Penetration Testing mailing list archives

RE: Can you impersonate a client side cert??


From: pmawson () deloitte co nz
Date: Tue, 29 Jan 2002 11:32:01 +1300

Have a look at this article.

 Phrack #57 - Hang on, Snoopy (by stealth)
   http://www.phrack.org/show.php?p=57&a=13

Herein lies the answer to your question.

Phill

-----Original Message-----
From: Bryan Allerdice [mailto:bryan_allerdice () yahoo com]
Sent: Tuesday, 29 January 2002 9:49 a.m.
To: pen-test () securityfocus com
Cc: Darren Craig
Subject: RE: Can you impersonate a client side cert??


This post attracted my attention because a company I used to work for a few
years ago used personal certs to limit access to administrative pages.

In that implementation, the website (IIS 5.0) was configured to restrict
access to the admin pages by personal cert, then they used some ASP to look
at certain certificate characteristics, including the CN or Common Name
property.

In an attempt to test the security of the admin pages, I trawled through the
website looking for staff email addresses, issued myself a cert, and gave it
valid CN and other properties. I tried connecting to the admin pages, and a
window popped up asking me for my personal cert, but the cert list was
empty. It turned out for some reason that only certs issued by trusted
certificate authorities would appear in my list.

So, I looked for a trusted cert authority that I could use to generate a
certificate with the right properties. It has been a while now, so I can't
remember who I used, but I did find one provider that would let me specify a
common name in such a way that it appeared to be a Thawte certificate.
Unfortunately, part of the sign up procedure was specifying your email
address. If I gave the email address of a valid employee, THEY would receive
the email containing the certificate. That would mean I would need to steal
their mail. Break in, send them an email with a trojan that would grab the
mail for me, whatever.

So I stopped at this point. I had done enough to prove that there was a
chance, a small chance, that someone could generate a certificate that would
trick our system. It would require someone to be able to grab someone's
mail, but we all know about a billion stupid viruses that can do that. An
employee of a certification authority would have an easy time doing it.

Now.... does this mean that all applications that use personal certs as a
"key" are vulnerable? No. In this instance, certain parts of a cert were
being looked at by some ASP, and that really wasn't enough to guarantee that
the cert offered by the client was the real thing. Before I could suggest a
better solution, we totally changed our admin access method, and certs
didn't play a part.

Anyway, I haven't dealt with certs very much since then, so I don't know
what other ways people use them, check their validity, etc. Perhaps the more
experienced people on this list can throw their two cents' worth in.

BRYAN
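As an added example (not code from the thread or from any of its posters), here is the contrast Bryan describes, written in Python rather than the original ASP: a CN-only check beside one that pins the issuer to the organisation's own CA, checks the validity period, and maps the exact certificate to an enrolled account. The certificate dicts mirror the shape of `ssl.SSLSocket.getpeercert()`; the CA name, the account name and the DER bytes are constructed placeholders.

```python
import hashlib
import ssl
import time

# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output.
# The "der" field stands in for getpeercert(binary_form=True); the bytes are
# placeholders, not real certificates, so the fingerprints below are not real either.
PINNED_ISSUER = (
    (("countryName", "NZ"),),
    (("organizationName", "Example Corp"),),          # assumed organisation
    (("commonName", "Example Corp Internal CA"),),    # assumed private CA
)


def make_cert(cn, issuer, serial, der, not_after="Dec 31 23:59:59 2030 GMT"):
    """Build a getpeercert()-style dict for a client certificate (constructed)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": issuer,
        "serialNumber": serial,
        "notAfter": not_after,
        "der": der,
    }


LEGIT_ADMIN = make_cert("alice@example.co.nz", PINNED_ISSUER, "1A2B", b"constructed-der-alice")

# Same CN, but issued by a different, publicly trusted CA: the case Bryan describes.
LOOKALIKE = make_cert(
    "alice@example.co.nz",
    ((("organizationName", "Some Public CA"),), (("commonName", "Some Public CA Class 1"),)),
    "7F7F",
    b"constructed-der-attacker",
)


def fingerprint(cert):
    """SHA-256 over the DER encoding identifies one specific certificate."""
    return hashlib.sha256(cert["der"]).hexdigest()


# Enrolment registry: the exact certificate each admin account was issued.
ENROLLED = {fingerprint(LEGIT_ADMIN): "alice"}

ADMIN_CNS = {"alice@example.co.nz"}


def subject_cn(cert):
    for rdn in cert["subject"]:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def weak_authz(cert):
    """What the ASP in the thread did: any presented cert whose CN is on the list is accepted."""
    return subject_cn(cert) in ADMIN_CNS


def strict_authz(cert, now=None):
    """Return the account for this certificate, or None.

    Accepts only certificates from the pinned issuer, still inside their validity
    period, whose fingerprint was enrolled. The CN is never used as the identity.
    """
    now = time.time() if now is None else now
    if cert["issuer"] != PINNED_ISSUER:
        return None
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return None
    return ENROLLED.get(fingerprint(cert))


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_ADMIN), ("lookalike", LOOKALIKE)):
        print(label, "weak:", weak_authz(cert), "strict:", strict_authz(cert))
```

Classic ASP exposed the same fields through `Request.ClientCertificate` (`Subject`, `Issuer`, `SerialNumber`, `ValidUntil`, `Certificate`), so the same pinning was possible there. Comparing the issuer string in application code is a second line of defence: the web server itself should also be configured to accept client certificates only from the organisation's own CA, so that a certificate from any other trusted root never reaches the page at all.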

-----Original Message-----
From: Darren Craig [mailto:darren.craig () celare co uk]
Sent: Monday, January 28, 2002 8:00 AM
To: pen-test () securityfocus com
Subject: Can you impersonate a client side cert??


Hi All,


I have been reading a paper which was published back in Feb 2001 by a
company called Sensepost which says that there is a way to impersonate a user's
client-side cert by using the same common name. Does anybody have any
experience of doing this, or is it even possible considering that the user's
public part of the cert would be installed on the web server?

Darren




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


