Public bug reported:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step or to misunderstand
the APIs when using SSL/TLS, which might cause severe man in the middle
attack and break the entire TLS mechanism.
We believe that xfce4-mailwatch-plugin didn't check whether the hostname
matches the name in the SSL certificate and the expired date of the
certificate.
We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether
the communication process is vulnerable by detecting whether the
function call process matches a certain model. For example, when using
OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null),
we should verify the certificate by calling the function
SSL_get_peer_certificate() to get the certificate. If the source code
does not match this model, then we can deduce this code is vulnerable.
What’ more , Gnutls is the same as Openssl.
The static analysis result:
/xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatch-net-conn.c
xfce_mailwatch_net_conn_make_secure()
We provide this result to help developers to locate the problem faster.
To verify the result:
一. Hostname verification:
1.configure xface4-mailwatch-plugin:
IMAP(SSL) :imap.163.com
Username : 598105904
Password : <Your password>
Advanced: Use SSL/TLS on alternate port
2. change /etc/hosts in order to simulate the DNS hijack
113.108.16.116 imap.163.com
(113.108.16.116 is QQ’s imap server)
3. run xfce4-mailwatch-plugin to fetch the mail
4. result : succeed!!!
The fetch succeeded, indicating xface4-mailwatch-plugin didn't check the
hostname against the signee of the certificate.
二.Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run xfce4-mailwatch-plugin to fetch the mail.
3. result:succeed!!
The fetch succeeded again and no warning was given, indicating xface4
-mailwatch-plugin didn't check whether the certificate expired or not.
I am running xfce4-mailwatch-plugin 1.2.0-1 in ubuntu 14.04 LTS.
(PS: I have saved the wireshark ssl connecting packages and upload these files.)
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
** Affects: xfce4-mailwatch-plugin (Ubuntu)
Importance: Undecided
Status: New
** Tags: ssl
** Attachment added: "wireshark ssl conneting packages"
https://bugs.launchpad.net/bugs/1376601/+attachment/4222132/+files/xfce4-mailwatch-plugin.zip
** Information type changed from Private Security to Public
** Description changed:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step or to misunderstand
the APIs when using SSL/TLS, which might cause severe man in the middle
attack and break the entire TLS mechanism.
We believe that xfce4-mailwatch-plugin didn't check whether the hostname
matches the name in the SSL certificate and the expired date of the
certificate.
We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether
the communication process is vulnerable by detecting whether the
function call process matches a certain model. For example, when using
OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null),
we should verify the certificate by calling the function
SSL_get_peer_certificate() to get the certificate. If the source code
does not match this model, then we can deduce this code is vulnerable.
What’ more , Gnutls is the same as Openssl.
The static analysis result:
/xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatch-net-conn.c
xfce_mailwatch_net_conn_make_secure()
We provide this result to help developers to locate the problem faster.
To verify the result:
一. Hostname verification:
1.configure xface4-mailwatch-plugin:
IMAP(SSL) :imap.163.com
Username : 598105904
Password : <Your password>
Advanced: Use SSL/TLS on alternate port
2. change /etc/hosts in order to simulate the DNS hijack
- 113.108.16.116 imap.163.com
- (113.108.16.116 is QQ’s imap server)
+ 113.108.16.116 imap.163.com
+ (113.108.16.116 is QQ’s imap server)
3. run xfce4-mailwatch-plugin to fetch the mail
4. result : succeed!!!
The fetch succeeded, indicating xface4-mailwatch-plugin didn't check the
hostname against the signee of the certificate.
二.Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run xfce4-mailwatch-plugin to fetch the mail.
-
3. result:succeed!!
The fetch succeeded again and no warning was given, indicating xface4
-mailwatch-plugin didn't check whether the certificate expired or not.
I am running xfce4-mailwatch-plugin 1.2.0-1 in ubuntu 14.04 LTS.
- PS: I have saved the wireshark ssl connecting packages and upload these files.
+ (PS: I have saved the wireshark ssl connecting packages and upload these
files.)
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1376601
Title:
X509 certificate verification problem
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfce4-mailwatch-plugin/+bug/1376601/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
