From: Martin von Gagern <Martin.vGagern <at> gmx.net>
Subject: Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel
Date: Monday 10th November 2008 11:00:10 UTC (over 8 years ago)

Hello GNU TLS developers, and other interested parties,

This is an analysis of the GNU TLS vulnerability recently published as
GNUTLS-SA-2008-3 and CVE-2008-4989.

I found a bug in GNU TLS which breaks X.509 certificate chain
verification. This allows a man in the middle to assume any name and
trick GNU TLS clients into trusting that name.

This could be used to imitate a server using a specially crafted server
certificate chain together with DNS spoofing or some way of intercepting
packets along their route. It could also be used to imitate clients
authenticating to some service using client certificates, again using
specially crafted certificate chains.


CAUSE OF THE VULNERABILITY

The bug is in function _gnutls_x509_verify_certificate in x509/verify.c.
1. The last element of the certificate list is verified against the list
   of trusted certificates.
2. The last element is removed from the list if it is self signed.
3. The chain is checked to ensure that every certificate is signed by
   the one following it, with the exception of the last element.

By appending an arbitrary self-signed trusted certificate to the list,
the penultimate element is implicitly trusted, without being checked
against the list of trusted certificates.

As a solution to fix the issue, I suggest dropping self signed certs
before validating any certificate against the list of trusted
certificates. The attached patch should apply to older versions of GNU
TLS as well, so distributions can use it to fix their released versions.
An alternative might be to not drop self-signed certificates at all, as
it doesn't seem necessary. This should be discussed by the developers.


STEPS TO REPRODUCE IN A MODEL SETUP

To reproduce, add "server" as an alias for localhost to your /etc/hosts.
Run the following command, using the files attached:

$ gnutls-serv --http -p 4433 -a \
              --x509keyfile server.key --x509certfile chain.pem

Then connect to this server using the GNU TLS client:

$ gnutls-cli --x509cafile thawte.pem -p 4433 server

 - Certificate[0] info:
 # The hostname in the certificate matches 'server'.
 # valid since: Mon Nov  3 13:05:04 CET 2008
 # expires at: Wed Dec  3 13:05:04 CET 2008
 # fingerprint: 2A:8E:2F:D6:73:A8:74:F7:D7:AE:E9:FC:C5:31:3D:00
 # Subject's DN: C=DE,O=GNU TLS Attack,CN=server
 # Issuer's DN: C=DE,O=GNU TLS Attack,CN=intermediate

 - Certificate[1] info:
 # valid since: Mon Nov  3 13:04:45 CET 2008
 # expires at: Wed Dec  3 13:04:45 CET 2008
 # fingerprint: 3C:45:D6:7E:04:ED:BD:77:F1:AA:F8:17:D4:2E:14:E5
 # Subject's DN: C=DE,O=GNU TLS Attack,CN=intermediate
 # Issuer's DN: C=DE,O=GNU TLS Attack,CN=root

 - Certificate[2] info:
 # valid since: Fri Nov 17 01:00:00 CET 2006
 # expires at: Thu Jul 17 01:59:59 CEST 2036
 # fingerprint: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
 # Subject's DN: C=US,O=thawte\, Inc.,
                 OU=Certification Services Division,
                 OU=(c) 2006 thawte\, Inc. - For authorized use only,
                 CN=thawte Primary Root CA
 # Issuer's DN: C=US,O=thawte\, Inc.,
                OU=Certification Services Division,
                OU=(c) 2006 thawte\, Inc. - For authorized use only,
                CN=thawte Primary Root CA


- - Peer's certificate is trusted
- - Version: TLS1.1
- - Key Exchange: DHE-RSA
- - Cipher: AES-128-CBC
- - MAC: SHA1
- - Compression: NULL
- - Handshake was completed

As you can see, there is no relation at all between Certificate[1] and
Certificate[2]. By attaching the thawte root certificate, which is
commonly trusted, I could get my own server authenticated as "server",
without ever transmitting the bogus root of its chain.

I used the http mode of gnutls-serv above so you can check browsers and
other http-based tools against this server as well, to see if they are
vulnerable.


Greetings,
 Martin von Gagern
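A toy model of the chain-walking logic the post describes, added here as an example; it is not GnuTLS code and not the author's patch. Certificates are modelled as subject/issuer name pairs and a "signature" is checked by issuer-name match only, which is enough to show why the pre-fix step order accepts the post's chain (server, intermediate, unrelated thawte root) and why dropping the self-signed tail before consulting the trust list rejects it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def signed_by(cert: Cert, issuer: Cert) -> bool:
    # Stand-in for a real signature check: issuer-name match only.
    return cert.issuer == issuer.subject


def trusted_by(cert: Cert, trusted) -> bool:
    return any(signed_by(cert, t) for t in trusted)


def verify_chain_buggy(chain, trusted) -> bool:
    """Step order as the post describes the pre-fix verification."""
    chain = list(chain)
    if not chain or not trusted_by(chain[-1], trusted):   # 1. last vs. trust list
        return False
    if chain[-1].self_signed:                              # 2. drop self-signed tail
        chain.pop()
    # 3. walk the chain; the (new) last element is never checked against anything
    return all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))


def verify_chain_fixed(chain, trusted) -> bool:
    """Suggested fix: strip the self-signed tail first, then require that
    whatever is last be signed by a trusted certificate, then walk the chain."""
    chain = list(chain)
    if len(chain) > 1 and chain[-1].self_signed:
        chain.pop()
    if not chain or not trusted_by(chain[-1], trusted):
        return False
    return all(signed_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))


# Constructed sample chain mirroring the post's model setup (names only).
SERVER = Cert("CN=server", "CN=intermediate")
INTERMEDIATE = Cert("CN=intermediate", "CN=root")
THAWTE = Cert("CN=thawte Primary Root CA", "CN=thawte Primary Root CA")
TRUSTED = [THAWTE]


def demo():
    attack = [SERVER, INTERMEDIATE, THAWTE]   # unrelated trusted root appended
    return verify_chain_buggy(attack, TRUSTED), verify_chain_fixed(attack, TRUSTED)


if __name__ == "__main__":
    print("buggy accepts: %s, fixed accepts: %s" % demo())
```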