** Description changed:
- Hostname verification is an important step when verifying X509
- certificates, however, people tend to miss the step or to misunderstand
- the APIs when using SSL/TLS, which might cause severe man in the middle
- attack and break the entire TLS mechanism.
+ Recently, we are trying to find SSL security problems by static anaylsis.
+ For example, Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step or to misunderstand the
APIs when using SSL/TLS, which might cause severe man in the middle attack and
break the entire TLS mechanism.
- We believe that xxxterm didn't check whether the hostname matches the
- name in the SSL certificate and the expired date of the certificate.
+ During the experiment, we find that xxxterm didn't check whether the
+ hostname matches the name in the SSL certificate and the expired date of
+ the certificate.The followind is details:
- We found the vulnerability by static analysis, typically, a process of
- verification involves calling a chain of API, and we can deduce whether
- the communication process is vulnerable by detecting whether the
- function call process matches a certain model. For example, when using
- OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null),
- we should verify the certificate by calling the function
- SSL_get_peer_certificate() to get the certificate. If the source code
- does not match this model, then we can deduce this code is vulnerable.
- What’ more , Gnutls is the same as Openssl.
+ 1.
+ file: /xxxterm-1.10.0/xxxterm.c
+ problem: Hostname verification missing
+ 2.
+ file: /xxxterm-1.10.0/xxxterm.c
+ problem: expired date check missing
- This is the result for xxxterm:
- /xxxterm-1.10.0/xxxterm.c have problems.
- Host name verification missing
+ To verify the result, we attack the software manually:
- We provide this result to help developers to locate the problem faster.
-
-
- To verify the result:
一. Hostname check
1.configure /etc/hosts in order to simulate DNS hijack
- 42.62.48.90 www.facebook.com
- # 42.62.48.90 is the ip of i.mi.com
+ 42.62.48.90 www.facebook.com
+ # 42.62.48.90 is the ip of i.mi.com
2. visit the website https://www.facebook.com with xxxterm
3. result : connecting succeed without any warning!!!
-
- The fetch succeeded, indicating xxxterm didn't check the hostname against the
signee of the certificate.
+ The fetch succeeded, indicating xxxterm didn't check the hostname
+ against the signee of the certificate.
二.Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run xxxterm to visit any https website, such as https://www.youtube.com.
3. result : succeed without any warning!!
The fetch succeeded again and no warning was given, indicating xxxterm
didn't check whether the certificate expired or not.
I am running xxxterm 1.11.3-1.2 in ubuntu 14.04 LTS.
I have save the SSL connecting packages and upload these wireshark files.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1378617
Title:
xxxterm has SSL security problems
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xxxterm/+bug/1378617/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs