** Description changed: - Hostname verification is an important step when verifying X509 - certificates, however, people tend to miss the step or to misunderstand - the APIs when using SSL/TLS, which might cause severe man in the middle - attack and break the entire TLS mechanism. - We believe that freetds-bin didn't check whether the hostname matches - the name in the SSL certificate and the expired date of the certificate. + Recently, we are trying to find SSL security problems by static anaylsis. + For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. - We found the vulnerability by static analysis, typically, a process of - verification involves calling a chain of API, and we can deduce whether - the communication process is vulnerable by detecting whether the - function call process matches a certain model. For example, when using - OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null), - we should verify the certificate by calling the function - SSL_get_peer_certificate() to get the certificate. If the source code - does not match this model, then we can deduce this code is vulnerable. - What’ more , Gnutls is the same as Openssl. + During the experiment, we find that freetds-bin didn't check whether the + hostname matches the name in the SSL certificate and the expired date of + the certificate. - To verify the result: + + To verify the result, we attack the software manually: 一.Hostname verification: 1. configure the file freetds.conf : # A typical Microsoft server [sqlserver2000] host = hackbyfun.sqlserver.com port = 1433 tds version = 8.0 encrpytion = require 2.wirte the file /etc/hosts in order to simulate DNS hijack: 10.214.146.123 hackbyfun.sqlserver.com (PS: 10.214.146.123 is a normal sql server ip, its domain name is safe.sqlserver.com ) 3.connect with freetds-bin tsql -S sqlserver2000 -U sa -P <your password> 4.result:connect succeed!! The fetch succeeded, indicating freetds-bin didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. 2. the same as the above process. Run freetds-bin to connect a normal sql server 3. result :connect succeed!! The fetch succeeded again and no warning was given, indicating freetds- bin didn't check whether the certificate expired or not. (PS: I have saved the wireshark packages, and upload these files) I am running freetds-bin 9.1-5 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks.
** Description changed: - Recently, we are trying to find SSL security problems by static anaylsis. For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. During the experiment, we find that freetds-bin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate. - To verify the result, we attack the software manually: 一.Hostname verification: 1. configure the file freetds.conf : # A typical Microsoft server [sqlserver2000] host = hackbyfun.sqlserver.com port = 1433 tds version = 8.0 encrpytion = require 2.wirte the file /etc/hosts in order to simulate DNS hijack: 10.214.146.123 hackbyfun.sqlserver.com (PS: 10.214.146.123 is a normal sql server ip, its domain name is safe.sqlserver.com ) 3.connect with freetds-bin tsql -S sqlserver2000 -U sa -P <your password> 4.result:connect succeed!! The fetch succeeded, indicating freetds-bin didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. 2. the same as the above process. Run freetds-bin to connect a normal sql server 3. result :connect succeed!! The fetch succeeded again and no warning was given, indicating freetds- bin didn't check whether the certificate expired or not. (PS: I have saved the wireshark packages, and upload these files) I am running freetds-bin 9.1-5 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1376592 Title: X509 certificate verification problem To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1376592/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
