Closed
Bug 504449
Opened 15 years ago
Closed 15 years ago
NSS SSL implementation vulnerable to MITM attack via cert with null char in CN
Categories
(NSS :: Libraries, defect)
Tracking
(blocking1.9.1 -, status1.9.1 unaffected)
RESOLVED DUPLICATE of bug 480509
People
(Reporter: bsterne, Unassigned)
Details
(Whiteboard: [sg:dupe 480509])
This bug was reported to security@m.o by Moxie Marlinspike. From his email:
-----
The first [of two] allows for undetected MITM attacks against NSS:
1) ASN.1 has many different string types, but all of them are stored as some variation of PASCAL strings. Once NSS parses them, though, they are treated as standard C strings.
2) There are consequences to this, the most obvious being the way that NULL characters are treated. In ASN.1 a NULL character is just another character in your character string, but when NSS starts using the character strings, the NULL characters become imbued with special meaning (terminators).
3) Combined with the direction that CAs went, this resulted in some straight-forward attacks. For a while now, you've been able to issue a CSR with a CN of <whatever>.yourdomain.org and have your request be validated against the ownership information in the root domain. This means that I can easily get whateverthefuckiwant.thoughtcrime.org, as long as I am a contact for thoughtcrime.org. I can get whatever I want in the subdomain of the CN -- seriously anything -- including www.paypal.com\0.thoughtcrime.org
4) Once I get my certificate and hand it to NSS, NSS treats www.paypal.com\0.thoughtcrime.org as a C string, and that NULL character terminates it to www.paypal.com for all the string comparisons. So, obviously, this matches a CN check for paypal.
5) Most implementations screw this up, but NSS is actually the worst, because in the end I just need to shell out a little extra for a wildcard cert. *\0.thoughtcrime.org matches... everything. I can present this certificate for any connection that NSS makes, and it's accepted as valid.
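Added example, not part of the original report and not NSS code: the counted-string versus C-string mismatch from points 1 to 4, with a comparison that stops at the NUL next to one that uses the decoded length. The `counted_name` type, the function names and the sample buffers are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted name as a DER decoder yields it. Hypothetical type for this
 * example; it is not NSS's own structure. */
typedef struct { const unsigned char *data; size_t len; } counted_name;

/* Constructed sample CNs. The first carries the embedded NUL from the report. */
static const unsigned char EVIL_CN[] = "www.paypal.com\0.thoughtcrime.org";
static const unsigned char GOOD_CN[] = "www.paypal.com";

/* Flawed: hands the decoded bytes to a C-string routine, which stops at the
 * first NUL and never sees the rest of the name. (The sample buffers end in a
 * NUL, as a copy into a C string would.) */
static int cn_matches_cstring(const counted_name *cn, const char *host) {
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened: a NUL is never valid in a DNS name, so reject it, then compare
 * using the decoded length. Exact match only; case folding and wildcard
 * handling are left out to keep the example short. */
static int cn_matches_counted(const counted_name *cn, const char *host) {
    size_t hlen = strlen(host);
    if (memchr(cn->data, 0, cn->len) != NULL)
        return 0;
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

int main(void) {
    counted_name evil = { EVIL_CN, sizeof EVIL_CN - 1 };
    counted_name good = { GOOD_CN, sizeof GOOD_CN - 1 };
    const char *host = "www.paypal.com";

    printf("embedded-NUL CN: cstring=%d counted=%d\n",
           cn_matches_cstring(&evil, host), cn_matches_counted(&evil, host));
    printf("clean CN:        cstring=%d counted=%d\n",
           cn_matches_cstring(&good, host), cn_matches_counted(&good, host));
    return 0;
}
```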
Comment 1 • 15 years ago (Reporter)
I haven't confirmed this since it requires a valid cert but this is definitely sg:critical assuming it's valid.
Whiteboard: [sg:critical]
Comment 2 • 15 years ago
Fixed long ago. Fix already in FF 3.5.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated • 15 years ago
Whiteboard: [sg:critical] → [sg:dupe 480509]
Updated • 15 years ago
blocking1.9.1: ? → -
status1.9.1: --- → unaffected
Updated • 15 years ago
Group: core-security