Closed Bug 504449 Opened 15 years ago Closed 15 years ago

NSS SSL implementation vulnerable to MITM attack via cert with null char in CN

Categories

(NSS :: Libraries, defect)

defect
Not set
critical

Tracking

(blocking1.9.1 -, status1.9.1 unaffected)

RESOLVED DUPLICATE of bug 480509

People

(Reporter: bsterne, Unassigned)

Details

(Whiteboard: [sg:dupe 480509])

This bug was reported to security@m.o by Moxie Marlinspike.  From his email:

-----

The first [of two] allows for undetected MITM attacks against NSS:

1) ASN.1 has many different string types, but all of them are stored as some variation of PASCAL strings.  Once NSS parses them, though, they are treated as standard C strings.

2) There are consequences to this, the most obvious being the way that NULL characters are treated.  In ASN.1 a NULL character is just another character in your character string, but when NSS starts using the character strings, the NULL characters become imbued with special meaning (terminators).

3) Combined with the direction that CAs went, this resulted in some straight-forward attacks.  For a while now, you've been able to issue a CSR with a CN of <whatever>.yourdomain.org and have your request be validated against the ownership information in the root domain.  This means that I can easily get whateverthefuckiwant.thoughtcrime.org, as long as I am a contact for thoughtcrime.org.  I can get whatever I want in the subdomain of the CN -- seriously anything -- including www.paypal.com\0.thoughtcrime.org

4) Once I get my certificate and hand it to NSS, NSS treats www.paypal.com\0.thoughtcrime.org as a C string, and that NULL character terminates it to www.paypal.com for all the string comparisons.  So, obviously, this matches a CN check for paypal.

5) Most implementations screw this up, but NSS is actually the worst, because in the end I just need to shell out a little extra for a wildcard cert.  *\0.thoughtcrime.org matches... everything.  I can present this certificate for any connection that NSS makes, and it's accepted as valid.

-----

I haven't confirmed this since it requires a valid cert but this is definitely sg:critical assuming it's valid.
Whiteboard: [sg:critical]

Fixed long ago.  Fix already in FF 3.5.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] → [sg:dupe 480509]
blocking1.9.1: ? → -
Group: core-security
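
The truncation described in points 1 to 5 of the quoted email, shown next to a length-aware check, as an added example that is not part of the bug report and is not NSS code. The `der_str` type, the function names and the sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length-delimited string, as an ASN.1 decoder returns a CN value.
 * Hypothetical type for this example, not an NSS structure. */
typedef struct { const unsigned char *data; size_t len; } der_str;

/* Constructed sample values; sizeof - 1 drops the literal's own terminator. */
static const unsigned char CN_PLAIN[] = "www.example.com";
static const unsigned char CN_NUL[]   = "www.example.com\0.attacker.example";
static const unsigned char CN_WILD[]  = "*\0.attacker.example";
static const der_str SAMPLE_PLAIN = { CN_PLAIN, sizeof CN_PLAIN - 1 };
static const der_str SAMPLE_NUL   = { CN_NUL,   sizeof CN_NUL - 1 };
static const der_str SAMPLE_WILD  = { CN_WILD,  sizeof CN_WILD - 1 };

/* Flawed pattern: the decoded bytes are handed to a C string routine, so the
 * comparison stops at the first NUL and never sees the bytes after it. */
int cn_matches_naive(const der_str *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* A DNS name never contains NUL; run this before any exact or wildcard match. */
int cn_has_embedded_nul(const der_str *cn)
{
    return memchr(cn->data, '\0', cn->len) != NULL;
}

/* Hardened: reject embedded NUL, then compare using the encoded length. */
int cn_matches_checked(const der_str *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (cn_has_embedded_nul(cn) || cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("plain CN: naive=%d checked=%d\n", cn_matches_naive(&SAMPLE_PLAIN, host), cn_matches_checked(&SAMPLE_PLAIN, host));
    printf("NUL CN:   naive=%d checked=%d\n", cn_matches_naive(&SAMPLE_NUL, host), cn_matches_checked(&SAMPLE_NUL, host));
    printf("wildcard CN has NUL: %d\n", cn_has_embedded_nul(&SAMPLE_WILD));
    return 0;
}
```

The exact-match comparison here stands in for a full hostname matcher; the embedded-NUL rejection is the part that applies unchanged in front of wildcard handling.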