scripting in Verisign?s haydn.exe CGI script Date Published: 2006-03-20 Last Update: 2006-03-20 Advisory ID: CORE-2006-0124 Bugtraq ID: None currently assigned CVE Name: None currently assigned Title: Cross-Site Scripting in Verisign?s haydn.exe CGI script Class: Input Validation Error Remotely Exploitable: Yes Locally Exploitable: No Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10 Vendors contacted: 2006-01-25: Notification sent to Verisign 2006-01-25: Notification acknowledged by Verisign 2006-01-26: Draft advisory with details sent to Verisign 2006-02-08: Vulnerability confirmed by Verisign 2006-03-17: Verisign's response with fix information 2006-03-20: CORE-2006-0124 Advisory released Release Mode: COORDINATED RELEASE *Vulnerability Description:* The haydn.exe file is used as a CGI common component in various Verisign products, including those aimed at Digital ID certificate enrollment, revocation and validation of server certificates. A cross-site scripting vulnerability found in Verisign?s haydn.exe could allow an attacker to execute scripting code in the machine of a user within the user's web browser with the same trust level as that of the site hosting the haydn.exe file (this is usually a trusted site, since it is used to enroll, revoke or validate certificates). A malicious web site could use this vulnerability to spoof the results of certificate validation operations that are performed on a trusted site that uses the vulnerable executable. *Vulnerable Packages:* Vulnerable package information provided by the vendor - MPKI 6.0 *Solution/Vendor Information:* Fix information provided by the vendor: "VeriSign appreciates Core Security for bringing this to our attention. To ensure appropriate management of error messages the creation of a default HTML file must be constructed. To do this perform the following: Create a blank html file in the '<local hosting install directory>/htmldocs/' directory labeled 'fdf_noHTMLFile.html' " *Credits:* This vulnerability was found by Alberto Soli?o from Core Security Technologies. *Technical Description - Exploit/Concept Code:* The vulnerability is classified as common Cross Site Scripting bug due to the lack of user input validation in parameters passed to the CGI component. It is possible to specify arbitrary input (ie. HTML or Javascript code) to haydn.exe in the VHTML_FILE parameter. Upon an error condition haydn.exe will exit returning not sanitized input to the web server which will in turn pass it on to the client browser. The vulnerability can be verified issuing the following request to haydn.exe: https://<site>/cgi-bin/haydn.exe?VHTML_FILE=test<body onload=javascript:alert('fixme!')>file_name</body>.htm The use of Javascript is for demonstration purposes only and could be replaced with any static or dynamic code of the attacker's choice. To determine if the vulnerability is present using the above example make sure that the web browser is configured to allow Javascript execution. An attacker could also choose to mimic the results of a successful legitimate request to haydn.exe and thus subvert the operations of the application using the vulnerable component. *Workaround:* Filter the content passed by the user in the VHTML_FILE field to only allow valid characters on input before passing the request to haydn.exe. Additionally, when passing back the output of haydn.exe to the client browser sanitize the data to avoid passing back arbitrary code (Javascript, HTML,etc) that could be rendered and executed by the user's browser. *Additional information and References* Cross-Site Scripting (commonly referred to as XSS) attacks are the result of improper filtering of input obtained from untrusted sources. Basically, they consist in the attacker injecting malicious tags and/or script code that is executed by the user's web browser when accessing the vulnerable web site. The injected code then takes advantage of the trust given by the user to the vulnerable site. These attacks are usually targeted to all users of a web application instead of the application itself (although one could say that the users are affected because of a vulnerability of the web application). The term ?cross-site scripting' is also sometimes used in a broader sense referring to different types of attacks involving script injection into the client. HTML Code Injection and Cross-Site Scripting: http://www.owasp.org/documentation/topten/a4.html How To Prevent Cross-Site Scripting Security Issues: http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985 How To Review ASP Code for CSSI Vulnerability: http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119 The Cross-Site Scripting FAQ (XSS): http://www.cgisecurity.com/articles/xss-faq.shtml Sample methods for JS-Injection: http://www.websec.org/adv/js.html *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/ *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company?s flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *DISCLAIMER:* The contents of this advisory are copyright (c) 2006 CORE Security Technologies and (c) 2006 Corelabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. $Id: verisign-advisory.txt,v 1.8 2006/03/20 22:29:39 iarce Exp $