Vulnerability Development mailing list archives

x509 cert parsing in web browsers


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 8 Sep 2002 15:46:23 -0400 (EDT)

Hello,

While playing with the way SSL-enabled web browsers handle x509
certificates, I found several odd things - none of which is related to the
recent issues with forging certs for MSIE, but related to the problems
OpenSSL had recently.

Due to some unrelated circumstances, I have very limited resources and no
time to look at it any further, so I'm submitting my observations here,
perhaps some readers would like to have a closer look. I don't think this
is worth sitting on till I have more time, so I decided I'd just post it
here.

Web browsers handle several MIME types such as application/x-x509-ca-cert
and application/x-pkcs7-crl, trying to parse and display the information
to the user - and this is where things can go wrong. The certificate
format is built around ASN.1 and uses arbitrarily imposed length
limitations on bounded strings that describe the certificate. Quite
obviously, this is asking for problems: many implementers may assume
this is the absolute maximum and may not be prepared to handle any more.

After a ten minute test, it turned out that most mainstream browsers
failed miserably at some point, at minimum allowing DoS through
resource starvation caused by apparent parser bugs (Opera), or simply
crashing (Netscape, Mozilla). I did not have enough time to investigate
all issues in detail - for curious readers, it's probably worth looking at
- all it takes is a modified version of OpenSSL with string limits removed
(edit asn1.h, a_strnid.c, res.c and you should be all set), and any fuzz
tool to alter the file layout.

What turned out to be particularly interesting is that Microsoft Internet
Explorer up to 6.0.2600.0000 tends to crash when trying to display details
of a certificate that has an excessively long description. What's funny is
that the problem occurs only under certain versions of Microsoft
Windows (for example, 98), but not under 2000 or XP with service patches.
I don't have too many details, because I do not have physical access to
systems reported as vulnerable. I have no data from NT 4.0, but it's
probably worth looking at. Here's an example certificate:

  http://lcamtuf.coredump.cx/test.crt.gz

  (In order to test it, you have to uncompress the file and register .crt
  as application/x-x509-ca-cert with your web server. The same file should
  also cause problems with Opera entering an endless memory allocation
  loop).

It does not seem to affect older MSIE versions, such as 4.72.3110.4. I may be
wrong, but I don't think I've seen any hotfix that would be related to
this problem directly. Was it silently fixed by one of the fixes for other
ASN.1 / SSL problems?

The other example I have is http://lcamtuf.coredump.cx/test2.crt, which
can be used directly and causes something that appears to be a
non-exploitable segfault in newer Netscape, probably also in Mozilla.
Note: It would also be nice to look at certificate revocation files (crl),
as they are often imported without prompting the user. Generally speaking,
it seems that SSL clients are at least as broken as OpenSSL used to be.

-- 
Michal Zalewski

- Wenn ist das Nunstruck git und Slotermeyer?
- Ja! ... Beiherhund das Oder die Flipperwaldt gersput.
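The post's point is that the X.509 string bounds are limits a parser must enforce, not trust. The following is an added example (not code from the post or from any browser or OpenSSL) of a DER tag-length-value reader that checks every length against the bytes actually present and rejects a directory string longer than the X.509 commonName upper bound instead of crashing or looping; the 64-character bound and the sample DER fragments are assumptions constructed for this example.

```python
# Added example, not part of the original post: a defensive DER TLV reader for
# the string elements found in X.509 names. Sample inputs are constructed here.

# Universal-class tags of the directory-string types used in X.509 names
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x16: "IA5String", 0x1E: "BMPString"}
UB_COMMON_NAME = 64  # X.509 'ub-common-name' upper bound (assumed here)


class DerError(ValueError):
    """Raised for any malformed or out-of-bounds encoding; never an OS crash."""


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos:] -> (tag, value, next_pos).
    Every length is checked against the bytes actually available, so an
    attacker-supplied length can never make the caller read past the buffer."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                    # short form: length fits in 7 bits
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:   # indefinite form or absurd length-of-length
            raise DerError("invalid length encoding")
        if pos + nbytes > len(buf):
            raise DerError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:               # DER requires the minimal encoding
            raise DerError("non-minimal length")
        pos += nbytes
    if length > len(buf) - pos:
        raise DerError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def decode_name_string(buf, max_len=UB_COMMON_NAME):
    """Decode a directory string and enforce the upper bound rather than assume it."""
    tag, value, _ = read_tlv(buf)
    if tag not in STRING_TAGS:
        raise DerError("not a directory string: tag 0x%02x" % tag)
    chars = len(value) // 2 if tag == 0x1E else len(value)   # BMPString is UCS-2
    if chars > max_len:
        raise DerError("%s of %d chars exceeds bound %d" % (STRING_TAGS[tag], chars, max_len))
    return value.decode("utf-16-be" if tag == 0x1E else "ascii")


def check_name_string(buf):
    """Display-safe wrapper: (True, text) on success, (False, reason) on rejection."""
    try:
        return True, decode_name_string(buf)
    except (DerError, UnicodeDecodeError) as exc:
        return False, str(exc)
```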
