[Bug 1380439] [NEW] ftp-ssl's ssl connection is not secure

Sun, 12 Oct 2014 19:21:04 -0700 

*** This bug is a security vulnerability ***

Public security bug reported:

Recently, we are trying to find SSL security problems by static
analysis. For example, as we all know, Hostname verification is an
important step when verifying X509 certificates, however, people tend to
miss the step or to misunderstand the APIs when using SSL/TLS, which
might cause severe man in the middle attack and break the entire TLS
mechanism. And static analysis is a way of finding whether the APIs are
called correctly.

Now, we find some SSL problems in ftp-ssl :
1. ftp-ssl miss hostname check when verify x509 certificate
2. ftp-ssl miss expired time check when verify x509 certificate

More specifically , we can take function SSL_CTX_set_verify() for
example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
SSL_VERIFY_NONE, null), we should verify the certificate by calling the
function SSL_get_peer_certificate() to get the certificate at first.
Then use X509 APIs or self-define function to verify the certificate we
get. If the source code does not match this model, then we can deduce
this code is vulnerable. And other APIs have similar problems.

To verify the result we make, we attack the software manually.

we take  expired time check for example :
1. change the system time to 2200 to guarantee the certificate to be expired.

2. run command : ftp-ssl  -z debug 192.168.68.130
    (PS:192.168.68.130 is a norml ftp server)

3. result:succeed!!

The fetch succeeded again and no warning was given, indicating the
software didn't check whether the certificate expired or not.

PS:
for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
and more details you can contact with us, we will be very glad for your 
responce.

Thanks.

** Affects: netkit-ftp-ssl (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1380439

Title:
  ftp-ssl's ssl connection is not secure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netkit-ftp-ssl/+bug/1380439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to