CHT Security Financial Security Assessment Team Discovered Insecure API in Well-Known Domestic Cross-Platform Digital Signature Plugin

Vulnerabilities of ServiSign Components

Abstract of Software

ServiSign is a component developed by Changingtec in Taiwan. It provides a cross-platform solution for digital signing and signature verification, installed on the user's machine and called from web pages.

The official introduction of ServiSign: https://www.changingtec.com/EN/servisign.html

Summary

Vulnerabilities List

1. [CVE-2020-3925] Remote Code Execution via LoadLibrary

2. [CVE-2020-3926] Arbitrary File Read

3. [CVE-2020-3927] Arbitrary File Delete


Details

1. Remote Code Execution via LoadLibrary

Description

The ServiSign DLL contains an insecure call to LoadLibraryA. The path parameter passed to it is neither filtered nor restricted to the component's own (high-privilege) directory, so an attacker who controls that parameter can make ServiSign load, and therefore execute, an arbitrary malicious DLL.

Impact

Because the function applies no path filter or access control and requires no authentication, an attacker can reach it from a web page: malicious JavaScript delivered through a phishing site or an XSS payload invokes the weak function and makes the victim's computer load and execute the attacker's DLL.

Known Affected Software

  • ServiSign for Windows ver. <= 1.0.19.0617


2. Arbitrary File Read

Description

In several versions, the same ServiSign DLL also exposes insecure file-read APIs. An attacker can pass any path as the parameter and read the contents of that file on the user's computer through the API, without any authentication.

Impact

Because the function applies no path filter or access control, an attacker can place attack code in a phishing or advertisement website. When a user visits such a site on a machine with ServiSign installed, the page's script can read the file at any path it names and send the contents to the attacker, without any authentication.

Known Affected Software

  • ServiSign for Windows ver. <= 1.0.19.0617


3. Arbitrary File Delete

Description

The same DLL also contains an insecure file-operation API, related to the file-read API above, that allows an attacker to delete any file, without authentication.

Impact

Because the function applies no path filter or access control, an attacker can place attack code in a phishing or advertisement website. When a user visits such a site on a machine with ServiSign installed, the page's script can delete the file at any path it names, without any authentication.

Known Affected Software

  • ServiSign for Windows ver. <= 1.0.19.0617
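The three findings above share one root cause: a path string received from the browser is handed straight to a privileged library or file API. The C code below is an added example, not ServiSign's code, written once to cover findings 1 to 3. It shows the vulnerable pattern (a caller-supplied string passed to LoadLibraryA) beside a confined version of each operation: module load, file read and file delete. The install directory BASE_DIR, the module names in ALLOWED_MODULES and the safe_* entry points are assumptions made for the illustration; the validation logic is portable C, and the Windows calls sit under #ifdef _WIN32 so the file compiles anywhere.

```c
/* Added example, not ServiSign's code. BASE_DIR and ALLOWED_MODULES are
 * assumptions. Demonstrates confining browser-supplied paths before they
 * reach LoadLibrary / file read / file delete. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define BASE_DIR "C:\\Program Files\\ServiSign\\"  /* assumed install dir */

/* Assumed closed set of modules the service may ever load; an allow-list
 * beats trying to sanitise an arbitrary DLL path. */
static const char *const ALLOWED_MODULES[] = { "signcore.dll", "cardapi.dll" };

/* Case-insensitive equality (Windows file names are case-insensitive). */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

#ifdef _WIN32
/* The vulnerable pattern from the advisory: the string received from the
 * browser reaches LoadLibraryA unchanged, so "..\\x.dll", "C:\\tmp\\x.dll"
 * or a UNC share "\\\\attacker\\share\\x.dll" all load the attacker's code. */
void unsafe_load(const char *path_from_web) { LoadLibraryA(path_from_web); }
#endif

/* Accept only a single file-name component: no separators, no drive or
 * alternate-data-stream colon, no control characters, not "." or "..",
 * no trailing dot or space (Win32 strips them), optional required extension. */
bool is_safe_name(const char *name, const char *required_ext) {
    size_t len = strlen(name);
    if (len == 0 || len > 100) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\\' || c == '/' || c == ':' || c < 0x20) return false;
    }
    if (name[len - 1] == '.' || name[len - 1] == ' ') return false;
    if (required_ext) {
        size_t elen = strlen(required_ext);
        if (len <= elen || !ieq(name + len - elen, required_ext)) return false;
    }
    return true;
}

/* Join a validated name onto BASE_DIR; false if the name was rejected. */
bool resolve_in_base(const char *name, const char *required_ext,
                     char *out, size_t outlen) {
    if (!is_safe_name(name, required_ext)) return false;
    int n = snprintf(out, outlen, "%s%s", BASE_DIR, name);
    return n > 0 && (size_t)n < outlen;
}

/* Convenience wrapper: the resolved path, or NULL when rejected. */
const char *try_resolve(const char *name, const char *required_ext) {
    static char full[512];
    return resolve_in_base(name, required_ext, full, sizeof full) ? full : NULL;
}

bool is_allowed_module(const char *name) {
    for (size_t i = 0; i < sizeof ALLOWED_MODULES / sizeof ALLOWED_MODULES[0]; i++)
        if (ieq(name, ALLOWED_MODULES[i])) return true;
    return false;
}

/* Hardened entry points: 1 if the request passed validation (and, on
 * Windows, the operation succeeded), 0 if it was rejected or failed. */
int safe_load_module(const char *name) {
    char full[512];
    if (!is_allowed_module(name) ||
        !resolve_in_base(name, ".dll", full, sizeof full)) return 0;
#ifdef _WIN32
    /* Absolute path plus restricted search: dependencies come only from
     * System32 and the DLL's own directory, never from CWD or PATH. */
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32 |
                                      LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR) != NULL;
#else
    return 1;
#endif
}

int safe_read_file(const char *name, char *buf, size_t buflen) {
    char full[512];
    if (!resolve_in_base(name, NULL, full, sizeof full)) return 0;
    FILE *f = fopen(full, "rb");
    if (!f) return 0;
    buf[fread(buf, 1, buflen - 1, f)] = '\0';
    fclose(f);
    return 1;
}

int safe_delete_file(const char *name) {
    char full[512];
    if (!resolve_in_base(name, NULL, full, sizeof full)) return 0;
    return remove(full) == 0;
}
```

Path confinement closes the three bugs as the advisory describes them, but it does not address the other half of each impact statement: any web page can call the service. A local component of this kind should also verify which origin is calling it and require a per-session token before honouring any request, so that a phishing or advertisement page cannot drive it at all.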


Credits

  • Weber Tsai (CHT Security)
  • Keniver Wang (CHT Security)