** Description changed:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step when using SSL/TLS,
which might cause severe man in the middle attack and break the entire
TLS mechanism.
We believe that mailfilter didn't check whether the hostname matches the
name in the ssl certificate and the expired date of the certificate.
+ We found the vulnerability by static analysis, typically, a process of
verfication involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the verfication
follows a certain process.
+ The result format is like this:
+ notice: Line Number@Method Name, Source File
+
+ We provide this result for developers to locate the problem faster.
+
+ This is the result for mailfilter:
+ [PDG]Socket::c_open(const char *, int, int, int)
+ [Found]SSL_connect()
+ [HASH] 4222839072 [LineNo]@ 178[Kind]call-site[Char] SSL_connect
()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSL_new() Found! --> [HASH] 382462720 [LineNo]@
161[Kind]call-site[Char] SSL_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSL_CTX_new() Found! --> [HASH] 3612132685 [LineNo]@
124[Kind]call-site[Char] SSL_CTX_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSLv23_client_method() Found! --> [HASH] 1228347384
[LineNo]@ 123[Kind]call-site[Char] SSLv23_client_method ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [Warning] No SSL_get_peer_certificate() && SSL_get_verify_result()
APIs found! Potentially vulnerable!!!
+
To verify the result:
+ {\verfication process
1.choose a pop3s mail server. (write the configuration in ~/.mailfilterrc)
2.Find the ip of the mail server, and add the line in /etc/hosts
"IP HostnameOfTheMailServer"
3.run mailfilter to fetch the mail in the mailserver through pop3s.
The fetch succeeded, indicating mailfilter didn't check the hostname
against the signee of the certificate.
Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run mailfilter to fetch the mail in the mailserver through pop3s.
+ }
The fetch succeeded again and no warning was given, indicating
mailfilter didn't check whether the certificate expired or not.
- I am running mailfilter 0.8.2 in ubuntu 14.04 LTS.
+ I am running mailfilter 0.8.3-1 in ubuntu 14.04 LTS.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
** Description changed:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step when using SSL/TLS,
which might cause severe man in the middle attack and break the entire
TLS mechanism.
We believe that mailfilter didn't check whether the hostname matches the
name in the ssl certificate and the expired date of the certificate.
- We found the vulnerability by static analysis, typically, a process of
verfication involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the verfication
follows a certain process.
+ We found the vulnerability by static analysis, typically, a process of
+ verfication involves calling a chain of API, and we can deduce whether
+ the communication process is vulnerable by detecting whether the
+ verfication follows a certain process.
+
The result format is like this:
notice: Line Number@Method Name, Source File
-
- We provide this result for developers to locate the problem faster.
+ We provide this result to help developers to locate the problem faster.
This is the result for mailfilter:
[PDG]Socket::c_open(const char *, int, int, int)
- [Found]SSL_connect()
- [HASH] 4222839072 [LineNo]@ 178[Kind]call-site[Char] SSL_connect
()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
- [INFO] API SSL_new() Found! --> [HASH] 382462720 [LineNo]@
161[Kind]call-site[Char] SSL_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
- [INFO] API SSL_CTX_new() Found! --> [HASH] 3612132685 [LineNo]@
124[Kind]call-site[Char] SSL_CTX_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
- [INFO] API SSLv23_client_method() Found! --> [HASH] 1228347384
[LineNo]@ 123[Kind]call-site[Char] SSLv23_client_method ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
- [Warning] No SSL_get_peer_certificate() && SSL_get_verify_result()
APIs found! Potentially vulnerable!!!
+ [Found]SSL_connect()
+ [HASH] 4222839072 [LineNo]@ 178[Kind]call-site[Char] SSL_connect
()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSL_new() Found! --> [HASH] 382462720 [LineNo]@
161[Kind]call-site[Char] SSL_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSL_CTX_new() Found! --> [HASH] 3612132685 [LineNo]@
124[Kind]call-site[Char] SSL_CTX_new ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [INFO] API SSLv23_client_method() Found! --> [HASH] 1228347384
[LineNo]@ 123[Kind]call-site[Char] SSLv23_client_method ()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/mailfilter/mailfilter-0.8.2/src/socket.cc
+ [Warning] No SSL_get_peer_certificate() && SSL_get_verify_result()
APIs found! Potentially vulnerable!!!
To verify the result:
{\verfication process
1.choose a pop3s mail server. (write the configuration in ~/.mailfilterrc)
2.Find the ip of the mail server, and add the line in /etc/hosts
"IP HostnameOfTheMailServer"
3.run mailfilter to fetch the mail in the mailserver through pop3s.
The fetch succeeded, indicating mailfilter didn't check the hostname
against the signee of the certificate.
Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. run mailfilter to fetch the mail in the mailserver through pop3s.
}
The fetch succeeded again and no warning was given, indicating
mailfilter didn't check whether the certificate expired or not.
I am running mailfilter 0.8.3-1 in ubuntu 14.04 LTS.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1370987
Title:
didn't check hostname and expired time in ssl verfication
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailfilter/+bug/1370987/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
