[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

ArkanoiD ark at eltex.net
Wed Sep 7 06:17:39 PDT 2011 

On Wed, Sep 07, 2011 at 02:38:57PM +0200, Jacob Appelbaum wrote:
> That is an interesting project!
> 
> I see that you are really trying and I respect that a great deal. I
> simply don't think that this is a safe path to take. The project you
> linked reminds me of a free software version of say, a bluecoat
> proxy/filter system. I don't think that we should design end user
> software to fail nicely for proxy/filters as the user will never be able
> to tell the difference between you and another local attacker.

Unlike for a local attacker, end user is expected to import my root to use
the system.

Here is old whitepaper about problems I address with this software:

http://sourceforge.net/projects/openfwtk/files/benevolent-ssl-mitm.pdf/download

> 
> I looked at the SSL stuff just to see what you're doing and I'm not sure
> that it disproves my main concern.
> 
> Here's an example - please correct me if I'm mistaken. I've never seen
> your project before and so I'm just reading through it to try to
> understand it.
> 
> What happens when a remote peer certificate is valid and also gets
> passed to pathfinder_verify(cert, buf) from
> openfwtk-2.1pre10/libssl/sslfunc.c at the momenet?
> 
> It looks like this happens:
> 
>  117 ??·size = i2d_X509(cert, NULL);
>  118 ??·iend = keybuf = malloc(size);
>  119 ??·certdata_str = malloc(size * 2 + 1);
>  120 ??·i2d_X509(cert, &iend);
>  121 ??·cp = keybuf;
> 
> I'm not convinced that this is safe at all.

Cannot believe my eyes, I just copypasted this function from pathfinder
examples. You are obviously right, I should xmalloc instead of malloc
and check the return values. It slipped somehow from my attention, will fix.

> 
> In fact, I'd bet that if i2d_X509 returns negative as it does in the
> event it has an error, you'll have *that* value cast into size. It will
> be cast from signed to unsigned as size is a size_t. Malloc may not take
> kindly to the result of such a cast. It may return NULL or a very large
> chuck of memory. In Linux this won't matter until you use it. As a
> result, in the first case it may not be a big deal. However, in the
> second malloc it is possible that (size * 2 + 1) will wrap and become a
> much smaller buffer than is required for later use in the function.
> 
> That makes this look a lot less safe:
> 
>  122 ??·certdata_str_i = certdata_str;
>  123 ??·while (cp < iend) {
>  124 ??·??·unsigned char ch = *cp++;
>  125 ??·??·*certdata_str_i++ = hex[( ch >> 4 ) & 0xf];
>  126 ??·??·*certdata_str_i++ = hex[ch & 0xf];
>  127 ??·}
>  128 ??·*certdata_str_i = 0;
> 
> If size is NULL to start, I think setting *certdata_str_i = 0 is
> probably not safe. It should seg fault on the spot. So perhaps that is
> safe? I don't think so but it's not arbitrary code execution. If it
> doesn't, I wonder what pathfinder_dbus does if it gets a NULL pointer?

Reports an error, there is a check in place.

> If the result of the malloc for certdata_str after the (size * 2 + 1) is
> not actually twice the size plus one of keybuf, I'd guess that all bets
> are off. The program seems like it will write hex values into
> *certdata_str_i++ all the way past the real length for certdata_str_i.
> 
> It may also be the case that a really large value will be written into
> certdata_str_i - What happens if a giant string is passed to
> pathfinder_dbus?

It gets dumped to dbus. First impression is that nothing nasty happens there, but I will definitely add more sanity checks.

> 
> It seems most likely that if the cert will has an error parsing the data
> will simply be incorrect. Perhaps no one will ever reach this code path?
> 
> ...
> 
> I guess that a lot of MITM code will have similar issues. I'm sure that
> it *can* be done correctly but I'm not convinced it *should* be done at all.
> 
> I certainly don't think browsers should weaken their security promises
> to enable this kind of tampering as it also directly creates a few
> different kinds of risk.
> 
> There's risk from the MITM observer and there is risk *for* the MITM
> observer from vulnerabilities such as the above bugs. The incentive for
> the attacker will shift to compromising the proxy systems as they will
> become more valuable than all the CAs combined for a specific target.
> 
> I certainly want my browser to fail closed if it's passing through such
> a system.

Proxy systems are generally simple enough to resolve problems like that.
Shame on me I missed such an obvious thing, but it is still unclear if it really imposes new security risk -- this framework is designed to "deny on fail".

> 
> Why do we want to create this new risk as part of the security solution?
> I don't think we do. We already have enough risk as it is.
> 
> > 
> >>
> >>>> I have requested cert pinning in Chrome because if the wrong certs are
> >>>> presented, I want it to fail closed. I want users to avoid being MITM'ed
> >>>> by attackers regardless of their intentions or corporate environmental
> >>>> needs.
> >>>
> >>> Ah, then losing all network traffic control (it means just that: poke one hole and one is more than enough) is good for security. "Great".
> >>>
> >>
> >> I think you're already doomed. Do you suppose that you are able to
> >> detect all the covert channels in existence? Lots of covert channels
> >> work through such a proxy system. That's a laugh and a half to say the
> >> least.
> > 
> > Ah, then let's give up and open everything, set firewalls to pass all and so on. Great.
> > 
> 
> That's not what I'm saying. As I said above - I think what you're doing
> is interesting and you've clearly put a lot of effort into trying to
> secure the local network in the current situation.
> 
> Still, I'm saying something different: I'm saying lets be honest about
> where we stand and try to change the game entirely. The game we're
> currently playing won't be won in a way that leads to security for the
> end user as a general reality.
> 
> If you want to MITM everyone on your corporate network, I say go for it.
> I don't think it's reasonable to ask browsers to cripple their software
> to fall prey to such SSL/TLS MITM attacks. CAA/DANE/DNSSEC and other
> systems will make this more and more the normal behaviour and it *must*
> fail closed in the general case. If you want to block all of that
> security technology, I'd say that you're basically not providing
> internet access any more and you'll need to deploy systems that meet
> your local filternet rules.
> 
> The game needs decentralisation in the trust root badly and my
> decentralised trust root is almost certainly not my local network.
> 
> All the best,
> Jacob
> 
> email protected and scanned by AdvascanTM - keeping email useful - www.advascan.com 
> 
>

More information about the Observatory mailing list