Comment 6 for bug 7076

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Sun, 04 Jul 2004 12:11:31 +0200
From: marcel boesch <email address hidden>
To: <email address hidden>
CC: marcel boesch <email address hidden>
Subject: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email

Package: Mozilla
Version: 1.6, 1.7

Description of problem:

/*(see https://banquo.inf.ethz.ch:8080/ for a close description)*/
/*Mozilla.org has been informed and a bug has been filed*/

Importing a self-made certificate (call it x) with the same DN as a
built-in CA root cert (called b) overrides the built-in one:
trying to open an SSL page protected by a cert signed by b throws an
error -8182 ('certificate presented by xyz.com is invalid or corrupt')
-> Denial of Service.

This could be automated when importing x via mime type
application/x-x509-email-cert, causing Mozilla to import the cert
silently (bug Nr. 2).
This is also possible via email messages, calling the cert x link
inside an <iframe> tag, leading to a silent import of x when opening
or previewing the message (bug Nr. 3).

Conclusion: a fully automatic DoS of the entire cert store via email
is possible, no user interaction needed.

How reproducible:
Always. Tested with Mozilla 1.6 and 1.7.
Mozilla 1.0.2 is NOT vulnerable.

Steps to Reproduce:
1. Craft a self-signed cert (openssl) with the same DN as a built-in
CA root cert.
2. Import it into the cert store, either manually or by providing it
PEM-encoded using the MIME content type application/x-x509-email-cert
for _silent import_.
3. Your certificate store is "corrupted" from this time on: open a web
site protected by an SSL certificate signed by the root CA cert you've
been forging and you'll get an error -8182.

4. The same can be reached via email by including an <iframe>
pointing to the cert's location, leading to a fully automatic silent
import of the cert.

Actual Results:
Mozilla imports the "forged" root cert into the "authorities" tab of
the cert manager as an untrusted root. You can identify it by the
column "security device": it's stored in the "software security
device" instead of the "Builtin Object Token". However, your
certificate store is "corrupted" from this time on: open a web site
protected by an SSL certificate signed by the root CA cert you've been
forging and you'll get an error -8182.

Expected Results:
Mozilla silently (without any warning/message!) imports the root cert
into the "authorities" tab of the cert manager as an untrusted root
when it is served as type application/x-x509-email-cert. According to
the principles Visibility and Clarity for 'safe and secure CA-related
UI dialogs' proposed in chapter 4.2 of my diploma thesis, instead of no
user feedback, an adequate treatment of this situation would be to
show the import dialogue.

During my diploma thesis on rogue CAs' possibilities, one part of the
work was to evaluate today's browsing software.

Contact me: This bug was found as part of my diploma thesis, which is
still going on. If you have any suggestions or ideas, contact me at
<email address hidden> (PGP Key: 0x0AA132A7141D27C8
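The failure mode the report describes, as an added example that is not part of the report and not Mozilla or NSS code: a toy certificate store in which the issuer of a site certificate is looked up by subject DN alone and the most recently imported match wins, so a self-signed cert x with the same DN as the built-in root b shadows b and signature verification of the site cert fails with -8182. The lookup rule, the DN, the key bytes and the "signature" (a SHA-256 stand-in, deliberately not cryptography) are all constructed assumptions used to model the behaviour, not a description of NSS internals. The block goes beyond the report by also showing the hardened lookup a practitioner would want: narrow the candidates by authority key identifier and try every cert carrying the issuer's name rather than stopping at the first (or last) one.

```python
import hashlib
from dataclasses import dataclass

# NSS error codes (SEC_ERROR_BASE is -8192); -8182 is the code quoted in the report.
SEC_ERROR_BAD_SIGNATURE = -8182
SEC_ERROR_UNKNOWN_ISSUER = -8179
SEC_ERROR_UNTRUSTED_ISSUER = -8172
OK = 0


def toy_sign(key: bytes, tbs: bytes) -> bytes:
    """Stand-in for an RSA signature; deliberately NOT cryptography. It only gives the one
    property the model needs: a cert signed under key K verifies against K and no other."""
    return hashlib.sha256(key + tbs).digest()


def key_id(key: bytes) -> bytes:
    """Stand-in for a Subject/Authority Key Identifier: a hash of the public key."""
    return hashlib.sha256(key).digest()[:8]


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes               # toy public key
    signature: bytes
    token: str               # "Builtin Object Token" or "Software Security Device"
    trusted: bool            # trust bit for issuing SSL server certs
    authority_key_id: bytes  # identifies the signing key (AKI stand-in)

    def tbs(self) -> bytes:
        # the to-be-signed part: every field except the signature
        return f"{self.subject}|{self.issuer}|".encode() + self.key + self.authority_key_id


def make_root(dn: str, key: bytes, token: str, trusted: bool) -> Cert:
    """Self-signed root: signs its own tbs with its own key."""
    unsigned = Cert(dn, dn, key, b"", token, trusted, key_id(key))
    return Cert(dn, dn, key, toy_sign(key, unsigned.tbs()), token, trusted, key_id(key))


def issue(root: Cert, subject: str, key: bytes) -> Cert:
    """End-entity cert for `subject`, signed by `root`; not stored in any token."""
    unsigned = Cert(subject, root.subject, key, b"", "n/a", False, key_id(root.key))
    return Cert(subject, root.subject, key, toy_sign(root.key, unsigned.tbs()),
                "n/a", False, key_id(root.key))


def verifies_under(leaf: Cert, issuer: Cert) -> bool:
    return toy_sign(issuer.key, leaf.tbs()) == leaf.signature


class CertStore:
    """Certs in import order: the built-in token is loaded first, user imports come later."""
    def __init__(self) -> None:
        self.certs: list[Cert] = []

    def add(self, cert: Cert) -> None:
        self.certs.append(cert)

    def by_subject(self, dn: str) -> list[Cert]:
        return [c for c in self.certs if c.subject == dn]


def verify_first_match(store: CertStore, leaf: Cert) -> int:
    """Model of the reported behaviour (an assumption about the lookup, not NSS code): the
    issuer is found by DN alone and the most recently imported match wins, so a user-imported
    cert with the same DN shadows the built-in root and the signature check fails."""
    candidates = store.by_subject(leaf.issuer)
    if not candidates:
        return SEC_ERROR_UNKNOWN_ISSUER
    issuer = candidates[-1]
    if not verifies_under(leaf, issuer):
        return SEC_ERROR_BAD_SIGNATURE          # the report's -8182
    return OK if issuer.trusted else SEC_ERROR_UNTRUSTED_ISSUER


def verify_all_candidates(store: CertStore, leaf: Cert) -> int:
    """Hardened lookup: narrow by the leaf's authority key id when present, then try every
    remaining cert carrying the issuer's DN and accept if any trusted one verifies."""
    candidates = store.by_subject(leaf.issuer)
    if leaf.authority_key_id:
        keyed = [c for c in candidates if key_id(c.key) == leaf.authority_key_id]
        candidates = keyed or candidates      # fall back to name-only if nothing matches the AKI
    if not candidates:
        return SEC_ERROR_UNKNOWN_ISSUER
    verified = [c for c in candidates if verifies_under(leaf, c)]
    if not verified:
        return SEC_ERROR_BAD_SIGNATURE
    return OK if any(c.trusted for c in verified) else SEC_ERROR_UNTRUSTED_ISSUER


def demo() -> tuple[int, int, int]:
    """Walk through the report: built-in root b, a site cert signed by b, then the self-signed
    cert x with the same DN imported (untrusted) into the software security device."""
    root_dn = "C=XX, O=Example Root CA, CN=Example Root"   # constructed DN, not a real root
    b = make_root(root_dn, b"builtin-root-key", "Builtin Object Token", trusted=True)
    site = issue(b, "CN=xyz.com", b"site-key")
    store = CertStore()
    store.add(b)
    before = verify_first_match(store, site)               # OK: only b carries that DN
    x = make_root(root_dn, b"attacker-key", "Software Security Device", trusted=False)
    store.add(x)                                           # the silent import from the report
    after = verify_first_match(store, site)                # -8182: x shadows b, signature fails
    fixed = verify_all_candidates(store, site)             # OK: b is still found and verifies
    return before, after, fixed


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that a name collision in the store must never be able to make a valid chain unverifiable: identity of the issuer is the key that signed, not the string in the DN, so the lookup keys on the AKI first and otherwise treats every same-name cert as a candidate. Trust is then decided per candidate, which is why the untrusted x cannot be used to accept anything either.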