Advisory EM01/2001: Interner Explorer HTTPS certificate attack



                           e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: Interner Explorer HTTPS certificate attack
Release Date: 2001/12/22
Last Modified: 2001/12/25
Author: Stefan Esser [s.esser@hardened-php.net]

Application: Microsoft Internet Explorer 5.0/5.5/6.0
Severity: Vulnerability in IE's SSL Certificate handling allows
undetected SSL Man-In-The-Middle attacks
Risk: Very High
Vendor Status: Notified
Reference: http://security.e-matters.de/advisories/012001.html



Overview:

A flaw in Microsoft Internet Explorer allows an attacker to perform
a SSL Man-In-The-Middle attack without the majority of users recognising
it. In fact the only way to detect the attack is to manually compare the
server name with the name stored in the certificate.

For a basic introduction into SSL MIM attacks I recommend reading:

Phrack #57 - Hang on, Snoopy (by stealth)
http://www.phrack.org/show.php?p=57&a=13


Details:

There is a flaw in the way IE checks HTTPS objects that are embedded into
normal HTTP pages. According to my tests IE does only check if the certi-
ficate of the HTTPS server is properly signed by a trusted CA but totally
ignores if the cert was issued onto the correct name or has already ex-
pired. This is in fact not dangerous because the user considers HTTPS
objects embedded in a HTTP page not secure. The problem is that IE flags
the certificate as trusted and caches this certification trust until your
browser session ends. That means once you visited a normal http page that
included an image from the MIMed SSL Server, IE will not warn you about
an illegal site certificate as long the certificate was signed by f.e.
Verisign.

A possible scenario would be:

Hacker runs a MIM attacking tool for HTTP/HTTPS in the subnet of your
site. The HTTP part of the tool auto appends

<img src="https://www.yoursite.com/nonexistent.gif" width=1 height=1>

to any html page that is returned to your customer's browser and the
HTTPS part presents his browser a valid but stolen certificate for
www.shop.com. IE will only check if the cert was signed by a trusted CA
when trying to display the image and won't compare the name inside the
cert or check the expiration date. If your customer now tries to login
to your site via HTTPS IE will consider the cert trustworthy without
checking it again. Your customer will only be able to determine that he
was just tricked by manually checking the servername in the cert. But
you can be sure that only paranoid people would check. The majority of
people don't even know how they can do so. Imagine the hacker stole the
cert from "yoursite.de"... How many users of "yoursite.com" would not
trust a cert that was issued on "yoursite.de". The average user does
not know anything about SSL than it's making his payment "secure".


Proof of Concept:

A proof of concept webpage was put up at http://suspekt.org. Clicking
onto the "To the secure page..." link will send your browser to
https://suspekt.org without IE warning you that the certificate was not
issued onto that server.

This is not a MIM but it has the same effect: IE will tell you a page is
secure although the certificate is illegal and its possible for a third
party (anyone who owns the given certificate) to decrypt your traffic in
realtime.


Vendor Response:

26 November 2001 - Microsoft was informed about this vulnerability
27 November 2001 - Proof of concept page got visited by lots of MS IPs
01 December 2001 - Microsoft informed us with a standard reply that
they have received the advisory
12 December 2001 - Microsoft was informed that we were going to release
the advisory within the next 3 days
13 December 2001 - Microsoft asked us to wait because the issue is
complex due to the fact a lot of cryptography
is involved
21 December 2001 - Microsoft sent an update: no patches yet,
still a complex issue


Conclusion:

Until today Microsoft did not release a patch, they had nearly a month
time to fix the bug. Instead they call it a very complex issue. Because
I don't know the source code of the Internet Explorer I cannot check the
validity of these claims, but from my point of view fixing this missing
check is just a matter of copy and pasting a few lines. Unfortunately it
is christmas time and especially during the last month millions of cus-
tomers where buying christmas presents on the internet all around the
world. That means millions of customers were shopping with insuffient
protection of their private data. Because there are no patches out yet,
I strongly recommend that you use Mozilla, Opera or another non MS brow-
ser to do your internet banking or shopping these days. If you think
(for whatever strange reason) that you need the Internet Explorer,
ensure that the certificate is the correct by comparing the servername
in the certificate with the one in your browser...


Updated Information:

Today (25th December) we found out that this vulnerability was reported
to Microsoft already 2 years ago by ACROS. At that time (or better half
a year later) Microsoft released the patches for this vulnerability
fixing the bug within IE 4.0 and the early versions of IE 5.0.
The Microsoft Security Bulletin (MS00-039) clearly states that IE5.01SP1
and IE 5.5 are not vulnerable. That means, that one of the "security
patches" that Microsoft released since that date reimplemented the bug
and made all IEs vulnerable again.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6

Copyright 2001 Stefan Esser. All rights reserved.



© Hardened PHP Project