Security Vulnerabilities in the OptiGuide Screen Reader

October 26, 2012

OptiGuide claims to be "the first screen reader to provide access to Safe Mode". That may be true, but it’s also a security risk.
In brief, the vendor leaves its website open to anonymous FTP access, and the installer adds a root certificate to the Windows trusted store together with its private key, which an attacker could use to make a malicious website look trusted.
For details, see below. Uninstalling the latest version of OptiGuide appears to remove its certificate, but when I installed an older one (I tested with 1.0.55) and uninstalled it, the certificate was not removed. You can check in Certificates/Trusted Root Certification Authorities. Search for ACCESSIBLESOFT and remove it.

After installation of OptiGuide 1.0.57, I noticed it installed a self-signed certificate into my root certificate store. Looking at the certificate properties for the ACCESSIBLESOFT\Operator certificate, this line stood out:

You have a private key that corresponds to this certificate.

I’m not sure what this is used for or why it is needed.

I wasn’t able to export it via the GUI, so I looked at what imported it. The certificate is contained in OptiGuide_TemporaryKey.pfx in the program’s folder.

The first problem I had to solve was the import password that .pfx files have. Running strings on InstallCert.exe finds it quite easily. Once this was found, I used openssl to convert it to a .pem and examine the keys:

$ openssl pkcs12 -in OptiGuide_TemporaryKey.pfx -out test.pem -nodes
Enter Import Password:
MAC verified OK
$ grep BEGIN test.pem
-----BEGIN PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

This certificate is valid until October 20, 2013. Because it contains the private key and can be used for client authentication, I can quite easily set up a server that will use this. Once done, Internet Explorer will consider it valid. Firefox uses its own certificate store, which doesn’t have this certificate.
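As an added example (not code from the original post or from OptiGuide), the following PowerShell script audits the Trusted Root Certification Authorities stores for the condition described above: a root certificate that has a private key attached, or whose subject matches a name such as ACCESSIBLESOFT. The subject pattern and the removal helper are assumptions for illustration; the removal helper uses the .NET X509Store API and needs an elevated prompt for the LocalMachine store.

```powershell
# Added example, not part of the original post: list trusted root certificates
# that carry a private key (a root certificate never should) or match a subject
# pattern. The pattern 'ACCESSIBLESOFT' is the name given in the post.
function Find-SuspiciousRootCert {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$SubjectPattern = 'ACCESSIBLESOFT'
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            if ($_.HasPrivateKey -or ($_.Subject -match $SubjectPattern)) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey   # maps to "You have a private key..."
                    NotAfter      = $_.NotAfter
                }
            }
        }
    }
}

# Remove a flagged certificate by thumbprint via the .NET store API, which works
# on PowerShell versions where the Cert: provider does not support Remove-Item.
function Remove-RootCertByThumbprint {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadWrite')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        foreach ($cert in $found) { $store.Remove($cert) }
        "Removed $($found.Count) certificate(s) with thumbprint $Thumbprint from $Location\Root"
    }
    finally {
        $store.Close()
    }
}

# Usage: review the findings first, then remove only a confirmed thumbprint.
Find-SuspiciousRootCert | Format-Table -AutoSize
```

Run the audit on both the machine and user stores, since the post reports that an older uninstaller leaves the certificate behind.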

Moving on, I looked at the network activity when running OptiGuide. I saw an FTP connection to utechaccess.com, where it proceeded to get Optiguide/Customers.txt.
Looking further, the FTP leads to the webroot of the main OptiGuide website, which possibly could allow the replacement of the OptiGuide setup executable. Because of this, I cannot be sure that the setup file hasn’t been tampered with.

I reported this on October 18, and new versions have been released since then with these same vulnerabilities. I feel it necessary to warn the community about this program, and hope that these problems can be fixed for the future. Once they are, I will update this post.