Real World Exploit for Bleichenbacher's Attack on SSL from Crypto'06 working

Erik Tews e_tews at cdc.informatik.tu-darmstadt.de
Fri Sep 15 13:29:39 EDT 2006


On Friday, 15.09.2006, at 00:40 +0200, Erik Tews wrote:
> I have to check some legal aspects before publishing the names of the
> browser which accepted this certificate and the name of the
> ca-certificates with exponent 3 I used in some hours, if nobody tells me
> not to do that. Depending on the advice I get, I will release the
> source code of the exploit too.

OK, so here are the names of the browsers I tried:

      * Mozilla Firefox Version 1.5.0.6 and all previous versions
        including all old versions like Netscape 4 seem to be affected.
        They don't display any kind of warning message at all, nor has
        the user the possibility to see something if he looks at the SSL
        connection properties. Firefox 1.5.0.7 was released yesterday
        and contains a fix. Netscape is no longer supported and
        Netscape phoned me and suggested switching to another browser
        like SeaMonkey.
      * Opera 9.01 is affected. Opera is going to release 9.02 very very
        soon which will contain a bugfix. Opera users are automatically
        notified once a week when a new version is available.
      * Konqueror from the KDE project uses OpenSSL for SSL connections.
        They are affected, but after having patched OpenSSL, Konqueror
        is fixed too.

The following certs could be used in the attack:

Starfieldtech has issued the following certificate:

Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://www.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
X509v3 Basic Constraints: CA:TRUE
Serial Number: 260 (0x104)
RSA Public Key: (1024 bit)
Exponent: 3 (0x3)

This can be used to create a CA certificate which seems to be signed by Starfieldtech.

There is another certificate by default in a lot of browsers:

Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
RSA Public Key: (1024 bit)
Exponent: 3 (0x3)
X509v3 Basic Constraints: CA:TRUE
Serial Number: 927650371 (0x374ad243)

This one can be used too.

Depending on the browser you use, there are some other certificates.
Here is a list of the Subject DNs of all CA certs we have found so far
which seem to be affected:

      * C=US, O=Digital Signature Trust Co., OU=DSTCA E1
      * C=US, O=Digital Signature Trust Co., OU=DSTCA E2
      * C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS
        incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited,
        CN=Entrust.net Client Certification Authority
      * C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
        (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net
        Secure Server Certification Authority
      * C=EU, O=AC Camerfirma SA CIF A82743287,
        OU=http://www.chambersign.org, CN=Chambers of Commerce Root
      * C=EU, O=AC Camerfirma SA CIF A82743287,
        OU=http://www.chambersign.org, CN=Global Chambersign Root
      * C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
        Certification Authority
      * C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2
        Certification Authority

I decided to keep the actual implementation of the exploit secret for the moment.

We put up a little webpage summarizing some postings related to the
attack. This is written primarily for end users who want to secure their
browsers, but contains links to some interesting mailing list posts too.

http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
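
An added example, not part of the original post and not the author's code: a check that flags CA certificates with RSA public exponent 3 in `openssl x509 -noout -text` style output, the format of the certificate details quoted above. The sample dump is constructed (subjects trimmed from the post, plus made-up control entries), and the function names are hypothetical.

```python
import re

# Constructed sample in `openssl x509 -noout -text` style. The first two entries
# reuse fields quoted in the post (subjects trimmed); the last two are made up.
SAMPLE = """\
Certificate:
    Subject: C=US, O=Starfield Technologies, Inc., CN=Starfield Secure Certification Authority
    RSA Public Key: (1024 bit)
    Exponent: 3 (0x3)
    X509v3 Basic Constraints: CA:TRUE
Certificate:
    Subject: C=US, O=Entrust.net, CN=Entrust.net Secure Server Certification Authority
    RSA Public Key: (1024 bit)
    Exponent: 3 (0x3)
    X509v3 Basic Constraints: CA:TRUE
Certificate:
    Subject: C=XX, O=Example Org, CN=Example Root CA (constructed)
    Public-Key: (2048 bit)
    Exponent: 65537 (0x10001)
    X509v3 Basic Constraints: critical
        CA:TRUE
Certificate:
    Subject: CN=leaf.example (constructed)
    RSA Public Key: (1024 bit)
    Exponent: 3 (0x3)
    X509v3 Basic Constraints: CA:FALSE
"""

def parse_dump(text):
    """Yield one dict per RSA certificate found in the text dump."""
    for block in re.split(r"(?m)^Certificate:\s*$", text):
        subject = re.search(r"(?m)^\s*Subject:\s*(.+)$", block)
        exponent = re.search(r"Exponent:\s*(\d+)", block)
        if not (subject and exponent):
            continue  # preamble before the first cert, or a non-RSA key
        bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", block)
        yield {"subject": subject.group(1).strip(),
               "exponent": int(exponent.group(1)),
               "bits": int(bits.group(1)) if bits else None,
               "is_ca": re.search(r"\bCA:TRUE\b", block) is not None}

def low_exponent_cas(text, exponent=3):
    """Return the CA certificates whose RSA public exponent equals `exponent`."""
    return [c for c in parse_dump(text) if c["is_ca"] and c["exponent"] == exponent]

if __name__ == "__main__":
    for cert in low_exponent_cas(SAMPLE):
        print(f"e={cert['exponent']} {cert['bits']}-bit CA: {cert['subject']}")
```

To audit a real trust store, feed the function the concatenated text output of `openssl x509 -noout -text` for each certificate in the bundle.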