checkbox fails to verify ssl validity in data exchange with launchpad.net

Bug #625076 reported by dave b.
This bug affects 2 people
Affects            Status        Importance  Assigned to  Milestone
Checkbox           Fix Released  High        Marc Tardif
checkbox (Ubuntu)  Fix Released  High        Marc Tardif
Maverick           Won't Fix     High        Marc Tardif

Bug Description

Binary package hint: checkbox

Checkbox collects personal and private system data and sends it to launchpad.net. However, it fails to verify that the ssl certificate for launchpad.net is valid.

Here is the relevant code.
plugins/launchpad_exchange.py uses HTTPTransport from checkbox/lib/transport.py, which uses
httplib.HTTPSConnection by default. This is not secure as per the documentation at http://docs.python.org/library/httplib.html#httplib.HTTPSConnection

However, if the user is using an https proxy (really unlikely), then the code (connection = ProxyHTTPSConnection(host, port)) will use the ProxyHTTPSConnection connection which does ->

class ProxyHTTPSConnection(ProxyHTTPConnection):

    default_port = httplib.HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None):
        ProxyHTTPConnection.__init__(self, host, port)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        ProxyHTTPConnection.connect(self)
        self.sock = _ssl_wrap_socket(self.sock, self.key_file, self.cert_file)

So it would use _ssl_wrap_socket

which is defined at the top as

# Build the appropriate socket wrapper for ssl
try:
    # Python 2.6 introduced a better ssl package
    import ssl
    _ssl_wrap_socket = ssl.wrap_socket
except ImportError:
    # Python versions prior to 2.6 don't have ssl and ssl.wrap_socket instead
    # they use httplib.FakeSocket
    def _ssl_wrap_socket(sock, key_file, cert_file):
        ssl_sock = socket.ssl(sock, key_file, cert_file)
        return httplib.FakeSocket(sock, ssl_sock)

However, as the code has connection = ProxyHTTPSConnection(host, port) --> when it is going to use the ProxyHTTPSConnection class, the certificate information will be None here and therefore this code (from what I see) will not make the data transfer between checkbox and launchpad.net secure via the https proxy.

You can test this out by editing /etc/hosts and pointing launchpad.net to another ip (which has an https server running) and viewing the data exchange in wireshark.

dave b. (d+b)
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
Kees Cook (kees)
Changed in checkbox (Ubuntu):
milestone: none → ubuntu-10.10-beta
status: New → Confirmed
importance: Undecided → High
Steve Beattie (sbeattie) wrote :

Marc, can you look at this issue? Thanks.

Changed in checkbox (Ubuntu Maverick):
assignee: nobody → Marc Tardif (cr3)
Changed in checkbox (Ubuntu Maverick):
milestone: ubuntu-10.10-beta → ubuntu-10.10
Marc Tardif (cr3) wrote :

I have linked a branch to this bug which attempts to fix the problem and requested a merge proposal to be reviewed by Kees, just to make sure the problem is being addressed securely.

Changed in checkbox (Ubuntu Maverick):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package checkbox - 0.10.3

---------------
checkbox (0.10.3) maverick; urgency=low

  New upstream release (LP: #638333):
  * Fixed verification of SSL validity (LP: #625076)
  * Improved audio test questions.
 -- Marc Tardif <email address hidden> Tue, 14 Sep 2010 12:43:51 -0400

Changed in checkbox (Ubuntu Maverick):
status: In Progress → Fix Released
dave b. (d+b) wrote :

You know what, this bug isn't fixed. You clearly didn't test it.
As per http://bugs.python.org/issue1589 you are vulnerable. Test it yourself using the test I put above again... all that is different is that now don't follow the redirect to a http:// location from what I can see.

So your application is still vulnerable, as long as I have a certificate signed by a CA in the CA store, I can MITM checkbox.

Please test your patches before saying they fix things and EVEN better add a test to check it has been fixed.

Please let me know if I am wrong :)

dave b. (d+b) wrote :

XXX - - [29/Sep/2010:22:31:30 +1000] "POST https://launchpad.net/+hwdb/+submit HTTP/1.1" 404 4 "https://launchpad.net/+hwdb/+submit" "checkbox-gtk/0.9.1"
to my host for example ;)

Marc Deslauriers (mdeslaur) wrote :

Reopening bug as per last comment. Checkbox must also validate that the hostname matches the certificate. Please see example code in the following places:

http://bugs.python.org/issue1589
http://mercurial.selenic.com/bts/issue2407
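
Added example, not Checkbox's code and not the patch that was merged: the two separate checks this thread is about, written against Python 3's ssl module. The function names and both sample certificates are constructed for illustration; the matcher handles DNS names only (no IP address SANs) and accepts a wildcard only as the whole leftmost label.

```python
import ssl

def context_gaps(ctx):
    """List the verification steps an ssl.SSLContext would skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not checked")
    return gaps

def unverified_context():
    # Models ssl.wrap_socket(sock, key_file, cert_file): cert_reqs defaults to CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    # Models the state the later comments describe: CA chain checked, peer name not.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx

def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with the host we meant to reach."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # '*' only as the whole leftmost label
        return p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, hostname):
    """cert: dict shaped like the return value of SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # commonName is consulted only when no DNS SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)

# Constructed sample certificates (not real ones); assume both chain to a trusted CA.
EXPECTED = {"subject": ((("commonName", "launchpad.net"),),),
            "subjectAltName": (("DNS", "launchpad.net"), ("DNS", "*.launchpad.net"))}
OTHER_SITE = {"subject": ((("commonName", "other-site.example"),),),
              "subjectAltName": (("DNS", "other-site.example"),)}

if __name__ == "__main__":
    for name, ctx in [("wrap_socket defaults", unverified_context()),
                      ("CA check only", chain_only_context()),
                      ("create_default_context", ssl.create_default_context())]:
        print(name, "->", context_gaps(ctx) or "no gaps")
    print("other-site cert for launchpad.net:", cert_matches_host(OTHER_SITE, "launchpad.net"))
```

A regression test for a fix like this can assert that a client context reports no gaps and that a validly signed certificate for a different name is rejected.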

Changed in checkbox (Ubuntu):
status: Fix Released → Confirmed
Changed in checkbox (Ubuntu Maverick):
status: Fix Released → Confirmed
Changed in checkbox (Ubuntu Maverick):
milestone: ubuntu-10.10 → maverick-updates
Jamie Strandboge (jdstrand) wrote :

@Marc Tardif, what is the status of this bug?

Ara Pulido (ara) wrote :

We will have a look at this one during next week's sprint

Changed in checkbox:
assignee: nobody → Canonical Hardware Certification (canonical-hw-cert)
importance: Undecided → High
milestone: none → 0.12.5
status: New → Triaged
Ara Pulido (ara)
Changed in checkbox:
milestone: 0.12.5 → 0.12.6
Marc Tardif (cr3)
Changed in checkbox:
status: Triaged → In Progress
assignee: Canonical Hardware Certification (canonical-hw-cert) → Marc Tardif (cr3)
Marc Tardif (cr3)
Changed in checkbox:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package checkbox - 0.12.7

---------------
checkbox (0.12.7) oneiric; urgency=low

  New upstream release (LP: #850395):

  [Brendan Donegan]
  * Redirecting stderr to pipe to fix the gconf_resource script (LP: #832321)
  * Clear jobs directory when user selects No to recover question (LP: #836623)

  [Daniel Manrique]
  * checkbox/job.py: Guard against bogus timeout values (LP: #827859)
  * More explicit handling of string decoding/encoding, avoids problems with
    non-ascii characters (LP: #833747)
  * Changed architecture from all to any for checkbox base, to build
    architecture-specific binaries (LP: #833696)

  [Jeff Lane]
  * Several corrections necessary due to test name changes or typos found in
    job files

  [Marc Tardif]
  * Connecting hyper text widgets only once (LP: #827904)
  * Detecting MMC readers as OTHER instead of DISK (LP: #822948)
  * Validating the hostname in the SSL certificate (LP: #625076)
  * Validating the submission.xml (LP: #838123)
 -- Daniel Manrique <email address hidden> Fri, 14 Sep 2011 17:15:26 -0400

Changed in checkbox (Ubuntu):
status: Confirmed → Fix Released
Marc Tardif (cr3)
Changed in checkbox:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in checkbox (Ubuntu Maverick):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
