Vulnerability Development mailing list archives
x509 cert parsing in web browsers
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 8 Sep 2002 15:46:23 -0400 (EDT)
Hello,

While playing with the way SSL-enabled web browsers handle x509 certificates, I found several odd things - none of which is related to the recent issues with forging certs for MSIE, but related to the problems OpenSSL had recently. Due to some unrelated circumstances, I have very limited resources and no time to look at it any further, so I'm submitting my observations here; perhaps some readers would like to have a closer look. I don't think this is worth sitting on till I have more time, so I decided I'd just post it here.

Web browsers handle several MIME types such as application/x-x509-ca-cert and application/x-pcks7-crl, trying to parse and display the information to the user - and this is where things can go wrong. The certificate format is built around ASN.1 and uses arbitrarily imposed length limitations on bounded strings that describe the certificate. Quite obviously, this is asking for problems: many implementors may assume this is the absolute maximum and may not be prepared to handle any more.

After a ten minute test, it turned out that most mainstream browsers failed miserably at some point, at minimum allowing DoS through resource starvation caused by apparent parser bugs (Opera), or simply crashing (Netscape, Mozilla). I did not have enough time to investigate all issues in detail - for curious readers, it's probably worth looking at - all it takes is a modified version of OpenSSL with string limits removed (edit asn1.h, a_strnid.c, res.c and you should be all set), and any fuzz tool to alter the file layout.

What turned out to be particularly interesting is that Microsoft Internet Explorer up to 6.0.2600.0000 tends to crash when trying to display details of a certificate that has an excessively long description. What's funny is that the problem occurs only under certain versions of Microsoft Windows (for example, 98), but not under 2000 or XP with service patches. I don't have too many details, because I do not have physical access to systems reported as vulnerable. I have no data from NT 4.0, but it's probably worth looking at.

Here's an example certificate: http://lcamtuf.coredump.cx/test.crt.gz (In order to test it, you have to uncompress the file and register .crt as application/x-x509-ca-cert with your web server. The same file should also cause problems with Opera entering an endless memory allocation loop.) It does not seem to affect older MSIE versions, such as 4.72.3110.4. I can be wrong, but I don't think I've seen any hotfix that would be related to this problem directly. Was it silently fixed by one of the fixes for other ASN.1 / SSL problems?

The other example I have is http://lcamtuf.coredump.cx/test2.crt, which can be used directly and causes something that appears to be a non-exploitable segfault in newer Netscape, probably also in Mozilla.

Note: It would also be nice to look at certificate revocation files (crl), as they are often imported without prompting the user.

Generally speaking, it seems that SSL clients are at least as broken as OpenSSL used to be.

-- 
Michal Zalewski - Wenn ist das Nunstruck git und Slotermeyer? - Ja! ... Beiherhund das Oder die Flipperwaldt gersput.
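The robustness point in the post is that a display routine must not trust the ASN.1 upper bounds (the ub-* limits in the X.509 spec) to hold, because a certificate file is attacker-controlled input. The following is an added example, not code from the post or from any of the browsers or OpenSSL: a defensive pre-check, in Python, that walks the DER of a certificate, refuses any TLV whose length overruns its container, and reports every issuer/subject attribute longer than the bound RFC 5280 Appendix A assigns to it, so the caller can reject the file before handing it to a UI. The bound table, the field order and the sample certificate builder are the assumptions here; the sample certificate is constructed inline (unsigned, placeholder public key) and is not the test.crt referenced above.

```python
from typing import Iterator, List, Tuple

# RFC 5280 Appendix A upper bounds (in characters) for common Name attributes,
# keyed by attribute-type OID. Anything longer is a red flag for a display routine.
UPPER_BOUNDS = {
    "2.5.4.3": 64,     # commonName (ub-common-name)
    "2.5.4.6": 2,      # countryName (two-letter code)
    "2.5.4.7": 128,    # localityName (ub-locality-name)
    "2.5.4.10": 64,    # organizationName (ub-organization-name)
    "2.5.4.11": 64,    # organizationalUnitName (ub-organizational-unit-name)
    "1.2.840.113549.1.9.1": 255,  # emailAddress (ub-emailaddress-length)
}


class DerError(ValueError):
    """Any structural problem: the caller should refuse the file outright."""


def read_tlv(buf: bytes, pos: int, end: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV inside buf[pos:end]; the length is validated against
    the enclosing container *before* the value is touched."""
    if pos + 2 > end:
        raise DerError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are not expected here")
    if length & 0x80:                        # long form: next n bytes carry the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise DerError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise DerError(f"length {length} overruns enclosing container")
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos, len(value))
        yield tag, inner


def decode_oid(value: bytes) -> str:
    if not value or value[-1] & 0x80:        # last sub-identifier must end the chain
        raise DerError("malformed OBJECT IDENTIFIER")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def check_name(name_der: bytes, which: str) -> List[str]:
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue and report every
    attribute value that exceeds its upper bound (BMP/Universal strings are
    counted in characters, other string types in bytes)."""
    findings = []
    for rdn_tag, rdn in children(name_der):
        if rdn_tag != 0x31:
            raise DerError(f"{which}: RDN is not a SET")
        for atv_tag, atv in children(rdn):
            parts = list(children(atv))
            if atv_tag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06:
                raise DerError(f"{which}: malformed AttributeTypeAndValue")
            oid = decode_oid(parts[0][1])
            vtag, val = parts[1]
            n = len(val) // {0x1E: 2, 0x1C: 4}.get(vtag, 1)
            bound = UPPER_BOUNDS.get(oid)
            if bound is not None and n > bound:
                findings.append(f"{which}: attribute {oid} is {n} chars, bound is {bound}")
    return findings


def check_certificate(cert_der: bytes) -> List[str]:
    """Raise DerError on structural damage; otherwise return the list of
    over-length issuer/subject attributes (empty list means clean)."""
    tag, cert, end = read_tlv(cert_der, 0, len(cert_der))
    if tag != 0x30 or end != len(cert_der):
        raise DerError("Certificate must be exactly one SEQUENCE")
    fields = list(children(cert))            # tbsCertificate, signatureAlgorithm, signatureValue
    if len(fields) != 3 or fields[0][0] != 0x30:
        raise DerError("unexpected Certificate layout")
    tbs = list(children(fields[0][1]))
    if tbs and tbs[0][0] == 0xA0:            # optional [0] EXPLICIT version
        tbs = tbs[1:]
    if len(tbs) < 5:                         # serial, sigalg, issuer, validity, subject, ...
        raise DerError("tbsCertificate too short")
    return check_name(tbs[2][1], "issuer") + check_name(tbs[4][1], "subject")


def is_rejected(cert_der: bytes) -> bool:
    """True when the structural pre-check refuses the file."""
    try:
        check_certificate(cert_der)
        return False
    except DerError:
        return True


# Constructed sample input (assumption: a minimal, unsigned DER Certificate).
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def name(*attrs: Tuple[str, str]) -> bytes:
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x0C, val.encode())))
        for oid, val in attrs))


def sample_certificate(common_name: str) -> bytes:
    """Placeholder-filled certificate; only issuer and subject carry real content."""
    alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(("2.5.4.6", "XX"), ("2.5.4.10", "Constructed Test CA"))
              + tlv(0x30, tlv(0x17, b"020908000000Z") + tlv(0x17, b"030908000000Z"))
              + name(("2.5.4.6", "XX"), ("2.5.4.3", common_name))
              + tlv(0x30, b""))                                       # SPKI placeholder
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

Run `check_certificate(sample_certificate("A" * 5000))` to see the over-length commonName reported, and `is_rejected(sample_certificate("ok.example")[:-5])` to see a truncated file refused by the length check rather than read past the end. The design choice is that every length is checked against the container it lives in before any value is read, and bounds are enforced by the caller's policy rather than assumed by the parser: that is exactly the assumption the post describes browsers making.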
Current thread:
- x509 cert parsing in web browsers Michal Zalewski (Sep 08)
- <Possible follow-ups>
- x509 cert parsing in web browsers Administrator Serwera TEK-ART (Sep 08)
- Re: x509 cert parsing in web browsers Fernando J. Pando (Sep 09)
- Re: x509 cert parsing in web browsers Peter Gutmann (Sep 08)
- Re: x509 cert parsing in web browsers Valdis . Kletnieks (Sep 09)