In mission-critical application the dangerous code is found

Posted: October 25, 2012 in IT Security News, Security Notices, Vulnerability News
Tags: , , , , , ,

Vulnerability

SSL certificates verification

It appears, not only developers of Android-applications sin with illiterate introduction of SSL, but similar mistakes are present at programs of the leading software companies, including Amazon and Paypal.

Illiterate procedure of verification of SSL certificates is found out in mission-critical application, SDK, Java middleware, bank software etc. that opens before malefactors of possibility for MiTM-attack — anything worse than it and it is impossible to present, researchers from Stenfordsky and Texas universities which published scientific work “The most dangerous code in the world consider: verification of SSL certificates out of the browser”. That fact is worthy mentions that the group of the American scientists worked under the direction of the candidate of science of the Texas university Vitaly Shmatikov.

So, researchers found incorrect procedure of SSL validation in a number of very serious programs:

– Java-library and all the Amazon EC2 cloud customers based on it;

– SDK Amazon and SDK Paypal, which are responsible for transmission of payment data from the trading floor to the payment Gheit;

– Engines online stores osCommerce, ZenCart, Ubercart and PrestaShop;

– Code AdMob in mobile websites;

– Chase Bank’s mobile app, and some other applications and libraries for Android;

– Java middleware for Web services, including Apache Axis, Axis 2, Codehaus XFire and library Pusher for Android, as well as all applications that use the listed middleware.

As an example of carelessness can result in the snippet of code banking application Chase.

public final void checkServerTrusted (X509Certificate []
paramArrayOfX509Certificate, String paramString)
{
if ((paramArrayOfX509Certificate! = null) && (
paramArrayOfX509Certificate.length == 1))
paramArrayOfX509Certificate [0]. checkValidity ();
while (true)
{
return;
this.a.checkServerTrusted (
paramArrayOfX509Certificate, paramString);
}
}

Any SSL connection established by each of listed programs, isn’t safe. The key problem lies not so much in low qualification of developers, how many in bad design of program interfaces for SSL realization (such as JSSE, OpenSSL and GnuTLS) and libraries for data transmission (such as cURL). These API and libraries are difficult for the ordinary programmer, offering it too confused set of settings and options.

Any SSL connection established by each of listed programs, isn’t safe. The key problem lies not so much in low qualification of developers, how many in bad design of program interfaces for SSL realization (such as JSSE, OpenSSL and GnuTLS) and libraries for data transmission (such as cURL). These API and libraries are difficult for the ordinary programmer, offering it too confused set of settings and options.

For example, in cURL there are some parameters for CURL_SSL_VERIFYHOST:

  • The VERIFYHOST=0 parameter is intuitively clear: it disconnects verification of the certificate.
  • The VERIFYHOST=2 parameter carries out correct check and verifies the name of a host specified in the certificate, with a name of a host which shows the certificate.
  • And here параметрVERIFYHOST=1 (VERIFYHOST=TRUE) does something very strange: it checks that the certificate belongs to any host, and then accepts it from any host.

It is clear that many programmers didn’t expect from cURL of such “setup”. By the way, the developer of cURL Deniyel Stenberg already expressed yesterday about it. To it after 10 + years of work on cURL very disappointingly to hear similar charges as for all these years anybody never suggested to change parameters for CURL_SSL_VERIFYHOST.

By results of the situation analysis with SSL realization in various appendices Shmatikov with colleagues developed a number of recommendations, including they recommend to use the special software for check of a correctness of a program code and a pentesting: for example, TLSPretense program. There is also accurate instruction how to realize verification of SSL certificates by means of OpenSSL and a repository of examples of the correct SSL Conservatory code.

Related links:

https://malwarelist.net/2012/09/08/hypertext-transfer-protocol-secure-https/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s