Internet Explorer Ssl Vulnerability

Exploit Available: http://www.thoughtcrime.org/ie.html

From moxie@thoughtcrime.org Tue Aug 6 13:42:57 2002

Date: Mon, 5 Aug 2002 16:03:29 -0700 (PDT)

From: Mike Benham

To: bugtraq@securityfocus.com

Subject: IE SSL Vulnerability

========================================================================

Internet Explorer SSL Vulnerability 08/05/02

Mike Benham

http://www.thoughtcrime.org

========================================================================

Abstract

Internet Explorer's implementation of SSL contains a vulnerability that

allows for an active, undetected, man in the middle attack. No dialogs

are shown, no warnings are given.

========================================================================

Description

In the normal case, the administrator of a web site might wish to provide

secure communication via SSL. To do so, the administrator generates a

certificate and has it signed by a Certificate Authority. The generated

certificate should list the URL of the secure web site in the Common Name

field of the Distinguished Name section.

The CA verifies that the administrator legitimately owns the URL in the CN

field, signs the certificate, and gives it back. Assuming the

administrator is trying to secure www.thoughtcrime.org, we now have the

following certificate structure:

[CERT - Issuer: VeriSign / Subject: VeriSign]

-> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]

When a web browser receives this, it should verify that the CN field

matches the domain it just connected to, and that it's signed using a

known CA certificate. No man in the middle attack is possible because it

should not be possible to substitute a certificate with a valid CN and a

valid signature.

However, there is a slightly more complicated scenario. Sometimes it is

convenient to delegate signing authority to more localized authorities.

In this case, the administrator of www.thoughtcrime.org would get a chain

of certificates from the localized authority:

[Issuer: VeriSign / Subject: VeriSign]

-> [Issuer: VeriSign / Subject: Intermediate CA]

-> [Issuer: Intermediate CA / Subject: www.thoughtcrime.org]

When a web browser receives this, it should verify that the CN field of

the leaf certificate matches the domain it just connected to, that it's

signed by the intermediate CA, and that the intermediate CA is signed by a

known CA certificate. Finally, the web browser should also check that all

intermediate certificates have valid CA Basic Constraints.

You guessed it, Internet Explorer does not check the Basic Constraints.

==========================================================================

Exploit

So what does this mean? This means that as far as IE is concerned, anyone

with a valid CA-signed certificate for ANY domain can generate a valid

CA-signed certificate for ANY OTHER domain.

As the unscrupulous administrator of www.thoughtcrime.org, I can generate

a valid certificate and request a signature from VeriSign:

[CERT - Issuer: VeriSign / Subject: VeriSign]

-> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]

Then I generate a certificate for any domain I want, and sign it using my

run-of-the-mill joe-blow CA-signed certificate:

[CERT - Issuer: VeriSign / Subject: VeriSign]

-> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]

-> [CERT - Issuer: www.thoughtcrime.org / Subject: www.amazon.com]

Since IE doesn't check the Basic Constraints on the www.thoughtcrime.org

certificate, it accepts this certificate chain as valid for

www.amazon.com.

Anyone with any