SEC Consult SA-20111219-0 :: Client-side remote arbitrary file- upload in SecCommerce SecSigner Java Applet

From: SEC Consult Vulnerability Lab <>
To: bugtraq <>,
Subject: SEC Consult SA-20111219-0 :: Client-side remote arbitrary file- upload in SecCommerce SecSigner Java Applet

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >
              title: Client-side remote arbitrary file upload
            product: SecCommerce SecSigner Java Applet 
 vulnerable version: 3.5.0 < build 2011/11/12
      fixed version: 3.5.0 build
                     created 2011/11/25
             impact: critical
         found: 2011/10/21
                 by: E. Demeter / SEC Consult Vulnerability Lab
                     J. Greil / SEC Consult Vulnerability Lab

Vendor description:
"Qualified and advances electronic signatures may be created and
validated using SecSigner. Signing documents electronically allows for
workflow scenarios and contracting avoiding any media conversion.
SecSigner 3.5.0 is currently available on our web site. 

For this version, a manufacturer's declaration according to German
signature law is available at the corresponding regulatory authority.
The parent version 2.0.0 has been certified by the German Federal
Office for Information Security (BSI)according to ITSEC E2/high."

Vulnerability overview/description:
The signed Java applet SecSigner uses the file "" to
configure certain settings of the applet. Amongst others, it is
possible to set the variable "seccommerce.resource", which defines a
file that is loaded during the execution of the applet to supply
additional functionality.

If the setting "seccommerce.resource.localcopy" is set to "on", this
file is saved in the defined local temporary folder
"%user%\.seccommerce" on the client. It is however possible to define
any different relative path (path traversal) for that file. The only
requirement that is needed is that the same path also exists on the
webserver the applet is executed from. Any arbitrary file can be chosen
to be used for the "seccommerce.resource" file.

An attacker is able to upload arbitrary files to an arbitrary path on
the victim's computer. E.g., if a malicious executable is uploaded to
the Windows "startup" folder, it is being executed at the next reboot.

This vulnerability is only a sample, no further investigations
regarding the security quality of the product have been performed.

Proof of concept:
No exploit code will be published.

Vulnerable / tested versions:
SecSigner 3.5.0

Vendor contact timeline:
2011-11-10: Contacting vendor through, asking for
            security contact
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending
            security advisory
2011-11-11: Explaining the vulnerability to the vendor, sending details
            that it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory

Apply the fix of the vendor and only use the latest version:

Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25


Only use the fixed version and invalidate the old Java applet

Remove the affected trusted certificate of SecSigner/SecCommerce from
the Java control panel (jcontrol) from all clients and add it to the
Oracle Java blacklist:

Don't fully trust signed Java applets (in general).

Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF E. Demeter, J. Greil / @2011

Copyright © 1995-2021 All rights reserved.