heybuddy bypasses certificate checking when verifying credentials

Bug #798300 reported by Evgeni Golov
Affects: heybuddy
Status: Fix Released
Importance: Critical
Assigned to: jezra

Bug Description

Inspired by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608724 and https://bugs.launchpad.net/gwibber/+bug/705363 I tried the same in heybuddy (0.2.1).

1. Start heybuddy
2. Provide some invented username and password and "badcert.dorei.kerker.die-welt.net/notstatusnet" as Service (there is no StatusNet instance on that host, just my local apache with a self-signed cert)
3. Submit
4. Watch heybuddy connecting and failing with "Service Not Found" (as said, there is no StatusNet instance)

Look in the logfile of my apache:
my.ip.addr.ess - - [16/Jun/2011:17:53:43 +0200] "GET /notstatusnet/api/account/verify_credentials.xml HTTP/1.1" 404 1691 "-" "Python-urllib/2.6"

The request comes from Communicator.verify_credentials():
    authheader = self.get_auth_string(name, password)
    request = urllib2.Request(url)
    # urllib2 in Python 2.x opens the HTTPS connection without checking the
    # server certificate, so this header goes to whatever answers at url.
    request.add_header("Authorization", authheader)
et voila, my password would have been sent to someone who could hijack my connection/dns/whatever.

Python's urllib is sadly not the best thing to handle that stuff :(
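A Python 3 rendering of the fix this report converges on (an added example, not heybuddy's code): the verify_credentials request built over a certificate-validating context, beside a context that behaves the way Python 2.6's urllib2 did, with a guard that refuses to attach the Authorization header unless verification is actually on. Function names other than get_auth_string are mine; the hard-coded Debian CA bundle path the httplib2 patch relies on would be passed as cafile, and cafile=None falls back to the platform trust store.

```python
import base64
import ssl
import urllib.request


def build_context(cafile=None):
    """SSL context that validates the chain and the hostname.

    create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True, the two checks Python 2's urllib2 never made.
    cafile may point at a CA bundle (e.g. the Debian one the httplib2
    patch hard-codes); None uses the platform's default trust store."""
    return ssl.create_default_context(cafile=cafile)


def legacy_context():
    """Equivalent of what urllib2 in Python 2.6 did: trust any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(context):
    """True only if the context rejects untrusted or mis-named certificates."""
    return (context.verify_mode == ssl.CERT_REQUIRED
            and bool(context.check_hostname))


def get_auth_string(name, password):
    """HTTP Basic credential, as heybuddy's get_auth_string() builds it."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return "Basic " + token


def build_verify_request(service, name, password, context):
    """Prepare the verify_credentials call; refuse to attach the password
    unless the TLS context will actually verify the peer.

    Returns (opener, request); the caller runs opener.open(request)."""
    if not is_verifying(context):
        raise ValueError("refusing to send credentials over unverified TLS")
    url = f"https://{service}/api/account/verify_credentials.xml"
    request = urllib.request.Request(url)
    request.add_header("Authorization", get_auth_string(name, password))
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=context))
    return opener, request
```

With the verifying context, a self-signed or mis-named certificate makes opener.open() fail with an ssl.SSLError before the Authorization header ever leaves the client.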

Revision history for this message
jezra (jezra) wrote :

Thanks for bringing this to my attention. I have a feeling this is going to be a difficult fix for the Maemo version.

Changed in heybuddy:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → jezra (jezra)
Evgeni Golov (evgeni) wrote :

I have a fix handy using httplib2. It has two issues though:
 1. needs httplib2 (obviously)
 2. has a hard-coded path to a certificates file on my Debian system (will work on Ubuntu too, no idea about anything else)

See the attached patch.
I can push it to bzr if you don't mind disclosing this issue to the public.

jezra (jezra) wrote :

Thanks for the patch. I'm hoping to find a fix that doesn't require a 3rd party python module. However, when I get home, I'll run some tests of the SSL module and, if I can't get that to work satisfactorily, I'll be implementing your patch.

visibility: private → public
Evgeni Golov (evgeni) wrote :

Have a look at http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700 then.
The code works (I tried); point 2 of my previous post applies though :(

jezra (jezra) wrote :

Would it be alright with you if I used 'badcert.dorei.kerker.die-welt.net/notstatusnet' to test some code?

Evgeni Golov (evgeni) wrote :

Sure you can, the machine should stand your "DoS" just fine ;)
You can also install a local apache and enable the ssl-snakeoil cert in it :)

jezra (jezra)
Changed in heybuddy:
status: Confirmed → Fix Committed
Evgeni Golov (evgeni) wrote : Re: [Bug 798300] Re: heybuddy bypasses certificate checking when verifying credentials

On 06/17/2011 08:11 PM, jezra wrote:
> ** Changed in: heybuddy
> Status: Confirmed => Fix Committed

Thanks!
Stuff from stackoverflow seems to be CC-SA licensed, you should add
proper information to the newly created file :)
And while at it, the source looks strangely indented on some lines, like
here:
http://bazaar.launchpad.net/~jezra/heybuddy/trunk/view/head:/CertificateValidatingHTTPSHandler.py#L62

regards
Evgeni

jezra (jezra)
Changed in heybuddy:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.