On 2018-03-02 02:56, Hector Martin 'marcan' via dev-security-policy wrote:
> On 2018-03-02 00:28, Hanno Böck via dev-security-policy wrote:
>> Hi,
>>
>> On twitter there are currently some people poking Trustico's web
>> interface and found trivial script injections:
>> https://twitter.com/svblxyz/status/969220402768736258
>>
>> Which seem to run as root:
>> https://twitter.com/cujanovic/status/969229397508153350
>>
>> I haven't tried to reproduce it, but it sounds legit.
>
> Unsurprisingly, the entire server is now down. If Trustico are lucky,
> someone just `rm -rf /`ed the whole thing. If they aren't, they now have
> a bunch of persistent backdoors in their network.
>
> Now the interesting question is whether this vector could've been used
> to recover any/all archived private keys.
>
> As I understand it, Trustico is in the process of terminating their
> relationship with Digicert and switching to Comodo for issuance. I have
> a question for Digicert, Comodo, and other CAs: do you do any vetting of
> resellers for best practices? While clearly most of the security burden
> rests with the CA, this example shows that resellers with poor security
> practices (archiving subscriber public keys, e-mailing them to trigger
> revocation, trivial command injection vulnerabilities, running a PHP
> frontend directly as root) can have a significant impact on the security
> of the WebPKI for a large number of certificate holders. Are there any
> concerns that the reputability of a CA might be impacted if they
> willingly choose to partner with resellers which have demonstrated such
> problems?

According to this report, 127.0.0.1 returned the SSL certificate of the
Trustico server itself. This is evidence that no reverse proxy was in use,
and thus the private key of trustico.com was directly exposed to the code
execution vector and could've been trivially exfiltrated:
https://twitter.com/ebuildy/status/969230182295982080

Therefore, it is not unreasonable to assume that this key has been
compromised. The certificate in use is this one:
https://crt.sh/?id=206535041

At this point I would expect Comodo to revoke this certificate due to key
compromise within the next 24 hours.

-- 
Hector Martin "marcan" ([email protected])
Public Key: https://mrcn.st/pub

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

