NULL Prefix attack against SSL certificates

I was show casing the SSLStrip tool in my office. Everybody was asking how it works. Security Researcher Moxie had released two tools SSLSniff and SSLStrip during Black Hat 2009. These tools were capable of doing MITM on SSL connection. They exploited a weakness in signing the certificates. SSL heavily rely on X509 certificate structure to prove authenticity.
For the SSL it is the 'common name field' of the X509 certificate that is used to identify authentic servers. For example, Paypal will used 'www.paypal.com' in the common name field.
The signing process heavily relies on the above convention. The Certificate Authorities will sign 'www.paypal.com', they don't care whether you are requesting for 'anything.paypal.com' or 'anything1.anything.paypal.com'- as long as you prove that you are paypal.com.
The Trick:
X509 certificates are commonly formatted using ASN.1 notation. ASN.1 supports many string types but all of them are represented as some variations of PASCAL. In PASCAL character string the NULL characters are treated as normal characters. They don't have any special meaning.
So NULL characters can be included into the common name field of X509 certificates. So a signing request like www.paypal.com\0.fakeorganization.com will be treated valid. The Certificate Authority will ignore prefix and sign the root domain fakeorganization.com.
Now the the thing is most contemporary SSL/TLS implementation treat the field in X509 as C strings. And in C '\0' (NULL) means end of the string. So www.paypal.com\0.fakeorganization.com and www.paypal.com will be treated as identical.
So the owner of the certificate for www.paypal.com\0.fakeorganization.com can successfully present his certificate to the connections intended for original www.paypal.com.
Here MITM happens on SSL. SSLSniff tool works at this theory.
You can sign your own certificates using the valid certificate you got from Certificate Authority.
Actually there is field in X509 certificates which needs to be set FALSE in order to restrict domain owner to act as a Certificate Authority.
Most CA's didn't explicitly set basicConstraints:
CA=FALSE
A lot of web browsers and other SSL implementations didn't bother to check it, whether the field was there or not.
Anyone with a valid leaf node certificate could create and sign a leaf node certificate for any other domain.
The blueanarchy.org can create a valid certificate as paypal.com and use it.
Reference:http://www.thoughtcrime.org/about.html

Comments

Anonymous said…
is this still vulnerable in our browsers?
Nilesh Kumar said…
As of now ,I am not aware of any browser specific vulnerabilities but I have tested it on IE6 and FF 3.5

Popular posts from this blog

SQL Injection in search field

Nipper Download