Null-Prefix SSL Attacks Enabled In New sslsniff

← Back to Stories (view on slashdot.org)

Null-Prefix SSL Attacks Enabled In New sslsniff

Posted by timothy on Tuesday August 4, 2009 @01:53AM from the ready-or-not-here-it-comes dept.

An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult."

48 comments

Min score:

Reason:

Sort:

New toy by b1nary+atr0phy · 2009-08-04 01:59 · Score: 0

Hmmm..good. I've been looking for some new toys.
1. Re:New toy by Anonymous Coward · 2009-08-04 02:55 · Score: 1, Funny
  
  Have you tried a vibrating butt plug?
SSLSniff? by Anonymous Coward · 2009-08-04 02:02 · Score: 0

Sniffing SSL isn't good for your nasals
Re:fp by v1 · 2009-08-04 02:03 · Score: 1

but they've already got WIndows installed?

--
I work for the Department of Redundancy Department.
Re:Just to make things easier in the future by Anonymous Coward · 2009-08-04 02:07 · Score: 0

Every product is still vulnerable.
FTFY
Appears to coincide.. by sys.stdout.write · 2009-08-04 02:10 · Score: 4, Insightful

appears to coincide with a patch from Mozilla
If some guy waited until Microsoft fixed a vulnerability to release a patch, but not before Mozilla fixed the patch, then we would all be crying foul.

Since it's the other way around, nobody will have a problem I'm sure.
1. Re:Appears to coincide.. by sys.stdout.write · 2009-08-04 02:11 · Score: 4, Funny
  
  And by "fixed the patch" I mean "I'm retarded".
  
  English is hard.
2. Re:Appears to coincide.. by Kurusuki · 2009-08-04 02:15 · Score: 1
  
  If one waited until Microsoft fixed a vulnerability we'd be waiting until Hell is ordering winter parkas
3. Re:Appears to coincide.. by Anonymous Coward · 2009-08-04 02:38 · Score: 0
  
  I'm curious if this exploit also affects non-browsers such as wget and repository package managers.
4. Re:Appears to coincide.. by The+MAZZTer · 2009-08-04 02:48 · Score: 2, Informative
  
  Microsoft issue a fix before Mozilla? I don't think you understand how "Patch Tuesday" works.
5. Re:Appears to coincide.. by BasharTeg · 2009-08-04 03:01 · Score: 3, Interesting
  
  You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browsers wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.
  What about all the other vendors of SSL dependent software? SSL based VPNs like OpenVPN for example. No love for them either? Just Mozilla?
  It shows how people like Dan K are smart enough to recognize major vulnerabilities that can potentially affect massive amounts of service/traffic/commerce need to be handled differently. It doesn't reduce the respect you gain as a security researcher for finding such a major flaw to give vendors notification in a reasonable time period before publication. I'm all for full disclosure as a means of punishing companies that don't respond, but for larger vulnerabilities I think notification and a deadline are the way to go.
6. Re:Appears to coincide.. by mrsteveman1 · 2009-08-04 03:03 · Score: 5, Funny
  
  I do, it comes right after "oh-shit-we're-screwed sunday and "pwned monday".
7. Re:Appears to coincide.. by Anonymous Coward · 2009-08-04 03:19 · Score: 0
  
  Don't beat yourself up. I still didn't get what was wrong with the wording in that other story summary "a bit faster, ... 5 times less power, ... 10 times cheaper."
8. Re:Appears to coincide.. by Anonymous Coward · 2009-08-04 03:26 · Score: 1, Informative
  
  If this guy didn't inform anyone except Mozilla...
  From the security advisory at Mozilla
  
  Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem.
  Looks like MS was informed (as they certainly should have been), just considerably slower on the fix (imagine that?). How long should have Mozilla waited before releasing their fix? Until after Windows 7 ships and MS decides they can afford some dev cycles to go patch WinXP?
9. Re:Appears to coincide.. by John+Hasler · 2009-08-04 03:35 · Score: 2, Insightful
  
  Evidently Mozilla was notified as early as February. What makes you think that Microsoft wasn't notified at the same time?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
10. Re:Appears to coincide.. by John+Hasler · 2009-08-04 03:37 · Score: 1
  
  According to the article Dan K was one of the people who discovered the flaw. Why do you assume that Microsoft and others weren't notified months ago when Mozilla was?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
11. Re:Appears to coincide.. by gnasher719 · 2009-08-04 03:41 · Score: 4, Informative
  
  You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browsers wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.
  Reading the article, there seemed to be a good reason to inform Mozilla first, because they were the most vulnerable. Apparently, to spoof say Internet Explorer, you need a certificate for "www.ebay.com\0.evilhackers.com", one for "www.amazon.com\0.evilhackers.com" and so on, but to spoof Mozilla-based browsers, a certificate for "*\0.evilhackers.com" will be accepted for _every_ site in existence.
12. Re:Appears to coincide.. by Ingenium13 · 2009-08-04 04:48 · Score: 1
  
  OpenVPN wouldn't be affected by this. Unlike a browser, it doesn't go fetch a certificate and verify it against the domain name of the server; instead, the client already has the certificate and compares it to the server's certificate. In other words, OpenVPN's certificates aren't based on domain names. I'm pretty sure other SSL based VPNs are the same.
13. Re:Appears to coincide.. by Anonymous Coward · 2009-08-04 08:17 · Score: 0
  
  "5 times less" makes absolutely no sense. The most valid interpretation I can think of would be A - 5A = -4A. Five times than something is four times its negative. Similarly, "2 times more" or "200% increase" means A + 2A = 3A, or triple the original value, whereas "Twice as many" or "Twice as much" clearly means 2A.
  I think using the word "times" in this context is rather slangy and ambiguous. I wish they never taught it to me in grade school.
14. Re:Appears to coincide.. by Benfea · 2009-08-04 09:32 · Score: 1
  
  I refuse to accept your answer! You are clearly part of the conspiracy against Microsoft! *chews on carpet*
15. Re:Appears to coincide.. by Curtman · 2009-08-05 22:50 · Score: 1
  
  And stunnel which makes non-SSL apps into SSL capable apps.
Winning combination by Norsefire · 2009-08-04 02:11 · Score: 5, Funny

Excellent technical skills, interest in hacking and a name that no security department will take seriously.
1. Re:Winning combination by MyLongNickName · 2009-08-04 02:30 · Score: 5, Funny
  
  Moxie Marlinspike? I thought we had a new Ubuntu release. And I was wondering what happened to the L's.
  
  --
  See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
2. Re:Winning combination by Anonymous Coward · 2009-08-04 14:44 · Score: 0
  
  Oh, you fucking bastard, you made me crap my pants.
linux spell check? by Anonymous Coward · 2009-08-04 02:12 · Score: 0

does linux have a spell check? "atttacks"?
C null-terminated string brain damage! by morgan_greywolf · 2009-08-04 02:21 · Score: 1

Gotta love that C null-terminated string brain damage!\0Heh. Stupid fsckers will never see this!!!

--
My blog
1. Re:C null-terminated string brain damage! by bill_mcgonigle · 2009-08-04 08:40 · Score: 1
  
  Gotta love that C null-terminated string brain damage!\0Heh. Stupid fsckers will never see this!!!
  
  Yay, Slashdot is written in perl. ;)
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Say what you will about CryptoAPI by Anonymous Coward · 2009-08-04 02:23 · Score: 0

... it's a hell of a lot easier to use than OpenSSL.
1. Re:Say what you will about CryptoAPI by Anonymous Coward · 2009-08-04 02:33 · Score: 0
  
  Dude, OpenSSL is so much easier. I write my own openssl.conf files from scratch. I'm hardcore.
2. Re:Say what you will about CryptoAPI by Anonymous Coward · 2009-08-04 02:46 · Score: 0
  
  Careful with that. You forgot all the:
  This post includes cryptographic software written by ...
3. Re:Say what you will about CryptoAPI by DarkOx · 2009-08-04 09:05 · Score: 1
  
  What planet are you on? CryptoAPI is only easier if all you want is the most basic web server certificate functions. As soon as you start wanting to do any custom subjects or anything else even slightly outside the the nine dots CryptoAPI is a confusing mess.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Protocols by ledow · 2009-08-04 02:24 · Score: 2, Interesting

Just wondering... will this help analysis of some "secured" protocols, maybe?
I don't know how it works, but let's say something like Steam uses SSL or similar (I have no idea if it does, just pretend)... before we couldn't do the protocol analysis without a massive reverse-engineering going on (could only see "client to server" messages because we only have access to the client's private key). Now we might be able to fool non-patched SSL programs to believe that they are talking to an authentic server without having to delve into their code and thus be able to see / fake both sides of the conversation?
Am I way off the mark, or is this now possible with unpatched programs relying on SSL etc. layers to hide their protocols?
1. Re:Protocols by nxtw · 2009-08-04 02:40 · Score: 1
  
  If the program uses a known API for encrypted communication and is linked dynamically, one could simply provide a shared library/DLL that copies the unencrypted messages... the API implementation used doesn't even have to be open source, as one could just write an intermediary library that implements all the functions of the original and copies the data before calling the original library.
  If the program dynamically links to an open-source library for encryption, or runs on Wine, you can just modify the implementation.
dot your i's and cross your t's by kronosopher · 2009-08-04 02:26 · Score: 2, Funny

.. even extra unnecessary ones.

Is an "atttack" anything like an "attack"?
1. Re:dot your i's and cross your t's by TheRaven64 · 2009-08-04 02:48 · Score: 2, Funny
  
  It's an attack with Mr T in the middle.
  
  --
  I am TheRaven on Soylent News
2. Re:dot your i's and cross your t's by dkleinsc · 2009-08-04 03:24 · Score: 1
  
  Well, in that case I pity the foo' who can't spell right.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
3. Re:dot your i's and cross your t's by Ironica · 2009-08-04 07:50 · Score: 2, Funny
  
  It's an attack with Mr T in the middle.
  You mean it's a man-in-the-middle attack?
  
  --
  Don't you wish your girlfriend was a geek like me?
Re:Just to make things easier in the future by gparent · 2009-08-04 02:36 · Score: 3, Insightful

every product [...] is still vulnerable,
Fixed.
The actual paper by Anonymous Coward · 2009-08-04 02:45 · Score: 4, Informative

Here's a link to the actual paper on the topic:
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
Yeah, right by FranTaylor · 2009-08-04 02:59 · Score: 2, Interesting

That is the first thing they think of. You can bet your lunch money that they statically link their crypto library, and then obfuscate the binary for good measure.
1. Re:Yeah, right by greed · 2009-08-04 07:50 · Score: 2, Interesting
  
  Mua-ha-ha-ha.
  I've run into one of those annoying runtime licensing systems that not only uses out-of-the-box static build of OpenSSL in its code, it's an older version, too.
  Unobfuscated. With all the original OpenSSL symbol names. But they don't provide _all_ of OpenSSL, so you can't just use their old & busted one.
  Yes, this causes a serious multiple-definition problem if you want to use that library in an SSL application.
  Their "fix"? "Remove these filenames from the .a file we sent you. And these ones. And these, too."
NoLoveForDanKaminsky by StickyWidget · 2009-08-04 04:16 · Score: 1

You gets no love.
Tagged:noLoveForDanKaminsky
~Sticky
Don't forget the time machine by someone1234 · 2009-08-04 05:21 · Score: 1

And it would require some kind of time machine to jump back before Mozilla fixed the same vulnerability.

--
Patents Drive Free Software as Hurricanes Drive Construction Industry
Interesting, but not exactly new by BillX · 2009-08-04 15:49 · Score: 1

He found that if he created certificates for his own Internet domain that included null characters -- often represented with a \0 -- some programs would misinterpret the certificates.
That's because some programs stop reading text when they see a null character.
This is the same exploit used in an older Nintendo Wii jailbreak - people just keep on using strcmp and its cousins to compare hashes.

--
Caveat Emptor is not a business model.
Three parts to this by pclminion · 2009-08-04 15:57 · Score: 1

I saw Moxie's talk at BlackHat. Extremely good presentation. There are three things necessary to carry out this attack:
1. You need to convince a CA to sign your CR when you have a \0 in the common name.
2. You need to target a browser or other application that uses a vulnerable certificate parser.
3. You need to be able to execute a MitM attack.
And of course, there's a weak "4":
4. You need to be able to forge the OCRP "Try later" response, which is trivial since you're already "in the middle."
As far as part #1, the CAs have been informed, and no longer will sign a CR where the common name has a \0 character. But there may be (in fact, definitely are) null-prefix certificates in the wild which were created before this issue was widely known
As far as part #2, the application teams are scrambling to fix their implementations
As far as part #3, the various MitM methods are well known and not specific to this attack
As far as part #4, the OCRP protocol is terminally brain dead and needs to be chucked out the window, or at least revised such that all of the valid response codes require a signature payload to authenticate that the OCRP response is actually from a legitimate CA