Public bug reported:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step when using SSL/TLS,
which might cause severe man in the middle attack and break the entire
TLS mechanism.
We believe that pavuk didn't check whether the hostname matches the name
in the ssl certificate and the expired date of the certificate.
We found the vulnerability by static analysis, typically, a process of
verfication involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the process satisfies
a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for pavuk:
[PDG]my_ssl_do_connect
[Found]SSL_connect()
[HASH] 884435222 [LineNo]@ 665[Kind]call-site[Char] SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/pavuk/pavuk-0.9.35/src/myssl_openssl.c
[INFO] API SSL_new() Found! --> [HASH] 3400266686 [LineNo]@
654[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/pavuk/pavuk-0.9.35/src/myssl_openssl.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 2718779866 [LineNo]@
564[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/pavuk/pavuk-0.9.35/src/myssl_openssl.c
[INFO] API SSLv23_client_method() Found! --> [HASH] 2509471869
[LineNo]@ 560[Kind]call-site[Char] SSLv23_client_method()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/pavuk/pavuk-0.9.35/src/myssl_openssl.c
[INFO] API SSL_CTX_set_verify() Found! --> [HASH] 241425030 [LineNo]@
593[Kind]call-site[Char] SSL_CTX_set_verify()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/pavuk/pavuk-0.9.35/src/myssl_openssl.c
[Warning] No SSL_get_peer_certificate() && SSL_get_verify_result() APIs
found! Potentially vulnerable!!!
To verify the result:
1. put line "192.30.252.130 fake.github.com" in /etc/hosts(192.30.252.130 is
the ip address for github)
2. run "pavuk https://fake.github.com";
The fetch succeeded, indicating mailfilter didn't check the hostname
against the signee of the certificate.
Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run pavuk https://www.github.com
The fetch succeeded again and no warning was given, indicating pavuk
didn't check whether the certificate expired or not.
I am running pavuk 0.9.35 in ubuntu 14.04 LTS.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
** Affects: pavuk (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1374724
Title:
X509 certificate verification problem
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pavuk/+bug/1374724/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
