RE: Can you impersonate a client side cert??

From: Ed Moyle (emoyle@scsnet.csc.com)
Date: 01/29/02


Date: Tue, 29 Jan 2002 09:22:55 -0500
From: Ed Moyle <emoyle@scsnet.csc.com>
To: pmawson@deloitte.co.nz, pen-test@securityfocus.com

On Monday, January 28, 2002 17:32 pmawson@deloitte.co.nz wrote:

> Phrack #57 - Hang on, Snoopy (by stealth)
> http://www.phrack.org/show.php?p=57&a=13
> Herein lies the answer to your question.

It should be noted that this article *only applies* to CAs that are unknown to the browser and is focused primarily on server certs used for SSL. With respect to client-side certs, the web server will only trust certs issued by a known, valid CA. In most applications, servers only trust certs issued by a particular CA (perhaps a local CA) and not the universe of possible commercial CAs that are available by default in the web server (since commercial CAs typically have pretty weak auth criteria - Verisign, for example, lets you get one for "test purposes" using just your email address.) So, using a spurious CA that you control is (usually) out of the question.

If you can get a *trusted* CA to issue you a cert with a CN that you can control (this is not always easy to do), the only way you can impersonate is if the application uses custom-written software that checks only the CN and not any other information on the cert. This is not a common practice for exactly the reason that is being discussed. Many times the SN is used, which is unique per CA.

Some resources regarding mapping a cert to a user in particular environments:

Microsoft has an article on how this is set up w/ IIS. Check out: http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp

IBM has a similar article for websphere:
http://www-4.ibm.com/software/webservers/appserv/doc/v35/ae/infocenter/was/050505.html

Note that in both cases, doing a mapping based on CN where *more than one CA is trusted* and/or *uniqueness of CN is not enforced* is incredibly dangerous and hence is typically avoided... At the very least, DN should be used.

Just my $.02...
-E
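As an added illustration of the mapping point made in the post above (example code, not part of Ed Moyle's message or either vendor's documentation), the Go program below builds a constructed trusted CA and a constructed rogue CA, issues an "alice" client cert from each with the same serial number, and contrasts mapping on CN alone with chain validation against the single trusted CA followed by lookup on issuer DN + serial number. The CA names, serials and the user table are all assumptions made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a constructed test cert: a self-signed CA when parent is nil, else a client cert signed by parent.
func newCert(cn string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	signer, skey := parent, pkey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, skey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, skey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// mapKey is issuer DN + serial number, unique within one CA (the "SN" the post mentions).
func mapKey(c *x509.Certificate) string { return c.Issuer.String() + "#" + c.SerialNumber.Text(16) }
// userByCN is the weak mapping the post warns about: any cert whose CN is "alice" is alice, whoever issued it.
func userByCN(c *x509.Certificate) string { return c.Subject.CommonName }
// userByIssuerSerial requires a chain to the single trusted CA, then resolves the user by issuer + serial, not CN.
func userByIssuerSerial(c *x509.Certificate, roots *x509.CertPool, users map[string]string) (string, error) {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // rogue CA, expired, wrong EKU, etc.: reject before touching the user table
	}
	if u, ok := users[mapKey(c)]; ok { return u, nil }
	return "", fmt.Errorf("valid cert %s has no user mapping", mapKey(c))
}
// fixture (constructed): trusted and rogue CAs each issue "alice" with serial 4242; only the trusted CA is a root.
func fixture() (genuine, rogue *x509.Certificate, roots *x509.CertPool, users map[string]string) {
	trustedCA, trustedKey := newCert("Corp Internal CA", 1, nil, nil)
	rogueCA, rogueKey := newCert("Rogue CA", 1, nil, nil)
	genuine, _ = newCert("alice", 4242, trustedCA, trustedKey)
	rogue, _ = newCert("alice", 4242, rogueCA, rogueKey)
	roots = x509.NewCertPool()
	roots.AddCert(trustedCA)
	return genuine, rogue, roots, map[string]string{mapKey(genuine): "alice"}
}
```

With this fixture, userByCN accepts the rogue cert as "alice" while userByIssuerSerial rejects it at chain validation and still resolves the genuine cert to "alice".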

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
