SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
=======================================================================
title: Client-side remote arbitrary file upload
product: SecCommerce SecSigner Java Applet
vulnerable version: 3.5.0 < build 2011/11/12
fixed version: 3.5.0 build
4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
created 2011/11/25
impact: critical
homepage: https://www.seccommerce.de/en/products-en/secsigner.html
found: 2011/10/21
by: E. Demeter / SEC Consult Vulnerability Lab
J. Greil / SEC Consult Vulnerability Lab
http://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Qualified and advances electronic signatures may be created and
validated using SecSigner. Signing documents electronically allows for
workflow scenarios and contracting avoiding any media conversion.
SecSigner 3.5.0 is currently available on our web site.
For this version, a manufacturer's declaration according to German
signature law is available at the corresponding regulatory authority.
The parent version 2.0.0 has been certified by the German Federal
Office for Information Security (BSI)according to ITSEC E2/high."
https://www.seccommerce.de/en/products-en/secsigner.html
Vulnerability overview/description:
-----------------------------------
The signed Java applet SecSigner uses the file "secsigner.properties" to
configure certain settings of the applet. Amongst others, it is
possible to set the variable "seccommerce.resource", which defines a
file that is loaded during the execution of the applet to supply
additional functionality.
If the setting "seccommerce.resource.localcopy" is set to "on", this
file is saved in the defined local temporary folder
"%user%\.seccommerce" on the client. It is however possible to define
any different relative path (path traversal) for that file. The only
requirement that is needed is that the same path also exists on the
webserver the applet is executed from. Any arbitrary file can be chosen
to be used for the "seccommerce.resource" file.
An attacker is able to upload arbitrary files to an arbitrary path on
the victim's computer. E.g., if a malicious executable is uploaded to
the Windows "startup" folder, it is being executed at the next reboot.
This vulnerability is only a sample, no further investigations
regarding the security quality of the product have been performed.
Proof of concept:
-----------------
No exploit code will be published.
Vulnerable / tested versions:
-----------------------------
SecSigner 3.5.0
Vendor contact timeline:
------------------------
2011-11-10: Contacting vendor through info@xxxxxxxxxxxxxx, asking for
security contact
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending
security advisory
2011-11-11: Explaining the vulnerability to the vendor, sending details
that it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory
Solution:
---------
Apply the fix of the vendor and only use the latest version:
Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25
https://www.seccommerce.de/en/products-en/secsigner.html
Workaround:
-----------
Only use the fixed version and invalidate the old Java applet
certificate!
Remove the affected trusted certificate of SecSigner/SecCommerce from
the Java control panel (jcontrol) from all clients and add it to the
Oracle Java blacklist:
Java\jre6\lib\security\blacklist
Don't fully trust signed Java applets (in general).
Advisory URL:
-------------
http://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
http://www.sec-consult.com
EOF E. Demeter, J. Greil / @2011
