Hosting Provided By

Ruby Net::HTTPS library does not validate server certificate CN

From: Chris Clark <cclark(at)isecpartners.com>
Date: Thu Sep 27 2007 - 19:01:36 EDT

iSEC Partners Security Advisory - 2007-006-RubySSL http://www.isecpartners.com

Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby Systems Affected: All Ruby Platforms
Severity: Medium - Compromise of SSL connection integrity Author: Chris Clark <cclark[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: Yes
Advisory URL: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

Summary:

The Ruby Net::HTTP and Net::HTTPS library can be used to make HTTP or HTTPS connections to remote websites. There are several methods for performing these types of connections within the Ruby standard library but the Net::HTTP library is recommended going forward.

A vulnerability results from the Net::HTTPS library failing to validate the name on the SSL certificate agains the DNS name requested by the user. By not validating the name, the library allows an attacker to present a cryptographically valid certificate with an invalid CN.

Details:

The vulnerability is caused by the method connect within http.rb file failing to call post_connection_check after the SSL connection has been negotiated. Since the server certificates CN is not validated against the requested DNS name, the attacker can impersonate the target server in a SSL connection. The integrity and confidentiality benefits of SSL are removed by this vulnerability.

Example:

Do you need help?

If the application uses the following code to connect to the ip address of https://www.citicards.com:

url = "192.193.222.24" #www.citicards.com IP path = "/"
http = Net::HTTP.new(url, 443)

http.use_ssl = true
http.ca_file = "verisign.pem"
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

resp, data = http.get(path, nil)

The connection will succeed. This is an obvious failure as the certificate presented has a CN of www.citicards.com. One caveat is that the attacker must possess a certificate signed by the CA specified in the ca_file attribute.

Fix Information:

This issue has been addressed by adding the appropriate post connection check within http.rb. These patches add the enable_post_connection parameter, which if set to true, will cause the Net::HTTP library to raise an exception when the post connection check fails.

The following trunk Ruby checkin contains the related changes: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500

Ruby 1.8.5:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502

Ruby 1.8.6:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504

Thanks to:

Rachel Engel, GOTOU Yuuzou, and Minero Aoki

Do you need more help?

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification, with offices in San Francisco, Seattle, Ewa Beach, and Los Angeles.

http://www.isecpartners.com
info@isecpartners.com Received on Fri Sep 28 11:28:46 2007

This message: [ Message body ]
Next message: Kees Cook: "[USN-521-1] libmodplug vulnerability"
Previous message: Tor Houghton: "Promise NAS NS4300N GUI bug"
Next in thread: Thomas: "Re: Ruby Net::HTTPS library does not validate server certificate CN"
Reply: Thomas: "Re: Ruby Net::HTTPS library does not validate server certificate CN"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:18:25 EDT