[Bug 1374723] [NEW] X509 certificate verification problem

Sat, 27 Sep 2014 04:02:06 -0700 

Public bug reported:

Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step when using SSL/TLS,
which might cause severe man in the middle attack and break the entire
TLS mechanism.

We believe that nagircbot didn't check whether the hostname matches the
name in the ssl certificate and the expired date of the certificate.

We found the vulnerability by static analysis, typically, a process of 
verfication involves calling a chain of API, and we can deduce whether the 
communication process is vulnerable by detecting whether the process satisfies 
a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File

We provide this result to help developers to locate the problem faster.

This is the result for nagircbot:
[PDG]ssl_handshake
        [Found]SSL_connect()
        [HASH] 3864143967 [LineNo]@ 17[Kind]call-site[Char] SSL_connect()[Src] 
/home/roca/workspace/codebase/code/ubuntu_pkg/nagircbot/nagircbot-0.0.33/ssl.c
        [Warning] SSL_new() not found!

To verify the result:
1.choose a irc website
2.Find the ip of the website, and add the line in /etc/hosts
"IP FakeHostnameOfTheMailServer" suppose it's fake.irc
3.nagircbot -c \#nagircbot -s fake.irc:6697

The connection is established, indicating nagircbot didn't check the
hostname of the server against the certificate.

Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. nagircbot -c \#nagircbot -s irchostname:6697
The connection is established again and no warning was given, indicating 
nagircbot didn't check whether the certificate expired or not.

I am running nagircbot 0.0.33-2 in ubuntu 14.04 LTS.

for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.

** Affects: nagircbot (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1374723

Title:
  X509 certificate verification problem

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagircbot/+bug/1374723/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to