[LWN Logo]

Date:         Fri, 26 May 2000 09:51:24 EDT
From: Kevin Fu <fubob@MIT.EDU>
Subject:      new vulnerability in Netscape effectively disables SSL server auth
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

Introduction
============

This vulnerability defeats SSL server authentication in Netscape 4.73
and earlier versions.  This is a new vulnerability unrelated to CERT
advisory 2000-5.  However, it has a similar devastating effect:
destroying SSL server authentication.  Under certain conditions, users
can no longer trust the authenticity of SSL server certificates in
Netscape.

This new vulnerability makes Netscape's SSL implementation as insecure
as DNS.  If you are victimized by this attack, then you may
unknowingly divulge private information such as credit card numbers,
personal data, passwords to online financial services, or other
sensitive information to an adversary masquerading as what you think
is a trusted SSL server.

Reported to Netscape: May 15, 2000
Reported to CERT:     May 17, 2000
Publicly announced:   May 26, 2000


Problem
=======

Within one Netscape session, if a user clicks on "continue" in
response to a "hostname does not match name in certificate," then that
certificate is incorrectly validated for future use in the Netscape
session, REGARDLESS of the hostname or IP address of other servers
that use the certificate.


Exploit
=======

My web server has a certificate signed by a trusted certificate
authority.  For the purposes of this exploit, the example web servers
below share the same certificate and private key.

Official name:  snafu.mit.edu
Host address:   18.152.0.102

Official name:  snafu.fooworld.org
Host address:   18.152.0.102

Official name:  www.nscl.org
Host address:   18.152.0.131


1. Play the part of the innocent user.  Visit https://snafu.mit.edu/
with any version on Netscape (minus the Personal Security Manager).
When the dialog warning appears, you click continue because you do not
intend to give private information to this web server.  You just want
to access the page with confidentiality enabled, whether or not the
server is authentic.  Note that you have asked to accept this
certificate for this hostname, snafu.mit.edu, even though the
certificate belongs to snafu.fooworld.org.

2. Now play the part of the adversary.  Simulate DNS poisoning.  Add
an entry to /etc/hosts (UNIX), c:\windows\hosts.sam (Windows98), or
c:\winnt\system32\drivers\etc\hosts (Windows NT) that reads:

	www.the-site-you-want-to-spoof.com 18.152.0.131

This will redirect your www.the-site-you-want-to-spoof.com requests to
another server, www.nscl.org.  The www.nscl.org server happens to use
the same certificate as snafu.mit.edu.

2. Schach.  Time to switch back to playing the innocent user.  Visit
https://www.the-site-you-want-to-spoof.com/.  If your browser allows
you to visit this site without a warning, you have been duped into
believing you are talking to a trusted SSL web server.


Analysis
========

If the ILOVEYOU virus has taught us anything, it's taught us that the
general user population can be easily fooled by seemingly innocent
requests.  This vulnerability is a prime example.  By following a link
to an SSL server that has a certificate with an incorrect hostname,
all future SSL connections in the Netscape session are made no more
secure than DNS.

It seems that the "Certificate Name Check" warning will mark a
certificate as valid for any hostname or IP address in the future.  In
this way, if an adversary tricks a user into accepting an invalid
certificate at a seemingly benign site, the user can then be tricked
if he/she ever visits a malicious site using the same certificate.  A
benign "continue" click on https://snafu.mit.edu/ might end up taking
away server authentication from visiting
https://www.a-site-that-you-give-private-info.com/ that has poisoned
DNS.  Note, I have only tested this with server certificates signed by
a certificate authority trusted by Netscape.  This attack may be less
powerful if the malicious server certificate is merely self-signed.

Furthermore, the security community has many examples showing that DNS
is not secure at all.  For instance, a teenager recently defaced the
RSA.COM site by an attack against a DNS server.  It should be trivial
to attack targeted individuals and not difficult to attack general
users at large.

Here are some imagined but unimplemented ways that might fool a user
into accepting an invalid certificate:

* Javascript/Java which references an HTTPS URL.
* Users just clicks.
* Hide the warning window with a pop-up window.
* Email with embedded HTTPS.
* Embed HTTPS images in a web page.
* VBS ILOVEYOU variant virus attachment that appends to hosts.sam and
 adds certificate to browser's certificate database.


Here are some ways one might affect DNS:

* Add a fake DNS entry for the target server in a compromised DNS server.
* Respond to DNS requests since UDP responses are easily forged.
* Modify /etc/hosts via a known root vulnerability on a UNIX machine.
  Or on Windows, append to c:\windows\hosts.sam or on NT
  c:\winnt\system32\drivers\etc\hosts


Tested Systems
==============

Verified as vulnerable:
Linux      Netscape 4.73
Windows 98 Netscape 4.73
Macintosh  Netscape 4.73

Verified as not vulnerable:
Linux Netscape 4.73 + PSM
Windows 98 Netscape 4.73 + PSM
Windows 98 Microsoft Internet Explorer 5.00.2614.3500


Solutions
=========

There is a limited software solution if you run Linux, Solaris, or
Windows95/98/NT.  Otherwise, you will have to manually inspect server
certificates in Netscape.  The CERT CA-2000-8 advisory better explains
the non-software solution.

If you run one of the above operating systems, then you must install
BOTH Netscape Communicator (v4.73) and the iPlanet Personal Security
Manager (PSM) for the full fix.  PSM appears to manage certificates
more securely.  Note, several people have reported problems installing
PSM.  I was able to install PSM successfully in Linux and Windows98,
but sometimes the installation script would fail from a yet
undetermined cause.

Netscape 4.73 download:
http://home.netscape.com/download/

iPlanet Personal Security Manger download:
http://www.iplanet.com/downloads/download/detail_128_316.html

Again, installing the newest Netscape 4.73 alone does NOT fix this
problem.  You must also install PSM.  iPlanet's PSM does not yet exist
for the Macintosh.


Acknowledgements
================

Thank you to Shawn Hernan from CERT, Mitja Kolsek (from Advisory
CA-2000-5), Kevin Murray from Netscape, and Jon Guyer (who
independently found the same bug) for their cooperation and
assistance.


References
==========

Inconsistent Warning Messages in Netscape Navigator
CERT Advisory CA-2000-08, May 26, 2000
http://www.cert.org/advisories/CA-2000-08.html

Netscape Navigator Improperly Validates SSL Sessions
CERT Advisory CA-2000-05, May 12, 2000
http://www.cert.org/advisories/CA-2000-05.html

RSA Security Site Defaced, Feb 14, 2000
http://www.zdnet.com/zdnn/stories/news/0,4586,2437384,00.html


Author Contact Info
===================

Kevin Fu <fubob@mit.edu>
MIT Laboratory for Computer Science
545 Tech Square
Cambridge, MA 02139

If possible, please send correspondence encrypted with PGP.  My key
available from the key servers or
https://snafu.fooworld.org/~fubob/pgp.html

PGP Key ID: 0xE0FD2589
PGP fingerprint: E183 68C5 1D46 1717 9CD5 E9AB D33B 1EB5


Disclaimer
==========

The information in this report is purely informational and meant only
for the purpose of education and protection.  Kevin Fu shall in no
event be liable for any damage whatsoever, direct or implied, arising
from use or spread of this information.  The use of information in
this report is entirely at the user's risk.


Copyright 2000 Kevin Fu
=======================

You may distribute copies of this report provided that the
PGP-signature remains intact and the report remains unchanged within
the PGP-signed message.  Check
http://snafu.fooworld.org/~fubob/netscape-ssl.html for updates to this
advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBOS5+uUWdEt/g/SWJAQFi/Af8Dx+dATp0tr3dWp1iVw0Evf2GvG9VDWMh
318vMTAqiDcECfxDitiH7oPGX+DrT584WbDcMOb3kfec8NbkfDUrvOs2ft7xgCh3
lcQkaleoWforZIAPZEbeurqaOC2cySUWewgsf6pEyhv6PuzzIlkfKU+YCKKfhdmg
QA5C+qqWUzGWVrJuB+95sp2/0sKkH8toiWxJgwsPMybL58mpz3dS6UwPQUiTYVPB
qrW+7+vGRKwm4FVKlNcaNSegu34ciIL8f8uemcSOzIdJbNhj8KZU6HJWjakafQEi
2uHtTjqAQQAHDLrH1KMBtOdKOpgIAUywhvmhDS4/CfxDDqlDZenkoA==
=uB/F
-----END PGP SIGNATURE-----


--------
Kevin E. Fu (fubob@mit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html