View Issue Details

ID: 0001272
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2014-09-02 20:55
Reporter: BenBE
Assigned To: NEOatNHNG
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2014 Q2
Target Version: 2014 Q2
Fixed in Version: 2014 Q2
Summary: 0001272: Arbitrary Code Execution via SQL injection on certain database fields
Description: When issuing certificates some fields are not properly escaped on renew and thus can be used to create a SQL injection.

This SQL injection could be used to manipulate the CRT filename field which is passed unchecked to the shell at some places.
Steps To Reproduce: Create certificate with Description like:
    ', crt_name = '; cat /etc/passwd

Renew the certificate
Additional Information: A proof of concept has been submitted to the Software Team.
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
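The mechanism described above, modelled as an added example (not CAcert's PHP code; the table, column names and file names are constructed): creation stores the Description with a bound parameter, the vulnerable renew re-reads it and splices it into an UPDATE, which lets the value rewrite crt_name; the fixed renew binds the value, and a strict file-name check stops any stored crt_name from reaching a shell step unchecked.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a certificate table; not the CAcert schema.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (id INTEGER PRIMARY KEY, description TEXT, crt_name TEXT)")
    return conn

# The Description value from the report: it closes the string literal, adds a
# second SET clause and leaves a shell fragment in crt_name.
PAYLOAD = "', crt_name = '; cat /etc/passwd"

def create(conn, description):
    """Creation stores the field with a bound parameter, so the value stays data."""
    cur = conn.execute("INSERT INTO certs (description, crt_name) VALUES (?, ?)",
                       (description, "cert.crt"))
    return cur.lastrowid

def renew_unsafe(conn, old_id):
    """Vulnerable renew: the stored description is re-read and spliced into SQL text."""
    (desc,) = conn.execute("SELECT description FROM certs WHERE id = ?", (old_id,)).fetchone()
    new_id = conn.execute("INSERT INTO certs (description, crt_name) VALUES ('', 'renewed.crt')").lastrowid
    conn.execute(f"UPDATE certs SET description = '{desc}' WHERE id = {int(new_id)}")
    return conn.execute("SELECT description, crt_name FROM certs WHERE id = ?", (new_id,)).fetchone()

def renew_safe(conn, old_id):
    """Fixed renew: the same copy done with a bound parameter; crt_name is untouched."""
    (desc,) = conn.execute("SELECT description FROM certs WHERE id = ?", (old_id,)).fetchone()
    new_id = conn.execute("INSERT INTO certs (description, crt_name) VALUES ('', 'renewed.crt')").lastrowid
    conn.execute("UPDATE certs SET description = ? WHERE id = ?", (desc, new_id))
    return conn.execute("SELECT description, crt_name FROM certs WHERE id = ?", (new_id,)).fetchone()

def create_and_renew(renew):
    """Create a certificate carrying PAYLOAD in its description, then renew it with renew()."""
    conn = fresh_db()
    return renew(conn, create(conn, PAYLOAD))

# Second line of defence for the shell step: only accept a plain file name.
CRT_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.crt")

def is_plain_crt_name(crt_name):
    """True only for values that may be handed on as a certificate file name."""
    return CRT_NAME_RE.fullmatch(crt_name) is not None
```

With the vulnerable renew the renewed row ends up with an empty description and the shell fragment in crt_name; with the fixed renew the payload is stored verbatim as text and crt_name keeps its value.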
Test Instructions

Relationships

related to 0001266 (closed, NEOatNHNG): Second-Level SQL Injection in Certificate-related queries

Activities

BenBE

2014-04-18 23:14

updater   ~0004742

Fix on Testserver

Eva

2014-04-18 23:32

updater   ~0004743

Last edited: 2014-04-19 00:13

Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should

Created server certificate with comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should

Created org server certificate with comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should

Tried to create org client certificate with said comment
-> error message: The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.

Wanted instead to double renew an org client certificate with said comment. Renew was no problem, but after the renew the comment field was empty (as before), so could not renew the comment a second time by this.

Looks ok, maybe with the exception of org clients, but as it is NOT possible to add clients with said comment at all, the bug should not be possible to execute by this.
=> ok

MartinGummi

2014-04-18 23:32

updater   ~0004744

Last edited: 2014-04-19 00:16

Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should

Created server certificate with comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should
Tried to create org client certificate with said comment

Error:
The challenge-response code of your certificate request did not match. Can't continue with certificaterequest

After patch
Renewed certificate
everything seems normal, certificate looks normal, comment looks like it should
Created org server certificate with comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should

==> OK

Eva

2014-04-18 23:46

updater   ~0004745

Last edited: 2014-04-19 00:02

After change of patch:

Created client certificate with browser and comment field filled with ', crt_name = '; cat /etc/passwd
Renewed certificate
-> everything seems normal, certificate looks normal, comment looks like it should
-> ok

Redid the previous test again, works as above
-> ok

(I used different combinations of 2k, 4k RSA and different options of SHA, also switched between class 1 and class 3)

=> ok

NEOatNHNG

2014-04-19 01:28

administrator   ~0004746

Second review OK. Mail sent to critical admins.

wytze

2014-04-19 13:45

developer   ~0004747

The patch has been installed on the production server on April 19, 2014. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2014-04/msg00008.html

Issue History

Date Modified | Username | Field | Change
2014-04-18 22:44 | BenBE | New Issue
2014-04-18 22:44 | BenBE | Assigned To | => NEOatNHNG
2014-04-18 22:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 1ea66e99
2014-04-18 22:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 066a0223
2014-04-18 23:14 | BenBE | Note Added: 0004742
2014-04-18 23:14 | BenBE | Status | new => needs review & testing
2014-04-18 23:15 | BenBE | Reviewed by | => BenBE
2014-04-18 23:32 | Eva | Note Added: 0004743
2014-04-18 23:32 | MartinGummi | Note Added: 0004744
2014-04-18 23:33 | MartinGummi | Note Edited: 0004744
2014-04-18 23:34 | Eva | Note Edited: 0004743
2014-04-18 23:40 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 42c0b5e4
2014-04-18 23:40 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 39d62423
2014-04-18 23:46 | Eva | Note Added: 0004745
2014-04-18 23:53 | Eva | Note Edited: 0004745
2014-04-19 00:02 | Eva | Note Edited: 0004745
2014-04-19 00:09 | MartinGummi | Note Edited: 0004744
2014-04-19 00:11 | MartinGummi | Note Edited: 0004743
2014-04-19 00:12 | MartinGummi | Note Edited: 0004743
2014-04-19 00:13 | MartinGummi | Note Edited: 0004743
2014-04-19 00:16 | MartinGummi | Note Edited: 0004744
2014-04-19 00:23 | BenBE | Status | needs review & testing => needs review
2014-04-19 01:28 | NEOatNHNG | Reviewed by | BenBE => NEOatNHNG, BenBE
2014-04-19 01:28 | NEOatNHNG | Note Added: 0004746
2014-04-19 01:28 | NEOatNHNG | Status | needs review => ready to deploy
2014-04-19 01:42 | NEOatNHNG | Relationship added | related to 0001266
2014-04-19 13:45 | wytze | Note Added: 0004747
2014-04-19 13:45 | wytze | Status | ready to deploy => solved?
2014-04-19 13:45 | wytze | Fixed in Version | => 2014 Q2
2014-04-19 13:45 | wytze | Resolution | open => fixed
2014-04-21 22:20 | NEOatNHNG | View Status | private => public
2014-09-02 20:55 | INOPIAE | Status | solved? => closed