CHT Security Financial Security Assessment Team Discovered Insecure API in Well-Known Domestic Cross-Platform Digital Signature Plugin
Vulnerabilities of ServiSign Components
Abstract of Software
ServiSign is a system developed by Changingtec in Taiwan. It provides cross-platform solutions for digital signatures and verification.
The official introduction of ServiSign: https://www.changingtec.com/EN/servisign.html
Summary
Vulnerabilities List
1. [CVE-2020-3925] Remote Code Execution via LoadLibrary
2. [CVE-2020-3926] Arbitrary File Read
3. [CVE-2020-3927] Arbitrary File Delete
Details
1. Remote Code Execution via LoadLibrary
Description
A DLL file shipped with ServiSign contains an insecure call to LoadLibraryA. Because the path parameter is neither filtered nor restricted to DLL files in a high-privilege directory, attackers can control the path parameter to execute a malicious DLL.
Impact
Because this function has no path filter or access control, attackers can execute malicious DLL files on the computer through these weak functions without any authentication, by injecting malicious JavaScript code via XSS payloads in phishing websites.
Known Affected Software
- ServiSign for Windows ver. <= 1.0.19.0617
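One way to apply the path filter this function lacks, as an added example that is not Changingtec's code and not part of the original advisory: the module names, install directory and function names are hypothetical. The caller-supplied value is accepted only as a bare, allowlisted file name, and the loader is then given a fully qualified path built from a fixed directory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values: the product's real module names and install path
   are not given in the advisory. */
static const char *const ALLOWED_MODULES[] = { "signcore.dll", "certstore.dll" };
static const char INSTALL_DIR[] = "C:\\Program Files\\ExampleSigner";

/* Windows file names are case-insensitive, so compare that way. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Return 1 only when `name` is a bare file name found on the allowlist. */
int module_name_allowed(const char *name) {
    size_t i, len;
    if (name == NULL || (len = strlen(name)) == 0 || len > 64)
        return 0;
    /* No separators or colons: rules out absolute, relative and UNC paths,
       drive letters and alternate data streams. */
    if (strpbrk(name, "\\/:") != NULL)
        return 0;
    /* Win32 silently strips a trailing dot or space; refuse them outright. */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;
    for (i = 0; i < sizeof ALLOWED_MODULES / sizeof ALLOWED_MODULES[0]; i++)
        if (eq_nocase(name, ALLOWED_MODULES[i]))
            return 1;
    return 0;
}

/* Build the fully qualified path to hand to the loader (for example
   LoadLibraryExA on Windows). Returns 0 on success, -1 on rejection. */
int build_module_path(const char *name, char *out, size_t outlen) {
    int n;
    if (!module_name_allowed(name))
        return -1;
    n = snprintf(out, outlen, "%s\\%s", INSTALL_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The same allowlist-then-fixed-directory check applies to any API that takes a file path from a web page, including file read and delete operations.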
2. Arbitrary File Read
Description
The DLL file called by the ServiSign system also contains insecure APIs in several versions. An attacker can assign any path parameter to read the contents of files on the user's computer through the API function, without any authentication.
Impact
Because this function has no path filter or access control, an attacker can deploy attack code on phishing or advertisement websites. If a user browses these websites in an environment with ServiSign installed, the attack code in the webpage can read the contents of the file at the specified path and upload them to the attacker without authentication.
Known Affected Software
- ServiSign for Windows ver. <= 1.0.19.0617
3. Arbitrary File Delete
Description
The same DLL file also contains an insecure API associated with reading files. It allows attackers to delete any file without authentication.
Impact
Because this function has no path filter or access control, an attacker can deploy attack code on phishing or advertisement websites. If a user browses these websites in an environment with ServiSign installed, the attack code in the webpage can delete the file at the specified path without authentication.
Known Affected Software
- ServiSign for Windows ver. <= 1.0.19.0617
Credits
- Weber Tsai (CHT Security)
- Keniver Wang (CHT Security)