Net Tools PKI server

Impact

Several vulnerabilities in Net Tools PKI server, if present, could allow a remote attacker to execute arbitrary code or to view and download any file on the server.

Background

NAI Net Tools PKI Server is a full-featured PKI server for Windows NT systems. It runs a secure web server on ports 443, 444, and 445. strong.exe is the executable that services HTTPS requests on these three ports.

The Problem

There are three separate problems in the strong.exe program that comes with Net Tools PKI Server 1.0 prior to Hotfix 3.

Firstly, a buffer overflow in strong.exe could allow a remote attacker to execute arbitrary commands with SYSTEM privileges by supplying a very long, specially crafted URL.

Secondly, an attacker could view any file on the system using the ../ string in the pathname to escape from the default directory.

Finally, a format string vulnerability in strong.exe could allow a remote user to execute arbitrary commands on the server with SYSTEM privileges by supplying a specially crafted URL with the .xuda extension.
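A log-triage check for the three request patterns described above, added here as an example; it is not part of the original advisory or of any vendor tooling. The "client port method url" log layout, the sample lines, and the 1024-character length threshold are assumptions, since the advisory does not state an overflow length or a log format.

```python
import re
from urllib.parse import unquote

PKI_PORTS = {443, 444, 445}   # ports the advisory says strong.exe serves
MAX_URL_LEN = 1024            # assumption: triage threshold, not from the advisory
# printf-style conversion (%s, %x, %n, %8x ...) still present after URL-decoding
FORMAT_SPEC = re.compile(r"%[0-9.$*lh]*[diouxXsnp]")

def fully_decode(url, rounds=3):
    """URL-decode repeatedly so double-encoded input (%252e%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(url):
    """Return the advisory's problem classes that a request URL matches."""
    findings = set()
    if len(url) > MAX_URL_LEN:
        findings.add("long-url")
    decoded = fully_decode(url)
    path = decoded.split("?", 1)[0].replace("\\", "/")
    if ".." in path.split("/"):
        findings.add("traversal")
    if ".xuda" in path.lower() and FORMAT_SPEC.search(decoded):
        findings.add("xuda-format")
    return findings

def scan(lines):
    """Yield (client, port, findings) for suspicious requests to the PKI ports."""
    for line in lines:
        client, port, _method, url = line.split(" ", 3)
        findings = classify(url)
        if int(port) in PKI_PORTS and findings:
            yield client, int(port), sorted(findings)

# Constructed sample input in a hypothetical "client port method url" layout.
SAMPLE = [
    "192.0.2.10 443 GET /index.html",
    "192.0.2.11 444 GET /%2e%2e/%2e%2e/placeholder.txt",
    "192.0.2.12 445 GET /page.xuda?name=%25s%25s",
    "192.0.2.13 443 GET /" + "A" * 2000,
    "192.0.2.14 8080 GET /../other-service",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The format-specifier match is a heuristic for triage: a literal percent sign followed by a letter in a .xuda request will also be flagged and needs manual review.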

Resolution

Apply Hotfix 3 for Net Tools PKI Server 1.0. If Hotfix 3 or higher has already been applied, then the system does not have these vulnerabilities.

Versions higher than 1.0 are not affected by these vulnerabilities.

Where can I read more about this?

These vulnerabilities were researched by CORE-SDI and posted to Bugtraq.