Netscape Communicator Inconsistent SSL Certificate Warning Vulnerability
BID:1260
Info
| Bugtraq ID: | 1260 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 25 2000 12:00AM |
| Updated: | May 25 2000 12:00AM |
| Credit: | This vulnerability was recently discovered by Kevin Fu of the Massachusetts Institute of Technology and, independently, by Jon Guyer. |
| Vulnerable: | Netscape Communicator 4.73, Netscape Communicator 4.72, Netscape Communicator 4.7, Netscape Communicator 4.61, Netscape Communicator 4.6, Netscape Communicator 4.51, Netscape Communicator 4.5, Netscape Communicator 4.0 |
| Not Vulnerable: | |
Discussion
From the CERT Advisory (see Credit):
A flaw exists in Netscape Navigator that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. This is different from the problem reported in CERT Advisory CA-2000-05, but it has a similar impact.
Within one Netscape session, if a user clicks on "continue" in response to a "hostname does not match name in certificate" error, then that certificate is incorrectly validated for future use in the Netscape session, regardless of the hostname or IP address of other servers that use the certificate.
Exploit / POC
From the CERT Advisory (see Credit):
Suppose that an attacker constructs a web site named example.com, authenticated by a certificate that does not match example.com, and convinces a victim to navigate there. Netscape will present a warning dialog indicating that the site to which the user thinks she's navigating (www.example.com) does not match the information presented in the certificate. If the user does not intend to provide any sensitive information to www.example.com, she may choose to continue with the connection (i.e., she may choose to click "OK" in response to the warning dialog), possibly attributing the warning dialog to a benevolent misconfiguration on the part of example.com or failing to understand the implications of the warning dialog.
Then, within the same session, no warning dialogs will be presented under the following circumstances:
- the attacker co-opts the DNS system in some fashion to cause the DNS name of a legitimate site to resolve to the IP address of a system under the control of the attacker
- the system under the control of the attacker is authenticated using the same certificate as www.example.com, which the user previously accepted in the warning dialog mentioned above
- the victim attempts to connect to the legitimate site (but instead gets directed to the site under the control of the attacker by virtue of the attack on DNS)
This allows the attacker to bypass the ordinary "sanity checking" done by Netscape, and the result is that the user may provide sensitive information to the attacker.
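The advisory's root cause is a cache design choice: once the user clicks "continue", Communicator remembers the accepted certificate by itself rather than by the (hostname, certificate) pair it was accepted for, so the same certificate later satisfies a different hostname without a warning. The following simulation is an added example, not Netscape code and not from the CERT advisory; it models both the flawed policy and the host-bound policy that prevents the spoof described above. All hostnames, certificate bytes and the `Certificate` / cache class names are constructed for the illustration.

```python
"""
Simulation of a session-scoped certificate-exception cache.

  - NaiveExceptionCache: records an accepted certificate by fingerprint alone,
    so one "continue" for www.example.com silently covers any other hostname
    presenting the same certificate (the behaviour the advisory describes).
  - HostBoundExceptionCache: records the (hostname, fingerprint) pair, so the
    mismatch warning reappears for every new hostname.

Everything below is constructed for the illustration; nothing is browser code.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    subject_cn: str   # the name the certificate actually asserts
    der: bytes        # stand-in for the encoded certificate

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """Exact-match hostname check (wildcards omitted for brevity)."""
    return cert.subject_cn.lower() == hostname.lower()


@dataclass
class NaiveExceptionCache:
    """Flawed policy: the exception is keyed on the certificate only."""
    accepted: set = field(default_factory=set)

    def needs_warning(self, hostname: str, cert: Certificate) -> bool:
        if hostname_matches(cert, hostname):
            return False
        return cert.fingerprint not in self.accepted

    def accept(self, hostname: str, cert: Certificate) -> None:
        # The hostname is ignored here; that is the defect.
        self.accepted.add(cert.fingerprint)


@dataclass
class HostBoundExceptionCache:
    """Corrected policy: the exception is keyed on (hostname, certificate)."""
    accepted: set = field(default_factory=set)

    def needs_warning(self, hostname: str, cert: Certificate) -> bool:
        if hostname_matches(cert, hostname):
            return False
        return (hostname.lower(), cert.fingerprint) not in self.accepted

    def accept(self, hostname: str, cert: Certificate) -> None:
        self.accepted.add((hostname.lower(), cert.fingerprint))


def replay_scenario(cache) -> dict:
    """Walk the advisory's scenario; report whether each step warned the user."""
    # Constructed certificate whose name matches neither site.
    cert = Certificate(subject_cn="unrelated.example", der=b"constructed-cert")

    # Step 1: the user visits www.example.com, which presents the mismatching
    # certificate, sees the warning and clicks "continue".
    first = cache.needs_warning("www.example.com", cert)
    if first:
        cache.accept("www.example.com", cert)

    # Step 2: DNS for the legitimate site now resolves to a host presenting
    # the same certificate. Does the browser warn again?
    second = cache.needs_warning("bank.example", cert)
    return {"first_visit_warned": first, "spoofed_site_warned": second}


if __name__ == "__main__":
    print("naive     :", replay_scenario(NaiveExceptionCache()))
    print("host-bound:", replay_scenario(HostBoundExceptionCache()))
```

With the naive cache the second step returns no warning, which is exactly the bypass the advisory describes; with the host-bound cache the warning is shown again for the new hostname, so a DNS redirection to a host reusing the accepted certificate still surfaces a mismatch dialog.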
Solution / Fix
References