bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] [ MDVSA-2009:206 ] wget


From: Micah Cowan
Subject: Re: [Bug-wget] [ MDVSA-2009:206 ] wget
Date: Fri, 21 Aug 2009 17:51:12 -0700
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Daniel Stenberg wrote:
> Hey
> 
> I just spotted this:
> 
> http://article.gmane.org/gmane.linux.mandrake.security.announce/2077
> 
> ... which refers to the CVE number for the NSS flaw in the same style
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408) but I was
> still a bit surprised since I've not seen any public patch posts here.
> Or did I miss that? What did the Mandriva guys apply? I couldn't find
> their patch.

The CVE link 404s for me. Is it the NUL character issue?

That was fixed in the mainline development repository with changeset
2d8c76a23e7d; I made some modifications to it in a follow-up changeset
f2d2ca32fd1b. I've attached a diff that combines them both.

(The exploit addressed by this fix is described at
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike)

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
diff -r 606f9637368b src/ChangeLog
--- a/src/ChangeLog     Mon Aug 17 20:47:05 2009 -0700
+++ b/src/ChangeLog     Fri Aug 21 17:44:24 2009 -0700
@@ -1,3 +1,14 @@
+2009-08-19  Micah Cowan  <address@hidden>
+
+       * openssl.c (ssl_check_certificate): Only warn about an attack if
+       the hostname would otherwise have matched. Also some formatting
+       cleanup.
+
+2009-08-19  Joao Ferreira  <address@hidden>
+
+       * openssl.c (ssl_check_certificate): Detect embedded NUL
+       characters in the SSL certificate common name.
+
 2009-08-17  Tony Lewis  <address@hidden>
 
        * http.c (gethttp): Ensure that we parse Content-Length before we
diff -r 606f9637368b src/openssl.c
--- a/src/openssl.c     Mon Aug 17 20:47:05 2009 -0700
+++ b/src/openssl.c     Fri Aug 21 17:44:24 2009 -0700
@@ -569,9 +569,11 @@
      - Ensure that ASN1 strings from the certificate are encoded as
        UTF-8 which can be meaningfully compared to HOST.  */
 
+  X509_NAME *xname = X509_get_subject_name(cert);
   common_name[0] = '\0';
-  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
-                             NID_commonName, common_name, sizeof 
(common_name));
+  X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
+                             sizeof (common_name));
+
   if (!pattern_match (common_name, host))
     {
       logprintf (LOG_NOTQUIET, _("\
@@ -579,6 +581,41 @@
                  severity, quote (common_name), quote (host));
       success = false;
     }
+  else
+    {
+      /* We now determine the length of the ASN1 string. If it differs from
+       * common_name's length, then there is a \0 before the string terminates.
+       * This can be an instance of a null-prefix attack.
+       *
+       * 
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+       * */
+
+      int i = -1, j;
+      X509_NAME_ENTRY *xentry;
+      ASN1_STRING *sdata;
+
+      if (xname) {
+        for (;;)
+          {
+            j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
+            if (j == -1) break;
+            i = j;
+          }
+      }
+
+      xentry = X509_NAME_get_entry(xname,i);
+      sdata = X509_NAME_ENTRY_get_data(xentry);
+      if (strlen (common_name) != ASN1_STRING_length (sdata)) 
+        {
+          logprintf (LOG_NOTQUIET, _("\
+%s: certificate common name is invalid (contains a NUL character).\n\
+This may be an indication that the host is not who it claims to be\n\
+(that is, it is not the real %s).\n"),
+                     severity, quote (host));
+          success = false;
+        }
+    }
+  
 
   if (success)
     DEBUGP (("X509 certificate successfully verified and matches host %s\n",

reply via email to

[Prev in Thread] Current Thread [Next in Thread]