[NT] Internet Explorer HTTPS Certificate Attack

From: support@securiteam.com
Date: 12/24/01


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 24 Dec 2001 18:07:21 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Internet Explorer HTTPS Certificate Attack
------------------------------------------------------------------------

SUMMARY

A flaw in Microsoft Internet Explorer allows an attacker to perform an SSL
Man-In-The-Middle attack without the majority of users recognizing it. In
fact, the only way to detect the attack is to manually compare the server
name with the name stored in the certificate.

DETAILS

There is a flaw in the way Internet Explorer checks HTTPS objects that are
embedded in normal HTTP pages. According to the tests conducted, Internet
Explorer only checks whether the certificate of the HTTPS server is
properly signed by a trusted CA; it completely ignores whether the
certificate was issued to the correct name or has already expired.

On its own this is not dangerous, because the user does not consider HTTPS
objects embedded in an HTTP page secure. The problem is that Internet
Explorer flags the certificate as trusted and caches this trust decision
until the browser session ends. That means that once you have visited a
normal HTTP page that included an image from the MIMed SSL server (for more
information on MIM SSL, see http://www.phrack.org/show.php?p=57&a=13),
Internet Explorer will not warn you about an illegal site certificate as
long as the certificate was signed by, for example, Verisign.

A possible scenario would be:
The hacker runs a MIM attacking tool for HTTP/HTTPS in the subnet of your
site. The HTTP part of the tool automatically appends

<img src="https://www.example.com/nonexistent.gif" width=1 height=1>

to any HTML page that is returned to your customer's browser, and the HTTPS
part presents the browser a valid but stolen certificate for www.shop.com.
Internet Explorer will only check whether the cert was signed by a trusted
CA when trying to display the image; it won't compare the name inside the
cert or check the expiration date. If your customer now tries to log in to
your site via HTTPS, Internet Explorer will consider the cert trustworthy
without checking it again. Your customer will only be able to determine
that he was just tricked by manually checking the server name in the cert.
However, you can be sure that only paranoid people would check; the
majority of people don't even know how to do so. Imagine the hacker stole
the cert for "yoursite.de". How many users of "yoursite.com" would distrust
a cert that was issued for "yoursite.de"? The average user knows nothing
about SSL other than that it makes his payment "secure".
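The scenario above, replayed as an added example that is not code from the advisory or from Stefan Esser's proof of concept. It models the three checks a browser must run on a server certificate (trusted issuer, validity period, name match) and the per-session trust cache the advisory describes, in two policies: "ie_2001" reproduces the reported behaviour (embedded objects get only the CA-signature check, and the result is cached by certificate alone), while "strict" runs every check on every request and keys the cache by certificate and host name. Certificates are constructed dicts rather than real X.509 objects; the CA name, fingerprint, dates and host names are hypothetical, and the wildcard rule follows RFC 2818.

```python
"""Added example, not code from the advisory: a minimal model of browser
certificate checks plus the session trust cache described in the text.
Certificates are constructed dicts, not real X.509; all names are hypothetical."""
from datetime import datetime, timezone

TRUSTED_CAS = {"Example Root CA"}  # constructed trust store


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818-style match: case-insensitive; a wildcard is allowed only as
    the complete leftmost label, matches exactly one label, and may not
    stand directly in front of a top-level domain (so "*.com" never matches)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def validate_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Return the list of failed checks; an empty list means acceptable."""
    failures = []
    if cert["issuer"] not in TRUSTED_CAS:
        failures.append("issuer not trusted")
    if not cert["not_before"] <= now <= cert["not_after"]:
        failures.append("outside validity period")
    names = cert["san"] or [cert["subject_cn"]]  # SAN takes precedence over CN
    if not any(hostname_matches(n, hostname) for n in names):
        failures.append("name mismatch")
    return failures


class TrustCache:
    """Session trust cache with two policies (see the lead-in above)."""

    def __init__(self, policy: str):
        self.policy = policy
        self._trusted = set()

    def is_trusted(self, cert: dict, hostname: str, now: datetime,
                   embedded: bool) -> bool:
        if self.policy == "ie_2001":
            key = cert["fingerprint"]          # cached by certificate only
            if key in self._trusted:
                return True                    # no re-validation for the login page
            ok = (cert["issuer"] in TRUSTED_CAS if embedded
                  else not validate_certificate(cert, hostname, now))
        else:
            key = (cert["fingerprint"], hostname.lower())  # cached per host name
            if key in self._trusted:
                return True
            ok = not validate_certificate(cert, hostname, now)
        if ok:
            self._trusted.add(key)
        return ok


# Constructed certificate: legitimately issued to www.shop.com but obtained by
# the attacker, who presents it for www.example.com. Fingerprint is a placeholder.
STOLEN_CERT = {
    "fingerprint": "sha1:PLACEHOLDER-FINGERPRINT",
    "issuer": "Example Root CA",
    "subject_cn": "www.shop.com",
    "san": ["www.shop.com", "shop.com"],
    "not_before": datetime(2001, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2002, 12, 31, tzinfo=timezone.utc),
}
NOW = datetime(2001, 12, 24, tzinfo=timezone.utc)


def run_scenario(policy: str) -> bool:
    """Replay the advisory's scenario; True means the stolen certificate is
    accepted for the customer's HTTPS login to www.example.com."""
    cache = TrustCache(policy)
    # 1. Injected <img src="https://www.example.com/nonexistent.gif">: the image
    #    load reaches the MIM, which presents the stolen certificate.
    cache.is_trusted(STOLEN_CERT, "www.example.com", NOW, embedded=True)
    # 2. The customer logs in at https://www.example.com, a top-level page.
    return cache.is_trusted(STOLEN_CERT, "www.example.com", NOW, embedded=False)


if __name__ == "__main__":
    print("ie_2001:", run_scenario("ie_2001"))  # True: stolen cert accepted
    print("strict :", run_scenario("strict"))   # False: name mismatch both times
```

The point the model makes visible is that the defect is not only the missing name and expiry checks on embedded objects but the cache key: once a trust decision is stored by certificate alone, a later top-level request to a different host inherits it. Keying the cache by (certificate, host name) and running the full validation on every cache miss closes both holes.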

Proof of Concept:
A proof of concept web page is available at http://suspekt.org. Clicking
the "To the secure page..." link will send your browser to
https://suspekt.org without IE warning you that the certificate was not
issued to that server. This is not a MIM, but it has the same effect:
Internet Explorer will tell you a page is secure although the certificate
is illegal, and it is possible for a third party (anyone who owns the given
certificate) to decrypt your traffic in real time.

Vendor Response:
26 November 2001: Microsoft was informed about this vulnerability
27 November 2001: Proof of concept page was visited by lots of MS IPs
01 December 2001: Microsoft informed us with a standard reply that they have received the advisory
12 December 2001: Microsoft was informed that an advisory was going to be released within the next 3 days
13 December 2001: Microsoft asked to wait because the issue is complex due to the fact that a lot of cryptography is involved
21 December 2001: Microsoft sent an update: no patches yet, still a complex issue

ADDITIONAL INFORMATION

The information has been provided by Stefan Esser <security@e-matters.de>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.